
Understanding “Zombie Proxy” Malware: Lessons from Nodersok/Divergent

By: Team WTI | Date: September 30, 2019

Categories: Security

Tags: Cyber Security, Virus

In 2019, security researchers at Microsoft (who named it Nodersok) and Cisco Talos (who named it Divergent) uncovered a concerning malware campaign that turned infected computers into “zombie proxies.” Although the campaign itself was specific to its time, the techniques it used remain relevant in today’s threat landscape. Let’s revisit the campaign and consider what it means for modern cybersecurity.


The Nodersok/Divergent Threat

Nodersok/Divergent was a malware campaign that compromised thousands of computers across the United States and Europe. It utilized a combination of clever tactics to hide its malicious activity:

  • Fileless Attacks: The malware operated primarily in memory, avoiding the creation of traditional executable files on disk. This “fileless” approach made it difficult for traditional antivirus software to detect.
  • “Living off the Land”: Nodersok/Divergent leveraged legitimate tools such as Node.js and WinDivert to carry out its malicious actions. This technique, known as “living off the land,” allows malware to blend in with normal system activity.
  • Infection Vector: The malware was typically distributed through malicious HTML Application (HTA) files, usually delivered via compromised ads or other deceptive methods.
  • Zombie Proxies: Infected computers were turned into “zombie proxies,” allowing attackers to route malicious traffic through them and mask its true origin.

Key Takeaways and Modern Relevance

While the specific Nodersok/Divergent campaign may have evolved, the techniques it employed remain highly relevant:

  • Persistence of Fileless Attacks: Fileless malware continues to be a significant threat. Attackers are constantly refining their methods to operate within memory, making detection and removal challenging.
  • “Living off the Land” Remains a Challenge: The use of legitimate system tools to carry out malicious actions is a common tactic used by modern malware. This requires advanced detection methods that can differentiate between normal and malicious usage.
  • Proxying and Network Obfuscation: The use of infected computers as proxies to hide malicious activity is a persistent threat. This technique is used in various attacks, including botnets and targeted intrusions.
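The detection challenge above comes down to context: the same binary is benign in one situation and suspicious in another. As an added illustration (not code from the original article or from the Microsoft/Talos research), the following script triages constructed process-creation and driver-load events using the Nodersok-style indicators the article names: a script host launching Node.js, Node.js running from a user-writable directory, and the WinDivert driver being loaded. The event shape, file paths and the list of script hosts are assumptions for the example.

```python
"""Triage constructed process/driver events for the 'living off the land'
pattern described above. Event records are made up for this example and
mimic the fields a Sysmon-style process-creation log would carry."""
import ntpath

# Constructed sample telemetry (not real data).
EVENTS = [
    {"type": "process", "image": r"C:\Program Files\nodejs\node.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"type": "process", "image": r"C:\Users\u1\AppData\Local\Temp\node.exe",
     "parent": r"C:\Windows\System32\mshta.exe"},
    {"type": "driver", "image": r"C:\Users\u1\AppData\Local\Temp\WinDivert64.sys",
     "parent": ""},
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\explorer.exe"},
]

# Hosts that run scripts/HTAs; a developer launching node from a shell is
# normal, a script host launching it is not (assumed list for the example).
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe"}
# Directories a standard user can write to without elevation.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\public\\")


def classify(event):
    """Return a list of reasons an event looks suspicious (empty = normal)."""
    image = event["image"].lower()
    name = ntpath.basename(image)
    parent = ntpath.basename(event.get("parent", "").lower())
    reasons = []
    if event["type"] == "process" and name == "node.exe":
        if parent in SCRIPT_HOSTS:
            reasons.append(f"node.exe spawned by script host {parent}")
        if any(p in image for p in USER_WRITABLE):
            reasons.append("node.exe running from user-writable path")
    if event["type"] == "driver" and "windivert" in name:
        if any(p in image for p in USER_WRITABLE):
            reasons.append("WinDivert driver loaded from user-writable path")
        else:
            reasons.append("WinDivert driver loaded (confirm a known product owns it)")
    return reasons


def triage(events):
    """Keep only events with at least one reason, paired with their reasons."""
    return [(e["image"], classify(e)) for e in events if classify(e)]


if __name__ == "__main__":
    for image, reasons in triage(EVENTS):
        print(image, "->", "; ".join(reasons))
```

Only the second and third events are flagged; the legitimately installed Node.js runtime launched from Explorer passes, which is the normal-versus-malicious distinction the takeaway calls for.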

Protecting Yourself

To mitigate the risks posed by these types of threats, consider the following:

  • Maintain Up-to-Date Software: Regularly update your operating system, applications, and antivirus software. Security updates often include patches for known vulnerabilities that malware can exploit.
  • Use a Robust Antivirus/Anti-Malware Solution: Employ a reputable antivirus/anti-malware solution, such as Microsoft Defender, and keep it updated. Modern security software includes advanced detection capabilities for fileless attacks and suspicious behavior.
  • Practice Safe Browsing Habits: Be cautious about clicking on links in emails or websites, and avoid downloading files from untrusted sources.
  • Strong Passwords and Multi-Factor Authentication (MFA): Use strong, unique passwords for all your online accounts, and enable MFA whenever possible. This adds an extra layer of security.
  • Regular Backups: Regularly back up your important data to an external drive or cloud storage. In the event of a malware infection, you can restore your data without losing it.
  • If you suspect an infection: Do not attempt to manually remove malware unless you are highly experienced. Use your antivirus software, or seek professional help from a reputable computer repair service.

Conclusion

The Nodersok/Divergent campaign served as a stark reminder of the evolving nature of cyber threats. By understanding the techniques used in such attacks, we can take proactive steps to protect ourselves and our systems. Staying informed and practicing good cyber hygiene are essential in the fight against modern malware.
