Tue. Feb 25th, 2020

Microsoft found Nodersok malware which infected thousands of PCs

2 min read

The Microsoft Security Blog recently described a new malware campaign active in Europe and the United States whose techniques initially slipped past Microsoft's own defenses. The malware is called Nodersok. It relies on fileless techniques, which are comparatively advanced and are hard for conventional defenses to catch, and the campaign has shown how effective they can be: the attacks in Europe and the United States went undetected for a time before Microsoft identified the activity and began blocking it.

Conventional malware has a main executable that must be written to the user's computer and run from there. Because that file lands on disk, security software can scan and analyze it. Fileless techniques instead keep the malicious logic in memory, typically as scripts or code injected into legitimate processes, so the attacker never writes a malicious executable to disk. That leaves far less for file-based anti-virus scanning to inspect, which is why detection is difficult, and this style of attack is becoming increasingly common.

In this campaign the attackers used Node.exe (the Node.js JavaScript runtime) and WinDivert (a packet capture and diversion tool), both legitimate, widely used Windows programs. The attacker first downloads these tools onto the victim's computer; because they are genuine software, Microsoft Defender and other anti-virus products do not block them. An encrypted script is then loaded and decrypted in memory, and once decrypted it connects to an attacker-controlled server to fetch further commands. Among these are PowerShell commands that disable Windows Defender and Windows Update. The final payload is itself a JavaScript program, run under Node.js, that turns the victim's computer into a proxy the attackers use to reach further targets.

Microsoft believes the infections began with HTA files. An HTA (HTML Application) is an HTML page that can carry scripts and runs outside the browser sandbox via mshta.exe, which uses the Internet Explorer engine. The attackers appear to have lured users into downloading such files through online advertisements; once the downloaded HTA is opened, its malicious script connects to the attacker-controlled server to fetch the tools and commands described above, then runs quietly while evading security software. Microsoft also stresses that users are better off not running HTA files at all: the technology is rarely used legitimately today, so an HTA arriving through an advertisement is a strong warning sign.
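The chain in the two paragraphs above (an HTA opened by mshta.exe, a hidden PowerShell stage that tampers with Defender and Windows Update, then Node.exe started from a user-writable folder) is exactly the kind of process lineage a defender can hunt for in endpoint telemetry. The following is an added example written for this article, not code from Microsoft or from the Nodersok campaign: it runs a few lineage and command-line heuristics over constructed, Sysmon-style process-creation records. The event records, paths, user name and the base64 blob are all made up for illustration.

```python
"""Process-lineage heuristics for a Nodersok-style fileless chain.

Added example for this article. The events below are constructed to mirror
the chain the text describes; they are not real telemetry.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the executable that started
    cmdline: str    # command line as it would appear in the log


# Constructed sample: explorer -> mshta (HTA from Temp) -> powershell (hidden,
# encoded) -> powershell (disables Defender) and node.exe from Temp.
# PID 600 is a legitimate Node.js developer process for contrast.
SAMPLE_EVENTS: List[ProcEvent] = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Windows\System32\mshta.exe",
              r'mshta.exe "C:\Users\alice\AppData\Local\Temp\ad.hta"'),
    ProcEvent(300, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -NoProfile -WindowStyle Hidden "
              "-EncodedCommand U2V0LU1wUHJlZmVyZW5jZQ=="),  # placeholder blob
    ProcEvent(400, 300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"),
    ProcEvent(500, 300, r"C:\Users\alice\AppData\Local\Temp\node.exe",
              r"node.exe C:\Users\alice\AppData\Local\Temp\proxy.js"),
    ProcEvent(600, 100, r"C:\Program Files\nodejs\node.exe",
              r"node.exe C:\dev\app\server.js"),
]

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|Public)\\", re.I)
# Command-line patterns for the Defender / Windows Update tampering stage.
DEFENSE_TAMPER: List[Tuple[re.Pattern, str]] = [
    (re.compile(r"Set-MpPreference.*-Disable\w+\s+\$?true", re.I),
     "Defender preference disabled via Set-MpPreference"),
    (re.compile(r"(Stop|Set)-Service.*\b(wuauserv|WinDefend)\b", re.I),
     "Windows Update / Defender service tampered"),
    (re.compile(r"-(e|ec|enc|encodedcommand)\b", re.I),
     "encoded PowerShell command"),
]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ancestors(pid: int, by_pid: Dict[int, ProcEvent]) -> List[str]:
    """Return image basenames from parent upward (cycle-safe)."""
    chain: List[str] = []
    seen = {pid}
    cur = by_pid.get(pid)
    while cur is not None and cur.ppid in by_pid and cur.ppid not in seen:
        seen.add(cur.ppid)
        cur = by_pid[cur.ppid]
        chain.append(basename(cur.image))
    return chain


def analyse(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """Apply the lineage heuristics; return (pid, reason) findings."""
    by_pid = {e.pid: e for e in events}
    findings: List[Tuple[int, str]] = []
    for e in events:
        name = basename(e.image)
        anc = ancestors(e.pid, by_pid)
        parent = anc[0] if anc else None
        if name == "mshta.exe" and USER_WRITABLE.search(e.cmdline):
            findings.append((e.pid, "mshta.exe opening an HTA from a user-writable directory"))
        if name in SCRIPT_HOSTS and parent == "mshta.exe":
            findings.append((e.pid, "script host spawned by mshta.exe (HTA)"))
        if name in {"powershell.exe", "pwsh.exe"}:
            for pattern, why in DEFENSE_TAMPER:
                if pattern.search(e.cmdline):
                    findings.append((e.pid, why))
        if name == "node.exe":
            # Node.js is legitimate; the location and lineage are what matter.
            if USER_WRITABLE.search(e.image):
                findings.append((e.pid, "node.exe running from a user-writable directory"))
            if "mshta.exe" in anc:
                findings.append((e.pid, "node.exe descends from mshta.exe"))
    return findings


def flagged_pids(events: List[ProcEvent]) -> List[int]:
    return sorted({pid for pid, _ in analyse(events)})


if __name__ == "__main__":
    for pid, reason in analyse(SAMPLE_EVENTS):
        print(f"pid {pid}: {reason}")
```

The heuristics deliberately never flag node.exe or WinDivert by name alone, since both are legitimate; the signal is the parent chain back to mshta.exe and the unusual execution path, which is also why the developer's Node.js process (PID 600) is left alone.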

Microsoft's Windows Defender telemetry had picked up this activity earlier, but at the time Microsoft could not be sure it was malicious. Only recently, when the same pattern surged to hundreds of times its earlier volume, did Microsoft classify it as malicious and begin blocking it with Windows Defender. Microsoft's security researchers say the attackers' methods are highly evasive, in particular because the distributed network infrastructure behind the campaign is very complex.