NODERSOK – A Zombie Proxie Apocalypse

In this article, we will be highlighting a recent infectious malware – Nodersok that turns PCs into zombie proxies and how it has impacted computer machines across the world.

Contents:

1. Nodersok – Malware that turns  PCs into  Zombie Proxies
2. What is Nodersok?
3. How does the attack work?
4. Impact of Nodersok attack
5. Fighting the malware Apocalypse

Nodersok – Malware that turns PCs into Zombie Proxies

It’s not that botnets (private computers infected by malicious malware without the knowledge of owner) that can hijack PCs for notorious purposes, but also malware strains. A new malware known as Nodersok has infected thousands of computers across the world. Microsoft uncovered the campaign in mid-July when they saw a suspicious pattern through its Defender Advanced Threat Protection (ATP). Nodersok has victimized thousands of machines Windows users. This fileless malware campaign was majorly detected in the US and the UK, following a spike in activity detected between 5 and 11 September.

Nodersok differs from other malware campaigns as it delivers two unusual legitimate tools, Node.exe (Windows implementation of Node.js framework) and WinDivert (a network packet capture and manipulation utility).  Similar to the Great Duke of Hell, Nodersok adopts a living-off-land-binaries ‘LOLBin‘ methodology to evade detection by hiding under the radar. The interesting fact about Nodersok is that it combines these LOLBins (binaries used as an attacker to perform actions beyond their original purpose) from the machine itself with third-party ones that it downloads. The vulnerable malware went through a long chain of fileless techniques to install a pair of very peculiar tools with one final aim: turn infected machines into zombie proxies.

What is Nodersok attack?

Nodersok (or Divergent) uses web apps to turn systems into proxies for malicious internet traffic. The specialty of the campaign is particularly interesting because it not only employs advanced fileless techniques but also because it relies on an elusive network infrastructure that causes the attack to fly under the radar. Infection by Nodersok is more or less a two-stage attack that downloads multiple components to a user’s PC. According to the researchers, once Nodersok turns machines into proxies, it uses them as a relay to access other network entities (websites, C&C servers, compromised machines, etc) which can allow them to perform stealthy malicious activities. And the proxies created by Divergent are used to conduct click fraud. The digits in the file name differ in every attack.

The majority of targets are consumers, 3% of encounters are observed in organizations in sectors like education, healthcare, finance, professional services, and retail. However, Cisco researchers believe that it was designed for click fraud or the practice of automatically generating ad clicks to boost revenue from websites. The malware is believed still believed to be in active development and there are multiple versions being used, according to the researchers. No malicious executable is ever written to the disk.

How does it work?

Every step of the infection chain runs legitimate LOLBins, either from the machine itself or download third-party tools. All the relevant functionalities reside in scripts and shellcodes that are almost always coming in encrypted, then decrypted, and run only in memory. Following is the described process of the zombie attack:

1. The attack begins when the user downloads and runs an HTML application (HTA).
2. JavaScript code in the HTA file downloads a second-stage component. It runs another JavaScript file or an XSL file containing JavaScript code.
3. The second-stage component launches a PowerShell command (deadbeef) by hiding the encoded command text inside an environment variable (launching additional Powershell instances).
4. The PowerShell commands downloads and runs additional encrypted components. A PowerShell module that attempts to disable Windows Defender Antivirus and Windows Update.
5. A binary shellcode attempts to perform an elevation of privilege.
6. Shellcode runs for Windivert packer filtering engine.
7. Node.exe (from the JS framework) is implemented.
8. The final payload app.js, a JavaScript module written in Node.JS framework turns the machine into a zombie proxy.

Impact of Nodersok attack

The campaign has been victimizing thousands of machines in the last several weeks, most targets located in the United States and Europe. The majority of targets are consumers. Countries affected by the Nodersok malware campaign are United States-60%, United Kingdom-21%, Germany-8%, Italy-5%, Others– 6%. The sectors affected by the campaign are Education-42%, Bussiness and professional services-8%, Healthcare and pharmaceuticals-7%, Finacial-7%, others-36%. According to the researches, the threat doesn’t end with zombification of your computer but further is conducted for click-fraud. Crucially, it is not certain who’s behind Nodersok, as it appears to be meant for everyday criminals rather than hostile countries.

Fighting the malware Apocalypse

While the attacks that exploit LOLBins are pretty smart from a technical perspective, they are not immune to detection. According to cybersecurity researcher -Jake Moore, taking advantage of native Windows binaries is a very clever way to circumnavigate security. Be it a malicious advert or a phishing email, the LOLBin zombie attack has to start somewhere and the user has to click a link at some point or the other. If you happen to engage for protection, there is little to stop it.

The researchers have invested a good deal of resources into developing powerful dynamic detection engines and delivering a state-of- the-art-defense-in-depth through Microsoft Defender APT. Meanwhile, the scripts and codes that are decrypted run directly in memory by Antimalware Scan Interface (AMSI) instrumentation. These multiple layers of protection are a part of the threat and malware prevention capabilities in Microsoft Defender ATP.

The first hurdle being user awareness and education. Malware is mostly being developed for making a profit from forced advertising spreading email spam or extorting money with stealing sensitive information.

Some basic safety measure for removal of malware:

1. Backing up all the files and data regularly or prior to starting the removal procedure.
2. Disconnecting your computer from the internet of ethernet.
3. Removing connected modes like CDs, DVDs and unplugging USBs from your computer.
4. Scanning your computer in safe mode with networking.
5. If you are not able to scan your computer in normal mode, that means specific malware are not allowing you to do it.
6. Restart your computer and hold down the F8 key. And press this key prior to seeing the Windows startup logo.
7. Installing efficient antivirus software is considered to be the only way to stay protected.
8. Avoiding suspicious links, emails or websites is always considered to be good online habit.

This was an awareness about Nodersok malware that turns PCs into zombie proxies and how can it be prevented. The basic to-do listing (mentioned above) can be followed when you detect a malicious infection in your personal computer. Regardless of whether the infected machines were used to create zombies or commit fraud, the nature of the malware means its handlers could equip it with new modules to carry other attacks. The whole point of these vulnerabilities lies in how sophisticated, and arguably slick, malware is getting.