
October 3, 2019 11:48 am | 1 Comment

Colortokens Protects Against Nodersok Malware


Scott Emo

Recently, the security community discovered a new fileless malware named Nodersok (by Microsoft) or Divergent (by Cisco Talos), which spreads via malicious ads that drop HTA (HTML Application) files onto users’ computers. The campaign started over the summer but has picked up again this September, according to Microsoft.

The infection chain starts when a user clicks on an HTA, or when the browser downloads a malicious ad. This triggers a second download, of a JavaScript file, which in turn launches a hidden PowerShell command. That command downloads additional encrypted components, which then:

  • Disable Windows Defender and Windows Update
  • Initiate a privilege escalation
  • Download and run the WinDivert packet capture library
  • Finally, download Node.exe and its payload

According to Microsoft, the malware turns the infected machine into a proxy, while Talos believes its primary use is click fraud.

Regardless of its intended use—and there is no reason to believe it is limited to just one or two use cases—Nodersok relies on legitimate applications such as Node.js and WinDivert to deliver its payload. This makes it very difficult for legacy anti-malware solutions to identify and block. Indeed, Microsoft’s blog already lists in detail the countries and sectors affected by the malware.

[Image: Countries affected by Nodersok campaign]

[Image: Sectors affected by Nodersok campaign]

The behavior of the Nodersok / Divergent malware is a textbook case for our ColorTokens Xprotect for Endpoint Protection solution. Xprotect proactively blocks processes from spawning other questionable processes—for example, a browser process spawning PowerShell. In fact, Xprotect can block PowerShell from launching based on ancestry rules: no process spawned from a browser can ever launch PowerShell, no matter how many intermediate processes sit between them.
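To make the ancestry rule concrete, here is an added example (not ColorTokens code and not Xprotect's implementation) that walks a process tree and decides whether a PowerShell launch should be blocked because any ancestor, however many hops up, is a browser. The process records are constructed to mirror the infection chain described above (browser, HTA host, script host, then PowerShell); the pids, image names and the browser/shell sets are hypothetical.

```python
"""Ancestry-based process-spawn rule: block PowerShell if any ancestor is a browser.

Added example, not code from the article or from ColorTokens. The process
records below are constructed to resemble the Nodersok chain; pids and image
names are hypothetical.
"""
from dataclasses import dataclass
from typing import Dict, Iterator, List, Tuple


@dataclass(frozen=True)
class Process:
    pid: int
    ppid: int
    image: str  # lower-case executable name, as a process-creation event would report it


# Constructed process-creation events (not real telemetry).
PROCESSES: List[Process] = [
    Process(4, 0, "system"),
    Process(800, 4, "explorer.exe"),
    Process(1000, 800, "chrome.exe"),       # browser: root of the infection chain
    Process(1200, 1000, "mshta.exe"),       # HTA file executed from the browser
    Process(1300, 1200, "wscript.exe"),     # JavaScript stage
    Process(1400, 1300, "powershell.exe"),  # PowerShell three hops below the browser: block
    Process(1500, 800, "powershell.exe"),   # PowerShell opened from explorer: allow
]

# Hypothetical policy sets; a real deployment would tune these.
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}


def build_index(procs: List[Process]) -> Dict[int, Process]:
    """Index processes by pid for parent lookups."""
    return {p.pid: p for p in procs}


def ancestors(index: Dict[int, Process], pid: int, limit: int = 256) -> Iterator[Process]:
    """Yield ancestors from the parent upward.

    Stops at the root, at a parent that is missing from the index (already
    exited), on a ppid cycle (stale pid reuse), or after `limit` hops.
    """
    seen = {pid}
    cur = index.get(pid)
    while cur is not None:
        parent = index.get(cur.ppid)
        if parent is None or parent.pid in seen or len(seen) >= limit:
            return
        seen.add(parent.pid)
        yield parent
        cur = parent


def evaluate_spawn(index: Dict[int, Process], pid: int) -> Tuple[str, str]:
    """Return ("block" | "allow", reason) for the process with the given pid."""
    proc = index[pid]
    if proc.image not in SHELLS:
        return "allow", f"{proc.image} is not a shell covered by the rule"
    for anc in ancestors(index, pid):
        if anc.image in BROWSERS:
            return "block", (f"{proc.image} (pid {pid}) descends from "
                             f"{anc.image} (pid {anc.pid})")
    return "allow", f"{proc.image} (pid {pid}) has no browser ancestor"


def evaluate_all(procs: List[Process]) -> Dict[int, str]:
    """Decision per pid for a whole set of process-creation events."""
    index = build_index(procs)
    return {p.pid: evaluate_spawn(index, p.pid)[0] for p in procs}


if __name__ == "__main__":
    idx = build_index(PROCESSES)
    for p in PROCESSES:
        decision, reason = evaluate_spawn(idx, p.pid)
        print(f"{decision:5s} pid={p.pid:<5} {reason}")
```

The rule keys on ancestry rather than on the immediate parent, so inserting extra stages (here mshta.exe and wscript.exe) between the browser and PowerShell does not evade it; the explorer-launched PowerShell is left alone because nothing above it is a browser.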

Protect Against Nodersok Malware

[Image: Xprotect Rule Rings policy view]

This Rule Ring protection would have killed the infection chain at the PowerShell spawning stage. This is the default behavior of Xprotect for endpoint protection.

Of course, it is important to identify malicious processes on a system and block them. But it is very hard to identify every attack—including zero-days—in real time and block it. This is why it is essential to deploy a Zero Trust architecture and block applications from spawning other processes or accessing the Internet—unless there is a valid reason for them to do so.

One Comment

  1. Max Popp, October 4, 2019 at 7:37 pm

    Awesome article Scott! Will be sharing across social media soon.
