Nodersok runs on node.exe, WinDivert; disables Windows Defender Antivirus
Microsoft’s threat team has flagged an unusual flavour of malware, which is using an rare combination of techniques to fly under the radar of endpoint detection tools.
The campaign uses “two unusual legitimate tools” to run on infected machines, then relies on an “elusive network infrastructure” to turn them into zombie proxie.
The malware campaign, dubbed Nodersok, went through a “long chain of fileless techniques to install a pair of very peculiar tools” Microsoft said in a Thursday blog published by its ATP Research Team – including the popular Node.js framework.
It also disables (or tries to disable) Windows Defender Antivirus and Windows updates, and runs a binary shellcode that attempts elevation of privilege by using another legitimate Microsoft service; the Microsoft Connection Manager Profile Installer.
What’s so Unusual About Nodersok?
Nodersok, which uses the two legitimate tools to avoid detection, persist, and move laterally – a technique known as living-off-the-land binaries (LOLBins) – delivers Node.exe; the Windows implementation of the Node.js framework and WinDivert a network packet capture and manipulation utility to its target machines.
LOLBin-based malware is, in itself, now no novelty. But Nodersok went through a “long chain of fileless techniques” to install the “peculiar” tools, Microsoft said, and although malware using Node.js has been identified in the past, it remains rare.
(A detailed look at the attack chain can be found here).
The malware campaign initially went undetected, but Microsoft uncovered the campaign in mid-July, when suspicious patterns in the anomalous usage of MSHTA.exe emerged from Microsoft Defender ATP telemetry, its team said.
(MSHTA.exe is a utility that executes Microsoft HTML Applications).
LOLBins Approach Makes it Hard to Spot
Alarmingly for victims, every single step of the infection chain only runs legitimate LOLBins, either from the machine itself (mshta.exe, powershell.exe) or downloaded third-party ones (node.exe, Windivert.dll/sys).
This makes it nigh impossible for traditional signature-based detection defence techniques to catch it and stop it at the periphery.
As Microsoft’s APT team puts it: “All of the relevant functionalities reside in scripts and shellcodes that are almost always coming in encrypted, are then decrypted, and run while only in memory. No malicious executable is ever written to the disk.”
The attack appears to have been in its early stages, and while the technique to reach the destination is sophisticated, the payload code is “still in its infancy and in development” Microsoft said; adding that it hasn’t observed network requests coming from attackers
It’s the kind of attack that’s a poster child for AI/anomaly detection-based security software and the APT team was keen to emphasise the powers of its own Microsoft Defender APT product in helping identify the series of attacks which primarily hit consumers in the US and Europe, but also professional services and finance customers.