Categories
Internet Security

Microsoft Warns of a New Rare Fileless Malware Hijacking Windows Computers

Add Your Heading Text Here

Share it:

There’s a new strain of malware making rounds on the Internet that has already infected thousands of computers worldwide and most likely, your antivirus program would not be able to detect it.

Why? That’s because, first, it’s an advanced fileless malware and second, it leverages only legitimate built-in system utilities and third-party tools to extend its functionality and compromise computers, rather than using any malicious piece of code.

The technique of bringing its own legitimate tools is effective and has rarely been spotted in the wild, helping attackers to blend in their malicious activities with regular network activity or system administration tasks while leaving fewer footprints.

Independently discovered by cybersecurity researchers at Microsoft and Cisco Talos, the malware — dubbed “Nodersok” and “Divergent” — is primarily being distributed via malicious online advertisements and infecting users using a drive-by download attack.

First spotted in mid-July this year, the malware has been designed to turn infected Windows computers into proxies, which according to Microsoft, can then be used by attackers as a relay to hide malicious traffic; while Cisco Talos believes the proxies are used for click-fraud to generate revenue for attackers.

The infection begins when malicious ads drop HTML application (HTA) file on users’ computers, which, when clicked, executes a series of JavaScript payloads and PowerShell scripts that eventually download and install the Nodersok malware.

“All of the relevant functionalities reside in scripts and shellcodes that are almost always coming in encrypted, are then decrypted, and run while only in memory. No malicious executable is ever written to the disk,” Microsoft explains.

At last, the malware drops the final JavaScript payload written for the Node.js framework that converts the compromised system into a proxy.

Nodersok Infected Thousands of Windows Users

According to Microsoft, the Nodersok malware has already infected thousands of machines in the past several weeks, with most targets located in the United States and Europe.

While the malware primarily focuses on targeting Windows home users, researchers have seen roughly 3% of attacks targeting organization from industry sectors, including education, healthcare, finance, retail, and business and professional services.

Since the malware campaign employs advanced fileless techniques and relies on elusive network infrastructure by making use of legit tools, the attack campaign flew under the radar, making it harder for traditional signature-based antivirus programs to detect it.

However, the company says that the malware’s “behavior produced a visible footprint that stands out clearly for anyone who knows where to look.”

In July this year, Microsoft also discovered and reported another fileless malware campaign, dubbed Astaroth, that was designed to steal users’ sensitive information, without dropping any executable file on the disk or installing any software on the victim’s machine.

Microsoft said its Windows Defender ATP next-generation protection detects this fileless malware attacks at each infection stage by spotting anomalous and malicious behaviors, such as the execution of scripts and tools.

Categories
Internet Security

How to set up a malware lab to analyze malware samples

Add Your Heading Text Here

Share it:

In this article, we will look at how to set up a lab to test or analyze malware samples statically.

Although Remnux advise malware analyst(s) can make use of its toolkit to reverse engineer malware, we will make use of another tool to reverse engineer malware.

We will make use of Remnux linux distribution(based on Ubuntu) to set up a malware lab.

With Remnux linux, we can:

  • Examine properties and contents of suspicious files
  • Investigate Linux and Windows malware
  • Examine browser malware
  • Analyze malicious document files

You can make use of the following steps to set up a malware lab:

Step 1:

You need to have Vmware on your windows machine or Virtual Box on your linux machine.

Step 2:

If you have installed and downloaded Vmware or VirtualBox, then you can perform the following to install Remnux linux and get it working.

If you are installing Remnux via Vmware, you can perform the following instructions:

(i) Open your Vmware and click on “Open a virtual machine” as shown below:

(ii) Afterwards browse to the download page and choose to the “Remnux Ova file” as shown below:

(iii) Choose a suitable name for the virtual machine and name for the storage path:

(iv) Click on the import button to import the new virtual machine.

(v) Finally power on the new virtual machine to start Remnux linux as shown below in the screenshot: 

Now we have successfully set up a lab to statically analyze malware samples.

In our next article, we will look at how to make the test lab air-tight before we test malware samples.

Author: Michael