Nodersok

Posted: September 30, 2019

Malware developers continue to experiment with so-called 'living-off-the-land binaries' techniques, also called LOLBins for short. The term describes cases in which malware uses legitimate tools or operating system components to execute harmful tasks, which anti-virus software may treat as legitimate because they are carried out by trustworthy services. One of the latest examples of malware that makes use of LOLBins is Nodersok. In fact, Nodersok uses living-off-the-land binaries in all stages of its attack, and it never writes a corrupted file to the target's machine.

Nodersok Makes Use of Legitimate Tools to Hide Its Activities

Before delving into Nodersok's attack techniques, it is important to mention what the ultimate purpose of this malware appears to be. It plants a proxy script written in JavaScript and run with the Node.js framework. This turns the infected machine into a dormant proxy server that the attackers could use for any purpose: sending email spam, committing click fraud, or simply making it part of the infrastructure used in their next threatening campaign.

Nodersok has been very active in the past few weeks, as the malware managed to infect thousands of computers in the United States and Europe. Another statistic worth mentioning is that most of the infected machines are home computers, and only 3% of the attacks are against enterprise targets. As mentioned earlier, a file with unsafe behavior is never written to the target's computer; instead, all stages of the attack are carried out via encrypted scripts and snippets of code that are decrypted while being run. Below is a short explanation of the attack stages that Nodersok uses:

  1. The user downloads a '.HTA' file that may be delivered to them via corrupted advertisements. The file is hosted on a legitimate service like CloudFront to minimize red flags.
  2. When the '.HTA' file is run, the JavaScript code inside initiates the download of another file that contains JavaScript – either a '.JS' file or an '.XSL' one.
  3. The component delivered during the second stage runs a decryption routine that reveals a PowerShell command, which is then executed silently.
  4. Once the PowerShell command runs, Nodersok proceeds to download further LOLBins.

The tools downloaded during the last stage are:

  • A PowerShell script that tries to disable embedded Windows security features.
  • Pre-made shellcode that may give the malware administrator privileges.
  • WinDivert, a tool used to capture network packets.
  • The Node.js framework.
  • App.js, a Node.js module that turns the infected machine into a proxy.
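As an added illustration of how a defender could look for the stage sequence described above (this is not code from the article or from any vendor), here is a small Python detector run over constructed process-creation log lines; the process names mshta.exe, wscript.exe, cscript.exe, powershell.exe and node.exe, and the CSV layout, are assumptions:

```python
import re
from collections import defaultdict

# Constructed process-creation log: "timestamp,host,command line".
# A real deployment would read Sysmon Event ID 1 or EDR telemetry instead.
SAMPLE_LOG = [
    "2019-09-20T10:01:02,HOST-A,mshta.exe https://cdn.example.invalid/a.hta",
    "2019-09-20T10:01:05,HOST-A,wscript.exe C:\\Users\\u\\AppData\\Local\\Temp\\b.js",
    "2019-09-20T10:01:09,HOST-A,powershell.exe -w hidden -enc SQBFAFgA",
    "2019-09-20T10:02:30,HOST-A,C:\\Users\\u\\AppData\\Roaming\\node\\node.exe app.js",
    "2019-09-20T11:00:00,HOST-B,powershell.exe -File C:\\scripts\\backup.ps1",
    "2019-09-20T11:05:00,HOST-B,C:\\Program Files\\nodejs\\node.exe server.js",
]

# One pattern per stage of the chain described in the article, in order.
# Process names are assumptions: mshta.exe hosts .HTA files, wscript/cscript
# host .JS, and node.exe / WinDivert appear in the final proxy stage.
STAGES = [
    ("hta_launch", re.compile(r"mshta\.exe.*\.hta")),
    ("script_stage", re.compile(r"(wscript|cscript)\.exe.*\.(js|xsl)\b")),
    ("powershell", re.compile(r"powershell.*(-enc|-encodedcommand|-w(indowstyle)? hidden)")),
    ("proxy_stage", re.compile(r"node\.exe|windivert")),
]
ORDER = [name for name, _ in STAGES]


def classify(cmdline):
    """Return the stage names whose pattern matches this command line."""
    low = cmdline.lower()
    return [name for name, pat in STAGES if pat.search(low)]


def find_chains(lines, min_stages=3):
    """Map host -> stages seen, for hosts where at least min_stages distinct
    stages appeared in the article's order. Benign hosts that only run
    PowerShell scripts or Node.js (HOST-B) fall below the threshold."""
    seen = defaultdict(list)
    for line in lines:
        _ts, host, cmd = line.split(",", 2)
        for stage in classify(cmd):
            if stage not in seen[host]:
                seen[host].append(stage)
    hits = {}
    for host, stages in seen.items():
        idx = [ORDER.index(s) for s in stages]
        if len(stages) >= min_stages and idx == sorted(idx):
            hits[host] = stages
    return hits
```

Running `find_chains(SAMPLE_LOG)` flags only HOST-A, with all four stages in order; HOST-B, which merely runs a PowerShell script and a Node.js server, is not reported.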

The Nodersok Malware Changes Its Network Infrastructure Regularly

Apart from the complicated multi-stage attack technique that makes use of LOLBins, the attackers have also configured a clever network infrastructure that is modified regularly to cover their tracks. The domains used to host the additional JavaScript code downloaded during the attack are replaced every 2-3 days, and all records related to them are wiped.

Having the Nodersok malware turn your computer into a proxy carries many risks, since the attackers can carry out threatening operations while routing all of their traffic through your machine. To be protected, you should invest in a reputable anti-virus tool. You should also browse the Web more safely by avoiding suspicious websites and declining to download files from unknown sources.