A newly discovered strain of malware transforms PCs into what Microsoft ominously calls “zombie proxies” using otherwise legitimate programs, and the company claims it’s infected thousands of computers across the U.S. and Europe.
Microsoft and Cisco’s Talos researchers both released reports this week that outlined this cyber threat, which the companies call Nodersok and “Divergent” respectively.
These malware campaigns have the same purpose regardless of the name: to get users to download and run an HTML application (HTA) most likely distributed through malicious ads. This triggers an elaborate hacking process that leaves few traces because it leverages existing programs or downloads legitimate tools like NodeJS, an app that executes Javascript outside of a web browser, and WinDivert, an app used to capture and divert network packets.
“All of the relevant functionalities reside in scripts and shellcodes that are almost always coming in encrypted, are then decrypted, and run while only in memory. No malicious executable is ever written to the disk,” a Microsoft blog post reads. Because of that, cybersecurity experts call these attacks using these methods “fileless” campaigns.
After the malware disables Windows Defender, which explains how it’s avoided tripping the anti-virus software for so long, and can take control of a PC, however, Microsoft and Cisco researchers are divided on its ultimate objective. Microsoft believes attackers use this proxy to access other networks and “perform stealthy malicious activities. Meanwhile, Cisco Talos argues the malware shares several characteristics with other viruses designed to conduct click-fraud, a tactic that cost advertisers an estimated $19 billion last year alone according to Forbes.
Either way, Microsoft states that the campaign has infected thousands of machines, with most attacks conducted this month and targeted at consumers. Both companies claim their anti-virus software has been updated to detect this malware strain moving forward.
These reports come just months after the National Security Agency urged users to update their Windows machines in the wake of a critical security vulnerability known as BlueKeep, which Microsoft patched back in May.
