Microsoft’s ATP research team has issued a detailed analysis of a new malware campaign that pushes the boundaries of the state of the art in fileless malware. Fileless malware leaves no noticeable fingerprint on the file system: its payload resides in memory rather than on disk.
Nodersok is interesting because of its use of living-off-the-land techniques; it uses only well-known, legitimate components and applications for its nefarious purposes. Apart from standard Windows components, Nodersok makes use of Node.exe, the Windows implementation of the Node.js runtime, and WinDivert, a legitimate network packet capture utility.
Nodersok uses a complex chain of Fileless operations to download and install the two ‘friendly’ applications before using them to turn the infected machines into zombie proxies used for a click-fraud campaign.
The infection chain starts when a user is tricked into downloading an HTA (HTML Application) file from a malicious advert or email.
The HTA file contains JavaScript which downloads and executes another JavaScript component, which in turn downloads and runs from memory several PowerShell scripts; these disable some Windows Defender elements and then download and install the Node.js runtime and WinDivert. The final payload is a Node.js application which turns the machine into a proxy controlled by the attackers.
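The chain above is a sequence of legitimate binaries launched in an illegitimate order, so the practical detection handle is process parentage and location rather than file hashes. The script below is an added illustration written for this page, not Microsoft's detection logic and not code from the campaign: it walks a handful of constructed Sysmon-style process-creation and driver-load records and flags PowerShell launched by mshta.exe, hidden encoded PowerShell, node.exe running from a user-writable path beneath a script host, and a WinDivert driver loaded from a user-writable path. The file paths, process IDs and command lines in the sample events are invented.

```python
"""Process-tree detector for the mshta -> PowerShell -> node.exe chain.

Added example for this page; the sample events are constructed, not real
telemetry, and the rule names are this example's own.
"""
import re
from typing import Dict, List, Tuple

Event = Dict[str, object]

# Constructed sample records in the style of Sysmon Event ID 1 (process
# create) and Event ID 6 (driver load). Paths and PIDs are invented.
SAMPLE_PROCESS_EVENTS: List[Event] = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe",
     "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\mshta.exe",
     "cmd": r"mshta.exe C:\Users\u\Downloads\player.hta"},
    {"pid": 300, "ppid": 200,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -NoP -W Hidden -Ep Bypass -Enc SQBFAFgAIAAoAE4A"},
    {"pid": 400, "ppid": 300, "image": r"C:\Users\u\AppData\Local\Temp\node.exe",
     "cmd": r"node.exe C:\Users\u\AppData\Local\Temp\app.js"},
    # Benign look-alikes that must not fire: plain cmd.exe, and Node.js
    # installed in Program Files with no script-host ancestor.
    {"pid": 500, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": "cmd.exe /c dir"},
    {"pid": 600, "ppid": 1, "image": r"C:\Program Files\nodejs\node.exe",
     "cmd": "node.exe server.js"},
]

SAMPLE_DRIVER_EVENTS: List[Event] = [
    {"image": r"C:\Users\u\AppData\Local\Temp\WinDivert64.sys"},
    {"image": r"C:\Windows\System32\drivers\tcpip.sys"},
]

# Locations an unprivileged user can normally write to.
USER_WRITABLE = re.compile(r"^[A-Z]:\\(Users|ProgramData|Windows\\Temp)\\",
                           re.IGNORECASE)
SCRIPT_HOSTS = {"mshta.exe", "powershell.exe", "pwsh.exe",
                "wscript.exe", "cscript.exe"}


def basename(path: str) -> str:
    """Lower-cased final path component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def ancestors(pid: int, by_pid: Dict[int, Event]) -> List[str]:
    """Image basenames of the parent chain, nearest parent first.

    Stops when the parent is unknown; a seen-set guards against PID reuse
    producing a cycle in reconstructed trees.
    """
    chain: List[str] = []
    seen = set()
    ev = by_pid.get(pid)
    while ev is not None and ev["ppid"] in by_pid and ev["ppid"] not in seen:
        seen.add(ev["ppid"])
        ev = by_pid[int(ev["ppid"])]
        chain.append(basename(str(ev["image"])))
    return chain


def detect(process_events: List[Event],
           driver_events: List[Event]) -> List[Tuple[int, str]]:
    """Return (pid, rule) findings; driver-load findings carry pid 0."""
    by_pid = {int(e["pid"]): e for e in process_events}
    findings: List[Tuple[int, str]] = []
    for e in process_events:
        pid, img, cmd = int(e["pid"]), basename(str(e["image"])), str(e["cmd"])
        parents = ancestors(pid, by_pid)
        is_ps = img in ("powershell.exe", "pwsh.exe")
        # Rule 1: PowerShell whose direct parent is the HTA host.
        if is_ps and parents[:1] == ["mshta.exe"]:
            findings.append((pid, "powershell-spawned-by-mshta"))
        # Rule 2: hidden window plus encoded command, typical of in-memory loaders.
        if (is_ps and re.search(r"-(e|enc|encodedcommand)\b", cmd, re.I)
                and re.search(r"-w(indowstyle)?\s+hidden", cmd, re.I)):
            findings.append((pid, "encoded-hidden-powershell"))
        # Rule 3: node.exe from a user-writable path with a script host above it.
        if (img == "node.exe" and USER_WRITABLE.match(str(e["image"]))
                and any(p in SCRIPT_HOSTS for p in parents)):
            findings.append((pid, "node-from-user-path-under-script-host"))
    for d in driver_events:
        # Rule 4: a WinDivert driver loaded from somewhere a user could drop it.
        if (basename(str(d["image"])).startswith("windivert")
                and USER_WRITABLE.match(str(d["image"]))):
            findings.append((0, "windivert-driver-from-user-path"))
    return findings


if __name__ == "__main__":
    for pid, rule in detect(SAMPLE_PROCESS_EVENTS, SAMPLE_DRIVER_EVENTS):
        print(f"pid={pid:<4} {rule}")
```

None of these rules keys on a file name alone: node.exe and WinDivert are legitimate software, so the signal is the parent chain and the on-disk location, which is why the Program Files instance of node.exe is left alone. Because the campaign also tampers with Windows Defender, changes to Defender exclusions or real-time protection settings are a second, independent signal worth alerting on alongside this process-tree logic.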
Microsoft’s Andrea Lelli said:
The campaign is particularly interesting not only because it employs advanced Fileless techniques, but also because it relies on an elusive network infrastructure that causes the attack to fly under the radar. We uncovered this campaign in mid-July, when suspicious patterns in the anomalous usage of MSHTA.exe emerged from Microsoft Defender ATP telemetry. In the days that followed, more anomalies stood out, showing up to a ten-fold increase in activity.
Microsoft’s detailed blog post makes for interesting reading.