Microsoft and Cisco’s Talos researchers have both released reports this week outlining a newly discovered strain of malware that turns infected PCs into what Microsoft ominously calls “zombie proxies”. The malware abuses otherwise legitimate programs (the Node.js runtime among them, in what defenders call a living-off-the-land approach), and Microsoft says it has infected thousands of computers across the US and Europe. Microsoft calls the malware Nodersok; Talos calls it “Divergent”.
According to a Microsoft blog post, all of the malware’s functionality lives in scripts and shellcode that arrive encrypted, are decrypted on the victim machine, and run only in memory. No malicious executable is ever written to disk, which is why security practitioners describe campaigns using these methods as “fileless”: there is no file on disk for signature-based antivirus to scan. The post further explains that the malware disables Windows Defender, which explains how it avoided tripping the antivirus software for so long, and then takes control of the PC. Nodersok turns the infected machine into a zombie-like proxy that relays traffic to and from attacker-controlled command-and-control servers and can be used to launch further attacks. Microsoft states that the campaign has infected thousands of machines, with most attacks observed this month and aimed at consumers.
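Because the payload never touches disk, the practical place to catch a campaign like this is process-creation telemetry: the launcher command line that fetches, decodes and runs the in-memory stages, and the command that switches Defender’s real-time protection off. The script below is an added example, not code from Microsoft, Talos or the malware itself. It runs over a few constructed Sysmon-style process records (not real telemetry from the campaign), decodes PowerShell `-EncodedCommand` arguments (Base64 of UTF-16LE, the format PowerShell actually uses) so that obfuscated content can be inspected, and flags two indicator classes. The indicator patterns are illustrative assumptions, not a published detection rule.

```python
import base64
import re

# PowerShell accepts any unique prefix of -EncodedCommand; these are the common ones.
ENCODED_ARG = re.compile(
    r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{8,})", re.IGNORECASE)

# Illustrative indicator patterns (assumptions for this example, not a vendor rule):
#  - defender_tamper: turning Defender off or carving out exclusions
#  - in_memory_exec:  decoding and executing code without writing a file
INDICATORS = {
    "defender_tamper": re.compile(
        r"Set-MpPreference\s+-Disable|DisableRealtimeMonitoring|DisableAntiSpyware"
        r"|Add-MpPreference\s+-Exclusion", re.IGNORECASE),
    "in_memory_exec": re.compile(
        r"\bIEX\b|Invoke-Expression|FromBase64String|Reflection\.Assembly\]::Load",
        re.IGNORECASE),
}


def encode_command(script: str) -> str:
    """Produce the exact encoding PowerShell expects for -EncodedCommand."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str):
    """Return the decoded script if the command line carries an encoded command, else None."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
        return raw.decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        # Not valid Base64/UTF-16LE: treat as no encoded command rather than crash.
        return None


def analyze(event: dict) -> dict:
    """Decode the command line (if encoded) and match indicators against both forms."""
    cmdline = event["CommandLine"]
    decoded = decode_encoded_command(cmdline)
    text = cmdline if decoded is None else cmdline + "\n" + decoded
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(text))
    if decoded is not None:
        # An encoded command is itself worth surfacing, even before its content is matched.
        hits.insert(0, "encoded_command")
    return {"image": event["Image"], "decoded": decoded, "indicators": hits}


def triage(events) -> list:
    """Return only the events that raised at least one indicator."""
    return [r for r in (analyze(e) for e in events) if r["indicators"]]


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed sample process-creation records, embedded so the example runs offline.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c dir"},
    {"Image": PS,
     "CommandLine": "powershell.exe -NoP -W Hidden -EncodedCommand "
                    + encode_command("Set-MpPreference -DisableRealtimeMonitoring $true")},
    {"Image": PS,
     "CommandLine": 'powershell.exe -NoP -W Hidden -c "$b=[Convert]::FromBase64String($env:X);'
                    '[System.Reflection.Assembly]::Load($b)"'},
    {"Image": PS,
     "CommandLine": "powershell.exe -ExecutionPolicy Bypass -File maintenance.ps1"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding["indicators"], finding["image"])
        if finding["decoded"]:
            print("  decoded:", finding["decoded"])
```

The decode step is the part that matters: matching `DisableRealtimeMonitoring` against the raw command line alone would miss the second record entirely, because the string only exists inside the Base64 blob. The fourth record shows why the encoded-argument regex must not fire on `-ExecutionPolicy`, a legitimate flag that shares the `-e` prefix.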