A new malware strain has affected thousands of computers in the U.S. and Europe, reports say.

Microsoft and Cisco Talos researchers have discovered a fileless malware that turns systems in zombie proxies. This malware strain, dubbed “Nodersok” or “Divergent” as per Microsoft and Cisco Talos, respectively, uses both its own components and two legitimate and widely used apps to carry out malicious activities.

Nodersok/Divergent was first discovered over the summer, spread through malicious ads. Those who clicked on the ads inadvertently downloaded an HTA (HTML application) file, which started a complex chain of events involving Excel, JavaScript and PowerShell Scripts, eventually leading to downloading and installing the Nodersok malware.

Nodersok’s components each have its own role to play in the attack. One component works to disable Windows Defender Antivirus before it can be detected, and also attempts to disables Windows Update. Another component works to get the malware system-level permissions.

The malware strain also uses two legitimate apps: Node.js, a well-known developer tool used to run JavaScript on web servers; and WinDivert, an app for capturing and interacting with network packets for Windows 2008, Windows 7, Windows 8, Windows 10 and Windows 2016.

While both Microsoft and Cisco Talos agree that these two apps work to start a SOCKS proxy on infected systems, they differ in what they think the Malware does next. Microsoft said Nodersok turns infected systems into proxies that relay malicious traffic. Cisco Talos, on the other hand, said Divergent turns infected systems into proxies that perform click-fraud.

Nodersok/Divergent’s creators are unknown at the moment. What’s known is that the malware strain has infected “thousands of machines in the last several weeks” in the U.S. and Europe, Microsoft’s telemetry said. Cisco Talos’ analysis reveals that the malware is still in development, and that its creators have plans to monetize it through click-fraud.

Further, Microsoft noted that all the relevant functions of the malware reside in scripts and shellcodes and are run only in memory. No malware programs are copied and stored on the disk (hence "fileless"), making it hard for security teams to detect them and create necessary countermeasures, ZDNet noted.

Petya malware
A new malware that turns infected systems into proxies has been discovered. (Pictured: A view shows a laptop display (right) showing part of a code, which is the component of Petya malware computer virus according to representatives of Ukrainian cyber security firm ISSP, with an employee working nearby at the firm's office in Kiev, Ukraine, July 4, 2017.) REUTERS/Valentyn Ogirenko
RELATED STORIES
Cybercrime Malware Microsoft