Fileless Malware

Fileless Malware

Fileless Malware- Watch out Windows users!

There’s a new strain of malware making rounds on the Internet that has already infected thousands of computers worldwide and most likely, your antivirus program would not be able to detect it.

Why? That’s because, first, it’s an advanced fileless malware and second, it leverages only legitimate built-in system utilities and third-party tools to extend its functionality and compromise computers, rather than using any malicious piece of code.

The technique of bringing its own legitimate tools is effective and has rarely been spotted in the wild, helping attackers to blend in their malicious activities with regular network activity or system administration tasks while leaving fewer footprints.

Independently discovered by cybersecurity researchers at Microsoft and Cisco Talos, the malware — dubbed “Nodersok” and “Divergent” — is primarily being distributed via malicious online advertisements and infecting users using a drive-by download attack.

First spotted in mid-July this year, the malware has been designed to turn infected Windows computers into proxies, which according to Microsoft, can then be used by attackers as a relay to hide malicious traffic; while Cisco Talos believes the proxies are used for click-fraud to generate revenue for attackers.

Multi-Stage Infection Process Involves Legitimate Tools


fileless malware attack flow

The infection begins when malicious ads drop HTML application (HTA) file on users’ computers, which, when clicked, executes a series of JavaScript payloads and PowerShell scripts that eventually download and install the Nodersok malware.

“All of the relevant functionalities reside in scripts and shellcodes that are almost always coming in encrypted, are then decrypted, and run while only in memory. No malicious executable is ever written to the disk,” Microsoft explains.

As illustrated in the diagram, the JavaScript code connects to legitimate Cloud services and project domains to download and run second-stage scripts and additional encrypted components, including:

  • PowerShell Scripts — attempt to disable Windows Defender antivirus and Windows update.
  • Binary Shellcode — attempts to escalate privileges using auto-elevated COM interface.
  • Node.exe — Windows implementation of the popular Node.js framework, which is trusted and has a valid digital signature, executes malicious JavaScript to operate within the context of a trusted process.
  • WinDivert (Windows Packet Divert) — a legitimate, powerful network packet capture and manipulation utility that malware uses to filter and modify certain outgoing packets.

Read More Here

Article Credit: The Hacker News

Leave a Reply

Your email address will not be published.