In the last month or so, a hard-to-detect class of malware has been discovered. The malware, called Nodersok, does not leave an executable that can be detected and removed.

Nodersok hides in HTML applications. Most likely, subverted ad servers are being used to distribute the malware to unsuspecting users. All of the relevant functionality resides in scripts and shellcode that are almost always encrypted. They are then decrypted and run only in memory. No malicious executable is ever written to the disk.

When the HTML application file runs, it tries to reach out to a randomly named domain to download additional JavaScript code. The domains used in this first stage are short-lived: they are registered and brought online and, after a day or two (the span of a typical campaign), they are dropped and their related DNS entries are removed.

It works as follows: the JavaScript downloads another script, which then loads PowerShell. There is an attempt to shut down Windows Defender and Windows Update. The final payload is another JavaScript that attempts to turn the machine into a proxy. By using an environment variable, Nodersok's scripts avoid putting anything in the command-line arguments, which could be checked.

The attack begins when a user downloads and runs an HTML application (HTA) file named Player1566444384.hta. The digits in the file name differ in every attack. CloudFront is not a malicious entity or service, and it was likely used by the attackers exactly for that reason: because it’s not a malicious domain, it is unlikely to raise alarms. Similar to the Appspot domains used by spammers, CloudFront has been used for nefarious purposes.
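The chain described above (an HTA lure named Player plus changing digits, then a script that starts PowerShell) can be hunted in process-creation logs. The following is an added example, not code from Microsoft's research or from this article; the event fields, the sample events, and the inclusion of wscript.exe and cscript.exe alongside mshta.exe are assumptions made for illustration.

```python
import re
from ntpath import basename  # parses Windows paths on any OS

# Constructed process-creation events (Sysmon Event ID 1 style); not real telemetry.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\mshta.exe",
     "parent": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": r'mshta.exe "C:\Users\alice\Downloads\Player1566444384.hta"'},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\mshta.exe",
     "cmdline": "powershell.exe -NoProfile"},  # nothing telling in the arguments
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "powershell.exe"},  # interactive admin session, should not fire
    {"image": r"C:\Windows\System32\mshta.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'mshta.exe "C:\Tools\inventory.hta"'},  # in-house HTA, should not fire
]

# "Player" followed by digits that change per attack, as the article describes.
LURE_RE = re.compile(r"\\Player\d+\.hta\b", re.IGNORECASE)
# Script hosts to watch as parents (assumption: mshta plus the Windows Script Host binaries).
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}

def classify(event):
    """Return the list of rule names an event trips (empty list means clean)."""
    image = basename(event["image"]).lower()
    parent = basename(event["parent"]).lower()
    hits = []
    if image == "mshta.exe" and LURE_RE.search(event["cmdline"]):
        hits.append("hta_lure_filename")
    # Keyed on the parent/child pair, not on arguments: the article notes the
    # scripts use an environment variable, so the arguments may show nothing.
    if image == "powershell.exe" and parent in SCRIPT_HOSTS:
        hits.append("script_host_spawns_powershell")
    return hits

def scan(events):
    """Pair each flagged event's index with the rules it tripped."""
    return [(i, hits) for i, e in enumerate(events) if (hits := classify(e))]

if __name__ == "__main__":
    for index, hits in scan(SAMPLE_EVENTS):
        print(index, SAMPLE_EVENTS[index]["image"], hits)
```

The file-name rule only covers the lure name given in the article, so the parent/child rule is the one that would survive a renamed lure.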

Microsoft posted some research a few days ago, and additional work has been done over the last few days to get a better handle on the extent of this new malware campaign. It is known that the current campaign has been under active development for quite a while, as earlier variants have similar characteristics.

Nodersok has targeted “thousands of machines” in recent weeks, according to Microsoft, and that might not let up in the near future. Most machines attacked so far are in education, but it’s still early in the cycle. Windows Defender has been updated to handle this new type of attack. Chrome has been hardened as well against many malicious threats. This type of malware is why people should not skip updates: updated machines have a better chance of avoiding malware. Windows 7 and 8 are not able to protect machines from this class of threat. Windows 10 was redesigned to be better protected from ransomware and hijacking. Nodersok is very crafty in its operation.

It is vital that people upgrade to the latest version of Windows 10 immediately. New classes of malware are being developed that are very insidious. Windows 10 version 1909 is hardened against Nodersok. Always update Windows; the security hazards are growing exponentially.


Thanks to the NSA and Mossad and the misguided 2010 cyber warfare against Iran, the world now has to endure a vast number of new cyber threats.

The Stuxnet malware was noticed here in 2009, when a JMicron certificate was found to be improper in the driver stores. By 2010 the malware had spread widely.

The NSA Equation Group seems to be responsible for the malware. Besides Stuxnet, there is the Flame malware. The malware was noticed on CDs as well as USB sticks from academia. Kaspersky also noticed something was wrong a year earlier, in 2008, which is what alerted me to be more vigilant. The EternalBlue exploit on June 27, 2017 led to the development of the WannaCry ransomware attacks. Windows was patched to block it, but many did not secure their systems, at their peril. EternalBlue attacks the Server Message Block (SMB) protocol.