Thousands of consumer PCs have fallen victim to malware that turns them into zombies.
Microsoft calls the malware Nodersok while Cisco Talos calls it Divergent. Either way, the attack is said to primarily target everyday consumers in the United States and Europe and Microsoft says 3% of encounters were seen by organizations in the education, healthcare or financial sectors.
There are conflicting theories as to what the malware actually does. Cisco says the malware was designed to generate revenue using click-fraud, a technique for generating fraudulent charges that costs advertisers billions of dollars each year. Microsoft, on the other hand, believes the malware was created as a relay to access network entities and plant malicious code.
Whatever the case, the attack is quite stealthy as it uses techniques associated with “fileless” malware, or malware that leaves few traces behind for researchers to discover.
“The campaign is particularly interesting not only because it employs advanced fileless techniques, but also because it relies on an elusive network infrastructure that causes the attack to fly under the radar,” Microsoft wrote in a blog post. “We uncovered this campaign in mid-July, when suspicious patterns in the anomalous usage of MSHTA.exe emerged from Microsoft Defender ATP telemetry. In the days that followed, more anomalies stood out, showing up to a ten-fold increase in activity.”
How to protect your PC from Nodersok/Divergent
As elusive as this newly discovered malware might be, both Microsoft and Cisco promise that their respective services, Windows Defender and Cisco Advanced Malware Protection (AMP), can spot and stop the malware. However, not every PC is equipped with those anti-malware defenders, and third-party solutions have a tricky time with this particular malware.
If you want to be 100% protected, Microsoft suggests that you don't run HTA files (HTML applications) on your Windows systems, especially if you can't trace them back to a legitimate owner.
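As an added illustration of the two signals this article describes, anomalous mshta.exe usage and a ten-fold jump in activity, the following Python script (written for this page, not code from Microsoft or Cisco Talos) scans constructed process-creation log lines and flags hosts where mshta.exe is launched with something other than a local .hta file, or where daily launches reach ten times the host's prior peak. The log format, host names and thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of process-creation log lines (not real telemetry).
# One event per line: <date> <host> <parent_image> <command_line>
SAMPLE_LOG = (
    "2019-07-08 pc-01 explorer.exe mshta.exe C:\\Tools\\inventory.hta\n"
    "2019-07-09 pc-01 explorer.exe mshta.exe C:\\Tools\\inventory.hta\n"
    "2019-07-10 pc-01 explorer.exe mshta.exe C:\\Tools\\inventory.hta\n"
    "2019-07-10 pc-02 explorer.exe notepad.exe C:\\notes.txt\n"
    "2019-07-15 pc-02 explorer.exe mshta.exe http://example.invalid/page.hta\n"
    # a burst of ten inline-script launches on one host in a single day
    + "2019-07-15 pc-01 winword.exe mshta.exe javascript:PLACEHOLDER\n" * 10
)

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (.+)$")
# mshta.exe given inline script or a URL instead of a local .hta file
NON_LOCAL_ARG = re.compile(r"^mshta\.exe\s+(javascript:|vbscript:|https?://)", re.I)
SPIKE_FACTOR = 10  # the ten-fold increase cited from Microsoft's telemetry


def parse_log(text):
    """Return (date, host, parent, cmdline) tuples; malformed lines are skipped."""
    return [m.groups() for m in map(LINE_RE.match, text.splitlines()) if m]


def mshta_findings(text, spike_factor=SPIKE_FACTOR):
    """Flag mshta.exe use that looks like the campaign: a non-local argument,
    or a daily launch count at least spike_factor times the host's prior peak."""
    per_host_day = defaultdict(lambda: defaultdict(int))
    findings = set()
    for date, host, _parent, cmd in parse_log(text):
        if not cmd.lower().startswith("mshta.exe"):
            continue
        per_host_day[host][date] += 1
        if NON_LOCAL_ARG.match(cmd):
            findings.add((host, date, "non_local_argument"))
    for host, days in per_host_day.items():
        prior_peak = 0
        for date in sorted(days):
            if days[date] >= spike_factor * max(prior_peak, 1):
                findings.add((host, date, "launch_spike"))
            prior_peak = max(prior_peak, days[date])
    return sorted(findings)


if __name__ == "__main__":
    for host, date, reason in mshta_findings(SAMPLE_LOG):
        print(f"{date} {host}: {reason}")
```

Feeding real process-creation events (e.g. exported Sysmon or EDR records) through the same two checks gives a quick first pass before deeper triage of the flagged hosts.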