Microsoft and Cisco's Talos researchers have both released reports this week outlining a cyber-threat in which a newly discovered strain of malware turns PCs into what Microsoft ominously calls "zombie proxies". It abuses otherwise legitimate programs, and Microsoft says it has infected thousands of computers across the US and Europe. The two companies call the malware Nodersok and "Divergent" respectively.

The campaign gets users to download and run an HTML application (HTA), most likely distributed through malicious ads. Running the HTA triggers an elaborate infection chain that leaves few traces, because it leverages programs already present on the system or downloads legitimate tools: Node.js, a runtime that executes JavaScript outside of a web browser, and WinDivert, a utility used to capture and divert network packets.

According to Microsoft's blog post, all of the relevant functionality resides in scripts and shellcode that almost always arrive encrypted; they are decrypted and run only in memory. No malicious executable is ever written to disk, which is why security researchers describe campaigns using these methods as "fileless". The post further explains that the malware disables Windows Defender, which explains how it has avoided tripping anti-virus software for so long, and then takes control of the PC. Nodersok turns the machine into a zombie-like proxy that can be used to relay traffic for other cyberattacks and to reach the attackers' command-and-control servers. Microsoft states that the campaign has infected thousands of machines, with most attacks conducted this month and targeted at consumers.
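The infection chain described in the two paragraphs above (a user-launched HTA, legitimate tools such as Node.js and WinDivert pulled in afterwards, Windows Defender switched off) leaves little on disk, so detection has to lean on process telemetry rather than file scanning. The following is an added example, not code from Microsoft, Talos or the malware itself: it runs a few process-tree heuristics over constructed Sysmon-style process-creation records. mshta.exe is Windows' built-in HTA host; the exact Defender-tampering command line, the file paths and the event layout are assumptions made for the illustration.

```python
"""Process-tree heuristics for the Nodersok/Divergent tradecraft described above.

Added illustration, not Microsoft's or Talos's detection logic. Assumes
Sysmon-style process-creation records (constructed below) carrying a PID,
parent PID, image path and command line. mshta.exe is the Windows HTA host;
node.exe and WinDivert are the tools named in the article; the Defender
tampering command is an assumed example of how such tooling is disabled.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the executable
    cmdline: str


# Constructed sample telemetry (not a real capture), in arrival order.
SAMPLE_EVENTS = [
    ProcEvent(400, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(412, 400, r"C:\Program Files\Mozilla Firefox\firefox.exe", "firefox.exe"),
    ProcEvent(520, 400, r"C:\Windows\System32\mshta.exe",
              r'mshta.exe "C:\Users\bob\Downloads\invoice.hta"'),
    ProcEvent(531, 520, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              'powershell.exe -w hidden -ep bypass -c "Set-MpPreference -DisableRealtimeMonitoring $true"'),
    ProcEvent(545, 531, r"C:\Users\bob\AppData\Local\Temp\node.exe",
              r"node.exe C:\Users\bob\AppData\Local\Temp\agent.js"),
    ProcEvent(560, 531, r"C:\Windows\System32\sc.exe",
              r"sc.exe create WinDivert1.4 type= kernel binPath= C:\Users\bob\AppData\Local\Temp\WinDivert64.sys"),
    # Benign developer use of Node.js from its normal install path: must not fire.
    ProcEvent(600, 400, r"C:\Program Files\nodejs\node.exe", "node.exe server.js"),
]

SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "node.exe"}
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")
DEFENDER_TAMPER = re.compile(r"set-mppreference.*disable|add-mppreference.*exclusion", re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ancestors(ev: ProcEvent, by_pid: dict) -> list:
    """Walk ppid links upward, returning ancestor image basenames (nearest first)."""
    chain, seen, cur = [], set(), by_pid.get(ev.ppid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(basename(cur.image))
        cur = by_pid.get(cur.ppid)
    return chain


def analyse(events: list) -> list:
    """Return (pid, rule) findings; each rule maps to one trait described in the article."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        name = basename(ev.image)
        # 1. A script host descended from mshta.exe: the user ran the malicious HTA.
        if name in SCRIPT_HOSTS and "mshta.exe" in ancestors(ev, by_pid):
            findings.append((ev.pid, "script host descended from mshta.exe"))
        # 2. Node.js launched from a user-writable location rather than its installer path.
        if name == "node.exe" and not ev.image.lower().startswith(TRUSTED_PREFIXES):
            findings.append((ev.pid, "node.exe outside a trusted install path"))
        # 3. The WinDivert packet-diversion component being referenced (here, driver install).
        if "windivert" in ev.cmdline.lower():
            findings.append((ev.pid, "WinDivert component referenced"))
        # 4. Windows Defender being switched off (assumed tamper command line).
        if DEFENDER_TAMPER.search(ev.cmdline):
            findings.append((ev.pid, "Defender tampering command"))
    return findings


if __name__ == "__main__":
    for pid, rule in analyse(SAMPLE_EVENTS):
        print(pid, rule)
```

On the constructed sample the PowerShell process fires twice (HTA ancestry and Defender tampering), the Temp-folder node.exe fires twice (HTA ancestry and untrusted path), the WinDivert service creation fires once, and the developer's node.exe under Program Files fires nothing. Each rule on its own is noisy on a real fleet; the value is in the co-occurrence within one process tree, which is what the ancestry walk provides.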

