Experts On Fileless Malware Campaign Abusing Legitimate Tools Node.js And WinDivert

An attack campaign targeting primarily the U.S. and Europe is leveraging two legitimate tools, the Node.js framework and WinDivert, to install “fileless” malware that appears to either turn victims’ systems into proxies or perpetrate click fraud.

Microsoft, which discovered the campaign in mid-July, said thousands of machines have been targeted in the last several weeks alone, the majority of which belong to consumers.

Users are typically infected while browsing online, either by clicking on a malicious HTA file or when served a malvertisement. The JavaScript code in the HTA file downloads a second-stage component, which in turn launches PowerShell commands by hiding the encoded command text inside an environment variable. These commands then download and execute multiple encrypted components with various functions. Among these components are Node.exe from Node.js — a framework that can execute JavaScript outside of a web browser — and shellcode to run WinDivert (Windows Packet Divert), a user-mode packet capture-and-divert package.

Experts' Comments

October 01, 2019
Nilesh Dherange
CTO
Gurucul
Here’s the problem: traditional antivirus and anti-malware security software aren’t looking for fileless malware attacks. Fileless malware is malicious code that exists only in memory. Because this type of malware never gets installed on the target computer’s hard drive, it doesn’t exist as a file, so it eludes intrusion prevention systems and antivirus programs. Behavior analytics leverage machine learning models tailored for this exact type of malware and will identify unusual spikes in PowerShell processes. It will detect if someone who is not a system administrator attempts to execute a PowerShell command. If a server has not been scanned in a while and it suddenly begins doing odd things, such as attempting to communicate to IP addresses that aren’t normal, this is anomalous behavior. Behavior analytics models looking for fileless malware will detect this abnormal behavior and will track that server closely to ensure that it has not been compromised by fileless malware.
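The article's description of the infection chain (an HTA launching PowerShell with its command hidden in an environment variable, which then runs Node.exe) and the comment above about spotting spikes in PowerShell activity and PowerShell use by non-administrators both describe things a defender can check in process-creation telemetry. The following is an added detection example written for this page; it is not Microsoft's detection logic, nor code from Gurucul or from the campaign. The events are constructed Sysmon-style process-creation records with assumed field names, and the rule names, thresholds and path patterns are assumptions chosen for illustration.

```python
"""Process-creation detections for the chain described above: script host ->
PowerShell (command hidden in an environment variable) -> node.exe from a
user-writable path, plus a per-host PowerShell launch-rate spike check.
All events below are CONSTRUCTED for this example; they are not real telemetry."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (Sysmon Event ID 1 style fields; names are assumptions).
EVENTS = [
    {"ts": "2019-10-01T09:00:01", "host": "pc1", "user": "CORP\\alice", "admin": False,
     "parent": "C:\\Windows\\System32\\mshta.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -w hidden -c iex ([Text.Encoding]::Unicode.GetString("
                "[Convert]::FromBase64String($env:sxA)))"},
    {"ts": "2019-10-01T09:00:03", "host": "pc1", "user": "CORP\\alice", "admin": False,
     "parent": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "image": "C:\\Users\\alice\\AppData\\Roaming\\node.exe",
     "cmdline": "node.exe C:\\Users\\alice\\AppData\\Roaming\\x.js"},
    {"ts": "2019-10-01T09:30:00", "host": "pc2", "user": "CORP\\itops", "admin": True,
     "parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -File C:\\scripts\\inventory.ps1"},
]
# A constructed burst: 12 PowerShell launches on pc3 within one minute by a non-admin.
EVENTS += [
    {"ts": (datetime(2019, 10, 1, 10, 0, 0) + timedelta(seconds=5 * i)).isoformat(),
     "host": "pc3", "user": "CORP\\bob", "admin": False,
     "parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -nop -c Start-Sleep 1"}
    for i in range(12)
]

SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}      # assumed HTA/script hosts
USER_WRITABLE = re.compile(r"\\(appdata|temp|tmp|downloads|programdata)\\", re.I)
# Invoke-Expression fed from an environment variable: the "command in env var" trick.
ENV_VAR_EXEC = re.compile(r"(iex|invoke-expression).*\$env:", re.I)
# Classic -EncodedCommand / -enc / -e followed by a base64 blob.
ENCODED = re.compile(r"-e(nc|ncodedcommand|c)?\s+[A-Za-z0-9+/=]{16,}", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev):
    """Return the list of rule names a single process-creation event triggers."""
    hits = []
    img, parent, cmd = basename(ev["image"]), basename(ev["parent"]), ev["cmdline"]
    if img == "powershell.exe":
        if parent in SCRIPT_HOSTS:
            hits.append("script_host_spawned_powershell")
        if ENV_VAR_EXEC.search(cmd):
            hits.append("powershell_exec_from_env_var")
        if ENCODED.search(cmd):
            hits.append("powershell_encoded_command")
        if not ev["admin"]:          # noisy on its own; useful as an enrichment signal
            hits.append("non_admin_powershell")
    if img == "node.exe" and (parent == "powershell.exe" or USER_WRITABLE.search(ev["image"])):
        hits.append("node_from_powershell_or_user_path")
    return hits


def powershell_spikes(events, window=timedelta(minutes=5), threshold=10):
    """Hosts where PowerShell launches in any sliding window exceed the threshold."""
    per_host = defaultdict(list)
    for ev in events:
        if basename(ev["image"]) == "powershell.exe":
            per_host[ev["host"]].append(datetime.fromisoformat(ev["ts"]))
    spiking = set()
    for host, times in per_host.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window's left edge forward
                start += 1
            if end - start + 1 > threshold:
                spiking.add(host)
                break
    return spiking


def detect(events):
    """Per-host list of (timestamp, rule hits) plus the set of spiking hosts."""
    alerts = {}
    for ev in events:
        hits = classify(ev)
        if hits:
            alerts.setdefault(ev["host"], []).append((ev["ts"], hits))
    return alerts, powershell_spikes(events)


if __name__ == "__main__":
    alerts, spikes = detect(EVENTS)
    for host, items in alerts.items():
        for ts, hits in items:
            print(host, ts, ", ".join(hits))
    print("PowerShell launch spikes:", sorted(spikes))
```

The per-event rules catch the chain on pc1 (mshta.exe spawning PowerShell that decodes `$env:` content into `iex`, then node.exe from AppData) while the administrator's scripted inventory run on pc2 produces nothing; the sliding-window count flags only pc3, whose burst would otherwise be lost among individually bland `non_admin_powershell` hits. In production the window and threshold should come from a per-host baseline rather than the fixed values assumed here.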