“Divergent” and “Nodersok” are the names given to a payload that uses Node.exe, which is an implementation of NodeJS by Microsoft.
WinDivert, a packet capture tool, is another component of the malware. According to a report published by Microsoft, thousands of Windows PCs have been infected, with the USA and Europe as the main targets. Only 3% of the targets are organizations; the rest are mainly consumers. The way the malware evades detection is what places it in the “fileless malware” category.
The infection begins when a user downloads an HTML file that does not look suspicious but starts the execution of the attack. WinDivert is also used as part of a technique called “living off the land”, which helps evade antivirus signatures. The malware disables Windows Defender and builds an effective guard against detection. Microsoft reports that the malware’s aim is to perform malicious activities stealthily, whereas Talos argues that it is used for click fraud. Microsoft has stated:
“Like the Astaroth campaign, every step of the infection chain only runs legitimate LOLBins, either from the machine itself (mshta.exe, powershell.exe) or downloaded third-party ones (node.exe, Windivert.dll/sys). All of the relevant functionalities reside in scripts and shellcodes that are almost always coming in encrypted, are then decrypted, and run while only in memory. No malicious executable is ever written to the disk.”
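As an added illustration of how a defender can look for the chain Microsoft describes (mshta.exe and powershell.exe leading to node.exe, and WinDivert loaded as a driver), here is example detection logic written for this page; it is not code from Microsoft or NPAV. It runs over constructed process-creation and driver-load records in a simplified pipe-separated form; the field layout, pids and file paths are assumptions for illustration.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample telemetry (not real Sysmon output): one event per line,
# fields separated by "|": event|pid|ppid|image
SAMPLE_LOG = """\
process_create|1200|900|C:\\Windows\\explorer.exe
process_create|1300|1200|C:\\Windows\\System32\\mshta.exe
process_create|1400|1300|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
process_create|1500|1400|C:\\Users\\alice\\AppData\\Local\\Temp\\node.exe
driver_load|1500|0|C:\\Users\\alice\\AppData\\Local\\Temp\\WinDivert64.sys
process_create|1600|1200|C:\\Program Files\\nodejs\\node.exe
"""

# Script-host LOLBins named in Microsoft's description of the chain.
SCRIPT_HOSTS = {"mshta.exe", "powershell.exe"}
WINDIVERT_RE = re.compile(r"^windivert.*\.(sys|dll)$", re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def parse(log_text: str) -> List[Tuple[str, int, int, str]]:
    events = []
    for line in log_text.splitlines():
        if line.strip():
            event, pid, ppid, image = line.split("|", 3)
            events.append((event, int(pid), int(ppid), image))
    return events


def ancestors(pid: int, tree: Dict[int, Tuple[int, str]]) -> List[str]:
    """Walk the parent chain upward and return the executable names seen."""
    names, seen = [], set()
    while pid in tree and pid not in seen:
        seen.add(pid)
        ppid, image = tree[pid]
        names.append(basename(image))
        pid = ppid
    return names


def analyze(log_text: str) -> List[str]:
    """Flag node.exe descending from a script host, and any WinDivert driver load."""
    alerts, tree = [], {}
    for event, pid, ppid, image in parse(log_text):
        name = basename(image)
        if event == "process_create":
            tree[pid] = (ppid, image)
            hosts = [n for n in ancestors(ppid, tree) if n in SCRIPT_HOSTS]
            if name == "node.exe" and hosts:
                alerts.append(f"node.exe (pid {pid}) descends from {' <- '.join(hosts)}: {image}")
        elif event == "driver_load" and WINDIVERT_RE.match(name):
            alerts.append(f"WinDivert driver loaded by pid {pid}: {image}")
    return alerts
```

The node.exe launched from Program Files by explorer.exe in the sample is deliberately left unflagged, since a developer install of Node is benign; only the lineage through the script hosts triggers an alert.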
In short, Microsoft has appealed to its users to take better precautions and stay safe. People should understand that it’s not only executable files that can spread a virus. Any type of file from an untrusted source could be used by attackers to spread malware.
Use NPAV for complete protection against malware attacks.