Recently, the security community discovered a new fileless malware named Nodersok (in a Microsoft blog) or Divergent (in a Cisco Talos blog), that distributes itself via malicious ads by downloading HTA (HTML application) files on users’ computers. This new campaign started over the summer but has begun to pick up again this September, according to Microsoft.

The infection chain starts by a user clicking on an HTA, or by the browser downloading a malicious ad. This initiates the second download of a javascript, which in turn launches an incognito PowerShell command. This initiates the download of additional encrypted components that will then:

  • Disable Windows Defender and Windows Update
  • Initiate a privilege escalation
  • Download and run WinDivert package capture library
  • And finally, download Node.exe and its payload

According to Microsoft, the malware turns the infected machine into a Proxy, while Talos believes that its primary use is for click-fraud.

Regardless of the final use case intent of the Nodersok malware—and there is no reason to believe it is limited to just one or two use cases—this malware uses legitimate applications like Node.js or WinDivert to distribute its payload. As a result, this makes it very difficult for your legacy anti-malware solutions to identify and block it. Indeed, Microsoft’s blog already shows a detailed list of countries and sectors affected by the malware.

Countries affected by Nodersok campaign Sectors affected by Nodersok campaign

The intent and use case of the Nodersok / Divergent malware represents a prime exploit use case for our ColorTokens Xprotect for Endpoint Protection solution. Xprotect proactively blocks processes from spawning other questionable processes—like, for example, a process within the browser spawning a PowerShell. In fact, Xprotect can block PowerShell from launching based on ancestral rules. So, no process that was spawned from a browser can ever launch a PowerShell – no matter how many other processes are in-path between them.

Protect Against Nodersok Malware

[Image: Xprotect Rule Rings policy view]

This Rule Ring protection would have killed the infection chain at the PowerShell spawning stage. This is the default behavior of Xprotect for endpoint protection.

Of course, it is important to identify malicious processes on a system and block them. But it is very hard to identify every attack – including zero-days – in real-time and block them. This is why it is essential to deploy a ZeroTrust architecture and block applications from spawning other processes or accessing the Internet—unless there is a valid reason for them to do so.