Tech-giant Microsoft recently revealed a new malware campaign affecting thousands of Windows computers across the world. This new strain of malware that downloads and installs in the system automatically infecting the system turns into proxies for launching other cyberattacks and performs click-fraud.
The malware, named Nodersok, was first spotted over the summer, circulated via malicious ads that forcibly downloaded HTA which is HTML application files on users’ computers. Users who found and ran these HTA files started a multi-stage infection process involving Excel, JavaScript, and PowerShell scripts that eventually downloaded and installed the Nodersok malware trying to disable Windows Defender and Windows update. The HTML application (HTA) file, named in digits as 1566444384.hta differs in every attack and infection spread out.
According to Microsoft Defender Advanced Threat Protection (ATP) Research team, The majority of targets are consumers, though around 3 percent of encounters are seen in organizations in sectors like education, professional services, healthcare, finance, and retail mainly in Europe and US.
How to Prevent Such Malware?
To prevent infections, the best advice is that users not run any HTA files they get on their computers, especially if they don’t know about the files’ source. Files downloaded from a web page without knowing its authenticity are always a bad sign and shouldn’t be trusted, regardless of its validity.
The complicated part about Nodersok is, however, its use of legitimate apps and in-memory payloads – file-less execution. These two techniques create detecting Nodersok infections much harder for classic signature-based antivirus programs.
Based on Researchers’ study, the malware appears to be still under development, but the illicit actors behind it seem to have a plan to monetize their infections through click-fraud which means the malware is most likely to appear as pop-up window and make users go through it.
