The big picture
The attack relies on an elusive network infrastructure and makes use of advanced fileless techniques.
“Like the Astaroth campaign, every step of the infection chain only runs legitimate LOLBins, either from the machine itself (mshta.exe, powershell.exe) or downloaded third-party ones (node.exe, Windivert.dll/sys). All of the relevant functionalities reside in scripts and shellcodes that are almost always coming in encrypted, are then decrypted, and run while only in memory,” say the researchers from Microsoft.
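Detection logic for the process chain the quote describes, as an added example that is not part of the original article or of Microsoft's report: the event records are constructed in a Sysmon-like shape, and the field names, pids and file paths are assumptions. It walks process ancestry to flag node.exe descending from mshta.exe and powershell.exe, and flags node.exe loading a WinDivert image.

```python
# Constructed Sysmon-like process-creation and image-load events; not real telemetry.
# Field names (type, pid, ppid, image) and paths are assumptions for this example.

def basename(path):
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def ancestry(procs, pid):
    """Return image basenames [self, parent, grandparent, ...], stopping at unknown or cyclic pids."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(basename(procs[pid]["image"]))
        pid = procs[pid]["ppid"]
    return chain

def detect(events):
    """Flag the LOLBin chain mshta.exe -> powershell.exe -> node.exe and node.exe loading WinDivert."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    alerts = []
    for e in events:
        if e["type"] == "process" and basename(e["image"]) == "node.exe":
            chain = ancestry(procs, e["pid"])
            if "powershell.exe" in chain and "mshta.exe" in chain:
                alerts.append(f"pid {e['pid']}: node.exe descended from mshta/powershell: {' <- '.join(chain)}")
        elif e["type"] == "imageload" and basename(e["image"]).startswith("windivert"):
            proc = procs.get(e["pid"])
            if proc and basename(proc["image"]) == "node.exe":
                alerts.append(f"pid {e['pid']}: node.exe loaded {basename(e['image'])}")
    return alerts

SAMPLE_EVENTS = [
    {"type": "process", "pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe"},
    {"type": "process", "pid": 200, "ppid": 100, "image": r"C:\Windows\System32\mshta.exe"},
    {"type": "process", "pid": 300, "ppid": 200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"type": "process", "pid": 400, "ppid": 300, "image": r"C:\Users\Public\node.exe"},
    {"type": "imageload", "pid": 400, "image": r"C:\Users\Public\WinDivert.dll"},
    # Benign control: node.exe started from a normal install with no mshta ancestor and no WinDivert.
    {"type": "process", "pid": 500, "ppid": 100, "image": r"C:\Program Files\nodejs\node.exe"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```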
Most victims of this campaign have been consumers, but around 3% of the attacks targeted organizations.
Analyzing the Nodersok campaign
Infection by Nodersok is a multi-stage process that downloads several components to the compromised system.
The malware has also been analyzed by researchers at Cisco, who are calling it ‘Divergent’.
While the Microsoft report says that the infected machines are turned into proxies for malicious activities, the Cisco report says that attackers use the proxies for click-fraud.