
Malware spotlight: Nodersok

January 23, 2020 by Graeme Messina

Introduction

The zombie movie film genre has long been a favorite among horror film fanatics, as shown by the ever-growing number of films that portray an undead apocalypse. Each of these zombie franchises features a different way of causing zombification. 

As life sometimes imitates art, this concept extends to the world of malware. An emerging new malware, analogous to a new zombie franchise, is Nodersok. This newly-discovered malware can turn PCs into zombies with a method never seen before and should be considered a new type of malware altogether. 

This article will detail the Nodersok malware. We’ll explore what Nodersok is, what makes it so dangerous, how it works, who would be using Nodersok (and how are they using it) and how it can be shut down in its tracks.

What is Nodersok?

Nodersok is both a malware and attack campaign with an unknown author and origin. This malware was discovered by both Microsoft and Cisco Talos, who refer to it as Nodersok and Divergent respectively. 

This malware has been seen to take advantage of preexisting tools and use a multi-stage, fileless attack strategy in its attack campaign. These legitimate tools are known as living-off-the-land binaries, or LOLBins, and they already exist on computers. The effect is similar to an abuse-of-system-feature attack, where attackers take advantage of inherent characteristics of systems. If jujitsu or judo comes to mind when thinking of this, you’re on the right track.

What makes Nodersok so dangerous?

There are a couple of reasons why Nodersok should be taken seriously — both of which are used to fly under the radar and avoid detection. First, as mentioned earlier, the tools that Nodersok brings to the cyberattack are relatively mundane and 100% legitimate. These tools are:

  1. Node.exe: the Windows executable of the Node.js JavaScript runtime, which is used by many web applications. Because it is a common, legitimate program, it goes over the heads of most and slips past detection
  2. WinDivert: a legitimate network packet capture and filtering utility that would not raise any red flags with detection tools

Second, Nodersok takes advantage of legitimate infrastructure of a compromised system to continually avoid detection. This infrastructure is made up of preexisting LOLBins on the compromised system and includes mshta.exe and powershell.exe. 

The danger of Nodersok’s easy detection evasion is compounded by the fact that nearly every move it makes leverages legitimate infrastructure. Unless you know where to look, you may be blindsided by the attack. Much like victims who don’t know they’ve been infected until it’s too late, users of compromised machines will not find out until their machine is already a zombie.

How Nodersok works

The installation of Nodersok usually happens when the victim runs an infected HTA (HTML application) file delivered via an infected ad or download. A common source of this HTA is an advertisement on an infected website (click fraud). Opening the HTA triggers a JavaScript file, referred to as the first-stage JavaScript, which runs PowerShell commands (a legitimate LOLBin) to download tools, capture data packets, disable Windows Defender and request more control.

The PowerShell launched by this first stage then spawns multiple instances of PowerShell that carry the weight in turning a compromised system into a zombie. This is accomplished by downloading the following modules:

  • PowerShell module that can disable both Windows Defender and Windows Update
  • Binary shell code to perform privilege elevation
  • WinDivert packet filtering engine — both the capture library and the corresponding shellcode
  • Node.exe, a rare tool for malware to use
  • The final zombification payload known as appjs
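As an added example (not code from the original article, nor from Microsoft or Cisco Talos), the following Python check walks constructed process-creation events and flags the mshta.exe to powershell.exe to node.exe chain described above, while leaving a developer's ordinary PowerShell-launched node.exe alone. The pids, image paths and event shape are assumptions for illustration.

```python
"""Process-tree check for the LOLBin chain mshta.exe -> powershell.exe -> node.exe."""

# Constructed sample events in the shape of Sysmon Event ID 1 (simplified);
# pids and paths are illustrative, not real telemetry from a Nodersok infection.
EVENTS = [
    {"pid": 900,  "ppid": 1,    "image": r"C:\Program Files\Browser\browser.exe"},
    {"pid": 4100, "ppid": 900,  "image": r"C:\Windows\System32\mshta.exe"},
    {"pid": 4120, "ppid": 4100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"pid": 4130, "ppid": 4120, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"pid": 4150, "ppid": 4130, "image": r"C:\Users\bob\AppData\Local\Temp\node.exe"},
    # Benign chain: a developer running node.exe from a shell opened via Explorer.
    {"pid": 5000, "ppid": 1,    "image": r"C:\Windows\explorer.exe"},
    {"pid": 5010, "ppid": 5000, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"pid": 5020, "ppid": 5010, "image": r"C:\Program Files\nodejs\node.exe"},
]

def basename(path):
    """Lower-cased file name of a Windows (or slash-separated) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def ancestry(events, pid):
    """Image basenames from pid up to the root; the seen set guards against pid-reuse loops."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain

def find_suspicious_chains(events):
    """Return {pid: reason} for processes matching the Nodersok-style chain.

    Rule 1: powershell.exe whose direct parent is mshta.exe (HTA -> PowerShell stage).
    Rule 2: node.exe with both powershell.exe and mshta.exe among its ancestors.
    The explorer.exe -> powershell.exe -> node.exe developer chain matches neither.
    """
    hits = {}
    for e in events:
        chain = ancestry(events, e["pid"])
        me, parents = chain[0], chain[1:]
        if me == "powershell.exe" and parents[:1] == ["mshta.exe"]:
            hits[e["pid"]] = "powershell.exe spawned by mshta.exe"
        elif me == "node.exe" and "powershell.exe" in parents and "mshta.exe" in parents:
            hits[e["pid"]] = "node.exe descended from mshta.exe via powershell.exe"
    return hits

if __name__ == "__main__":
    for pid, reason in find_suspicious_chains(EVENTS).items():
        print(pid, reason)
```

On real telemetry, the same two rules can be expressed as a SIEM query over parent/child image names; the Python simply makes the ancestry walk explicit.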

Who is using Nodersok and what is it being used for?

Another thing that distinguishes Nodersok from other zombifying malware is that it seems to be used only by private individuals and cybercriminal groups. This is important because unlike state-sponsored hackers, private attack groups like these have finite resources — which means finite attack campaigns. 

Nodersok also stands apart from other malware in that, where other types such as botnets are normally used for DDoS attacks, it has been used nearly exclusively for click fraud. Click fraud has historically been associated with private-actor cyberattack campaigns. Putting these two factors together paints a picture of a malware used more for criminal financial gain than for anything else.

How to stop Nodersok in its tracks

Despite the novelty of this type of malware, some relatively vanilla information security measures will help avoid Nodersok infection.

Be aware

The most important thing to remember is that Nodersok mainly infects users when they interact with infected ads or download infected files. Users should refrain from visiting websites known to have infected other visitors and should never click on ads on these sites should they visit them for some reason. They should also never download files, including email attachments, from unknown parties. Microsoft has recommended that users never run HTA files to avoid infection altogether.

Be proactive

Using certain antivirus/anti-malware programs and other information security measures can both detect and stop Nodersok. The good thing is many standard programs can get the job done. These include:

  • Microsoft Defender ATP
  • Advanced Malware Protection (AMP)
  • Cisco Cloud Web Security (CWS)
  • Cisco Web Security Appliance (WSA)
  • Meraki MX, Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention Systems (NGIPS)

Conclusion

Nodersok is the new kid on the block of zombifying malware types. After initial infection, it uses the legitimate LOLBins that already exist on the compromised system, together with the tools it downloads, to turn that system into an unwitting zombie at the command of its C2 server. 

Researchers have observed that the proverbial bullet to the brain of this malware is a mix of fairly standard information security measures. This further reinforces the need for users to be well-versed in the basics of information security.


Sources

  1. Bring your own LOLBin: Multi-stage, fileless Nodersok campaign delivers rare Node.js-based malware, Microsoft 
  2. Malware uses web apps to turn PCs into conduits for attacks, Engadget
  3. Divergent: “Fileless” NodeJS Malware Burrows Deep Within the Host, Cisco Talos Intelligence Group

Graeme is an IT professional with a special interest in computer forensics and computer security. When not building networks and researching the latest developments in network security, he can be found writing technical articles and blog posts at InfoSec Resources and elsewhere.