Skip to main content

Windows malware turns PCs into zombies

(Image credit: Pixabay)
Audio player loading…

A new malware campaign responsible for infecting thousands of Windows PCs worldwide has been discovered by Microsoft.

The Microsoft Defender ATP Research Team found the malware, dubbed Nodersok, and explained in a blog post that it is distributed through malicious adverts which force a Windows system to download HTZ files that are used in HTML apps.

Once a user finds and clicks on the HTZ files on their system, this starts a process that opens Powershell scripts, Excel and JavaScript to download and install the Nodersok malware.

According to Microsoft, the malware is fileless and utilizes living-off-the-land binaries (LOLBins) to tap into exiting tools and functionalities in a Windows System. Nodersok then downloads legitimate modules such as Windivert.dll/sys and Node.exe from the Node.JS framework to carry out its work. However, malicious files and executables are never written to an infected machine's disk.

Nodersok malware

After a system has been fully infected, Nodersok can then turn it into a zombie-like proxy machine used to launch other cyberattacks and even create a relay server that can give hackers access to command and control servers as well as other compromised devices. This helps hackers hide their activity from security researchers looking for suspicious behavior.

In addition to Microsoft, Cisco's security division Talos also discovered the malware and named it Divergent (opens in new tab). Security researchers at the company found that the infected machines were being used to commit click fraud on targeted corporate networks.

In its blog post (opens in new tab), Microsoft researchers explained how they discovered the Nodersok malware campaign, saying:

“The campaign is particularly interesting not only because it employs advanced fileless techniques, but also because it relies on an elusive network infrastructure that causes the attack to fly under the radar. We uncovered this campaign in mid-July, when suspicious patterns in the anomalous usage of MSHTA.exe emerged from Microsoft Defender ATP telemetry.”

For those concerned about their systems being infected by Nodersok, Microsoft has updated its free antivirus software Microsoft Defender (opens in new tab) to detect the malware.

Via The Inquirer (opens in new tab)

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.