Microsoft Spots Nodersok Malware Campaign That Zombifies PCs (Sep 26, 2019)
“Nodersok” is a new fileless malicious campaign discovered by the Microsoft Defender ATP Research Team. It abuses living-off-the-land binaries (LOLBins) already present on Windows and drops a Node.js-based payload that turns infected machines into proxies. Nodersok is delivered by drive-by download: the victim's browser is steered to a malicious HTA file, either through a malicious link the user clicks or through malvertising, and the infection begins when the user runs that file. The subsequent stages rely on legitimate Windows tools such as mshta.exe and PowerShell rather than a conventional malware executable, which is what makes the campaign fileless.
Recommendation: Keep endpoints fully patched, give users standard rather than privileged accounts, and run endpoint anti-malware on every device. Apply these controls as part of a defense-in-depth approach that also scans network connections and email for malware. Because this campaign is built on legitimate Windows tools, signature-based detection is weak; organisations with behavioural detection capabilities can spot the unusual usage, for example PowerShell launched from an HTA via mshta.exe, or node.exe running from a user-writable directory.
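The behavioural detection the recommendation refers to can be illustrated with a small scan over process-creation telemetry. The following is an added example, not code from the briefing or from Microsoft's research; it runs over constructed Sysmon-style process-creation records (an assumed field shape, not real logs) and flags two patterns consistent with the campaign as described above: a PowerShell process whose ancestry includes mshta.exe, and node.exe executing from a user-writable path. The event fields, sample data and path markers are assumptions made for the example.

```python
"""Toy behavioural detection for Nodersok-style LOLBin abuse.

Added example; not part of the original briefing or Microsoft's report.
Input is a list of constructed process-creation records modelled on the
fields Sysmon Event ID 1 exposes (pid, parent pid, image path, command
line). The field names and sample events below are assumptions.
"""
import ntpath
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str          # full path of the executable
    command_line: str


# Constructed sample telemetry (assumed shape, invented values, not real logs).
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    # user double-clicks the downloaded HTA; mshta.exe is a LOLBin
    ProcEvent(200, 100, r"C:\Windows\System32\mshta.exe",
              r'mshta.exe "C:\Users\alice\Downloads\player.hta"'),
    # script stage launches PowerShell with the HTA host as its ancestor
    ProcEvent(300, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -NoP -W Hidden -File stage2.ps1"),
    # dropped Node.js runtime executing from a user-writable location
    ProcEvent(400, 300, r"C:\Users\alice\AppData\Local\Temp\node.exe", "node.exe app.js"),
    # benign: developer-installed Node.js under Program Files
    ProcEvent(500, 100, r"C:\Program Files\nodejs\node.exe", "node.exe server.js"),
    # benign: interactive PowerShell started from the shell
    ProcEvent(600, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe Get-Process"),
]

# Path fragments treated as user-writable for this example (assumption).
USER_WRITABLE_MARKERS = ("\\users\\", "\\appdata\\", "\\temp\\")


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return ntpath.basename(path).lower()


def is_user_writable(path: str) -> bool:
    lowered = path.lower()
    return any(marker in lowered for marker in USER_WRITABLE_MARKERS)


def ancestors(event: ProcEvent, by_pid: dict):
    """Walk the parent chain, guarding against pid reuse cycles."""
    seen = set()
    while event.ppid in by_pid and event.ppid not in seen:
        seen.add(event.ppid)
        event = by_pid[event.ppid]
        yield event


def detect(events) -> list:
    """Return (pid, reason) findings for the two behavioural patterns."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        name = image_name(e.image)
        if name == "powershell.exe" and any(
                image_name(a.image) == "mshta.exe" for a in ancestors(e, by_pid)):
            findings.append((e.pid, "powershell.exe with mshta.exe in its ancestry (HTA-launched script)"))
        if name == "node.exe" and is_user_writable(e.image):
            findings.append((e.pid, "node.exe executing from a user-writable path"))
    return findings


if __name__ == "__main__":
    for pid, reason in detect(SAMPLE_EVENTS):
        print(f"pid {pid}: {reason}")
```

Only pids 300 and 400 are reported; the developer's Node.js install under Program Files and the interactive PowerShell session are left alone. The ancestry walk rather than a direct parent check matters because script stages often interpose another host process between the HTA and PowerShell.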
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.