An attack campaign targeting primarily the U.S. and Europe is leveraging two legitimate tools, the Node.js framework and WinDivert, to install “fileless” malware that appears to either turn victims’ systems into proxies or perpetrate click fraud.
Microsoft, which discovered the campaign in mid-July, said thousands of machines have been targeted in the last several weeks alone, the majority of which belong to consumers.
Users are typically infected while browsing online, either by clicking on a malicious HTA file or when served a malvertisement. The JavaScript code in the HTA file downloads a second-stage component, which in turn launches PowerShell commands by hiding the encoded command text inside an environment variable. These commands then download and execute multiple encrypted components with various functions. Among these components are Node.exe from Node.js — a framework that can execute JavaScript outside of a web browser — and shellcode to run WinDivert (Windows Packet Divert), a user-mode packet capture-and-divert package.
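From the defender's side, the chain above (script host launches PowerShell, PowerShell pulls its command text from an environment variable, then spawns Node.exe) can be spotted in process-creation telemetry. The following is an added example, not code from the article or from Microsoft; the event fields and the sample events are constructed and hypothetical, loosely modelled on Sysmon/EDR process-creation records.

```python
# Added example (not from the article or Microsoft): flag the HTA -> PowerShell -> node.exe
# chain the article describes. ProcEvent fields and the SAMPLE telemetry are hypothetical,
# modelled loosely on Sysmon/EDR process-creation events.
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # process image name, e.g. "powershell.exe"
    cmdline: str    # full command line as logged

SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}   # HTA/JS launchers
PAYLOAD_CHILDREN = {"node.exe"}                              # article: Node.exe is dropped and run
ENV_REF = re.compile(r"\$env:\w+|%\w+%", re.I)               # command line reads an env variable
EXEC_HINT = re.compile(r"\biex\b|invoke-expression|frombase64string|-e(?:nc|ncodedcommand)?\b", re.I)

def find_chains(events):
    """Return [(powershell pid, [reasons])] for each PowerShell process showing at
    least two of: script-host parent, env-var-sourced command text, node.exe child."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if e.image.lower() != "powershell.exe":
            continue
        reasons = []
        parent = by_pid.get(e.ppid)
        if parent and parent.image.lower() in SCRIPT_HOSTS:
            reasons.append(f"spawned by {parent.image}")
        if ENV_REF.search(e.cmdline) and EXEC_HINT.search(e.cmdline):
            reasons.append("executes command text taken from an environment variable")
        kids = sorted({c.image for c in events
                       if c.ppid == e.pid and c.image.lower() in PAYLOAD_CHILDREN})
        if kids:
            reasons.append("spawns " + ", ".join(kids))
        if len(reasons) >= 2:          # a single indicator alone is common in admin scripts
            hits.append((e.pid, reasons))
    return hits

# Constructed telemetry: one infection chain plus one benign PowerShell session.
SAMPLE = [
    ProcEvent(100, 40, "mshta.exe", "mshta.exe C:\\Users\\u\\Downloads\\invoice.hta"),
    ProcEvent(200, 100, "powershell.exe", 'powershell -w hidden -c "iex $env:ZZ"'),
    ProcEvent(300, 200, "node.exe", "node.exe C:\\Users\\u\\AppData\\Local\\Temp\\x.js"),
    ProcEvent(400, 50, "powershell.exe", "powershell Get-Process | Sort-Object CPU"),
]
```

Requiring two indicators keeps ordinary administrative PowerShell (which often references `$env:` variables) from firing on its own.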
Fileless threat leverages widely used Node.js framework and WinDivert packet-capture utility to turn infected machines into proxies for malicious behavior. https://t.co/Pkvr5Ar9dz #InfoSec #MobileSecurity #Tech #Ransomware #Websecurity #Vulnerability #CyberSecurity #hacking
— USCyberMag (@USCyberMag) September 27, 2019
Experts Comments
Nilesh Dherange, CTO, provides expert commentary at Information Security Buzz:
"Fileless malware is malicious code that exists only in memory. ..."