Partner Program Overview
Designed to deliver unparalleled customer value and accelerated mutual growth by harnessing partner expertise and ColorTokens cybersecurity technology.
Learn MoreInfrastructure
Quick Links
Case Study
Designed to deliver unparalleled customer value and accelerated mutual growth by harnessing partner expertise and ColorTokens cybersecurity technology.
Learn MoreFeatured Topic
Newsletter
Recently, the security community discovered a new fileless malware named Nodersok (in a Microsoft blog) or Divergent (in a Cisco Talos blog), that distributes itself via malicious ads by downloading HTA (HTML application) files on users’ computers. This new campaign started over the summer but has begun to pick up again this September 2019, according to Microsoft.
The infection chain starts by a user clicking on an HTA, or by the browser downloading a malicious ad. This initiates the second download of a javascript, which in turn launches an incognito PowerShell command. This initiates the download of additional encrypted components that will then:
According to Microsoft, the malware turns the infected machine into a Proxy, while Talos believes that its primary use is for click-fraud.
Regardless of the final use case intent of the Nodersok malware—and there is no reason to believe it is limited to just one or two use cases—this malware uses legitimate applications like Node.js or WinDivert to distribute its payload. As a result, this makes it very difficult for your legacy anti-malware solutions to identify and block it. Indeed, Microsoft’s blog already shows a detailed list of countries and sectors affected by the malware.
The intent and use case of the Nodersok / Divergent malware represents a prime exploit use case for ColorTokens Xprotect for Endpoint Protection solution. Xprotect proactively blocks processes from spawning other questionable processes—like, for example, a process within the browser spawning a PowerShell. In fact, Xprotect can block PowerShell from launching based on ancestral rules. So, no process that was spawned from a browser can ever launch a PowerShell – no matter how many other processes are in-path between them.
This Rule Ring protection would have killed the infection chain at the PowerShell spawning stage. This is the default behavior of Xprotect for endpoint protection.
Of course, it is important to identify malicious processes on a system and block them. But it is very hard to identify every attack – including zero-days – in real-time and block them. This is why it is essential to deploy a Zero Trust architecture and block applications from spawning other processes or accessing the Internet—unless there is a valid reason for them to do so.
Learn more about ColorTokens Xprotect for Endpoint Protection here.
By submitting this form, you agree to ColorTokens
Terms of Service and
Privacy Policy