
New Malware ‘Nodersok’ Turns Windows PCs into Zombie Proxies


Technology giant Microsoft recently discovered a new malware campaign targeting thousands of computers across the world. The malware, dubbed Nodersok, infects computers and turns them into proxies that can be used to launch cyber-attacks.

Security researchers at Microsoft stated that the attack begins when a user downloads an HTML application (HTA) file named Player1566444384.hta. They added that the malware has infected thousands of computers across the world, targeting sectors including healthcare, finance, transport, aerospace, and education, mainly in the U.S. and Europe.

“The attack begins when a user downloads and runs an HTML application (HTA) file named Player1566444384.hta. The digits in the file name differ in every attack. Analysis of Microsoft Defender ATP telemetry points to compromised advertisements as the most likely infection vector for delivering the HTA files. The mshta.exe tool (which runs when an HTA file runs) was launched with the embedding command-line parameter, which typically indicates that the launch action was initiated by the browser,” Microsoft said in a statement.

According to the researchers, the Nodersok campaign delivers two legitimate tools to infected computers. One is Node.exe, the Node.js framework used by many applications, and the other is WinDivert, a network capture utility. Neither tool is vulnerable or malicious in itself; the campaign abuses them to turn the infected machines into zombie proxies.
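One way a defender can look for the chain described above in endpoint telemetry, as an added example that is not part of the original article or of Microsoft's own tooling: a small Python rule set run over constructed process-creation events. The field names (parent, image, cmdline), the file paths and the -Embedding spelling are assumptions made for the sample, not values taken from the campaign.

```python
import re

# Constructed sample process-creation events modelled on the chain described above
# (assumed field names: parent, image, cmdline). These are NOT real telemetry.
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'mshta.exe "C:\Users\alice\Downloads\Player1566444384.hta" -Embedding'},
    {"parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Users\alice\AppData\Local\Temp\node.exe",
     "cmdline": r'node.exe "C:\Users\alice\AppData\Local\Temp\05sall.js"'},
    {"parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Users\alice\AppData\Local\Temp\node.exe",
     "cmdline": r'node.exe "C:\Users\alice\AppData\Local\Temp\net.js" "C:\Users\alice\AppData\Local\Temp\WinDivert64.dll"'},
    # Benign: an installer HTA opened by hand from a vendor directory.
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'mshta.exe "C:\Program Files\Vendor\setup.hta"'},
    # Benign: the system-wide Node.js runtime running a developer's script.
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\nodejs\node.exe",
     "cmdline": r"node.exe server.js"},
]

USER_WRITABLE = re.compile(r"\\(Users|ProgramData|Temp)\\", re.IGNORECASE)
HTA_ARG = re.compile(r"\.hta\b", re.IGNORECASE)
EMBEDDING = re.compile(r"(?:^|\s)[-/]embedding\b", re.IGNORECASE)
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"}

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def evaluate(event):
    # Returns the names of the rules that one process-creation event trips.
    hits = []
    image, parent, cmd = basename(event["image"]), basename(event["parent"]), event["cmdline"]
    # Rule 1: mshta.exe runs an .hta from a user-writable path, launched with the
    # embedding flag or directly by a browser (the browser-initiated pattern above).
    if (image == "mshta.exe" and HTA_ARG.search(cmd) and USER_WRITABLE.search(cmd)
            and (EMBEDDING.search(cmd) or parent in BROWSERS)):
        hits.append("hta_from_browser")
    # Rule 2: node.exe is legitimate; running it from a user-writable directory is not typical.
    if image == "node.exe" and USER_WRITABLE.search(event["image"]):
        hits.append("node_outside_program_files")
    # Rule 3: WinDivert components referenced from a user-writable path.
    text = event["image"] + " " + cmd
    if "windivert" in text.lower() and USER_WRITABLE.search(text):
        hits.append("windivert_user_path")
    return hits

def scan(events):
    # Runs every rule over every event; returns (rule, command line) pairs.
    return [(hit, e["cmdline"]) for e in events for hit in evaluate(e)]
```

Running `scan(SAMPLE_EVENTS)` flags the three constructed malicious events and leaves the two benign ones untouched; real deployments would tune the path and browser lists to the environment.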

“This infection chain was consistently observed in several machines attacked by the latest variant of Nodersok. Other campaigns (possibly earlier versions) with variants of this malware (whose main JavaScript payload was named 05sall.js or 04sall.js) were observed installing malicious encoded PowerShell commands in the registry that would end up decoding and running the final binary executable payload,” Microsoft added.

Last month, Microsoft revealed two new security flaws in its Windows Desktop Services package. However, the technology giant clarified that it has fixed both vulnerabilities. Security officials at Microsoft stated that the two vulnerabilities, tracked as CVE-2019-1181 and CVE-2019-1182, can be exploited by attackers to launch wormable attacks that spread across different network systems without a user's knowledge.

Microsoft also stated that the present flaws are similar to the vulnerability known as BlueKeep (CVE-2019-0708), which was patched in May 2019. The versions of Windows affected by the flaws include Windows 7 SP1, Windows 8.1, Windows Server 2008 R2 SP1, Windows Server 2012, Windows Server 2012 R2, and versions of Windows 10. Windows Server 2003, Windows XP and Windows Server 2008, however, are not affected by the flaws.