Microsoft and Cisco Talos have observed, in two forms, a campaign that exploits several legitimate tools on Windows systems.

One is called Nodersok; the other, Divergent.

But Microsoft and Cisco Talos appear to have identified the same phenomenon.

Namely, a malware distribution campaign whose distinguishing feature is that it relies only on "legitimate" tools, some of which are already present on the targeted systems.

Microsoft and Cisco Talos have observed two different forms, but with the same entry point: an HTML application.

It is downloaded when the user clicks on an element in the browser, or it is hidden in an advertising banner.

Microsoft emphasizes the use of trusted CDNs to increase the chances of going under the radar.

Node.js hijacked

This HTML application is only the first link in the chain.

In the scenario presented by Cisco Talos, it paves the way for the installation of several components that support click-fraud activity.

To that end, it creates several entries in the Windows registry and integrates its various components.

The oldest version that Cisco Talos has detected dates back to February 2019.

Over time, Divergent has become more discreet, whether by making greater use of PowerShell scripts or by favouring in-memory execution.

Once the initial payload is in place, it performs several checks, including that the CPU has at least two cores.

It then attempts to disable some Windows Defender features while preventing them from updating.

Click fraud is carried out through Node.exe, the executable of the Node.js framework.

Divergent takes its name from the WinDivert tool, which is used to manipulate certain network packets and to impersonate other devices (Android and iOS in particular).
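The behaviours described above (Defender features switched off, updates blocked, Node.exe used as a runtime, a WinDivert driver on the host) are all things an administrator can check for locally. The following PowerShell triage script is an added example written for this page; it is not code from Microsoft, Cisco Talos, or the campaign itself. It only uses documented Defender cmdlets and WMI classes. The signature-age threshold, the "node.exe outside Program Files" heuristic, the `WinDivert*` driver-name pattern and the policy registry paths are assumptions chosen for illustration, not indicators published for Nodersok or Divergent, and domain-managed hosts may legitimately set some of these policies.

```powershell
# Added defender-side triage script (not from the Microsoft or Cisco Talos write-ups).
# Reports conditions matching the behaviours described in the article. Thresholds,
# driver-name pattern and registry paths are assumptions, not published indicators.
# Requires the Defender PowerShell module (present on Windows 10/11 and Server with Defender).

$findings = New-Object System.Collections.Generic.List[string]

# 1. Defender feature state and signature freshness.
$status = Get-MpComputerStatus
$pref   = Get-MpPreference

if (-not $status.RealTimeProtectionEnabled) { $findings.Add('Real-time protection is OFF') }
if (-not $status.BehaviorMonitorEnabled)    { $findings.Add('Behaviour monitoring is OFF') }
if (-not $status.IoavProtectionEnabled)     { $findings.Add('IOAV (downloaded file) protection is OFF') }
if ($pref.DisableScriptScanning)            { $findings.Add('Script scanning is disabled in preferences') }

# Assumed threshold: signatures older than 3 days suggest updates are being blocked.
if ($status.AntivirusSignatureAge -gt 3) {
    $findings.Add("Signatures are $($status.AntivirusSignatureAge) days old (last update $($status.AntivirusSignatureLastUpdated))")
}

# Exclusions blind the scanner without turning it off; list any that are configured.
foreach ($p in @($pref.ExclusionPath) + @($pref.ExclusionProcess)) {
    if ($p) { $findings.Add("Defender exclusion configured: $p") }
}

# 2. Group Policy registry values that force Defender features off.
#    (Legitimate on hosts where another AV is deployed by policy; verify against your baseline.)
$policyChecks = @(
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender';                      Name = 'DisableAntiSpyware' },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'; Name = 'DisableRealtimeMonitoring' }
)
foreach ($c in $policyChecks) {
    $v = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    if ($v -and $v.($c.Name) -eq 1) { $findings.Add("Policy value set: $($c.Path)\$($c.Name) = 1") }
}

# 3. node.exe processes. Assumed heuristic: a developer install normally lives under
#    Program Files; a copy running from a temp or data directory deserves a closer look.
Get-Process -Name node -ErrorAction SilentlyContinue | ForEach-Object {
    $path = $_.Path   # may be $null if the process is not accessible
    if ($path -and $path -notlike "$env:ProgramFiles\*") {
        $findings.Add("node.exe (PID $($_.Id)) running from $path")
    }
}

# 4. WinDivert kernel driver registered on the system. The name pattern is an assumption;
#    a few legitimate network tools also ship WinDivert, so treat a hit as a lead, not a verdict.
Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.Name -like 'WinDivert*' -or $_.PathName -like '*WinDivert*' } |
    ForEach-Object { $findings.Add("WinDivert driver present: $($_.Name) ($($_.PathName)), state $($_.State)") }

if ($findings.Count -eq 0) { 'No findings.' } else { $findings | ForEach-Object { "[!] $_" } }
```

Run it in an elevated PowerShell session so that `Get-Process` can read executable paths and the policy keys are readable. Each line it prints is a lead to correlate with the host's expected configuration, not a confirmation of compromise on its own.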

Microsoft saw a spike in activity in early September.

Microsoft speaks of "thousands of machines" targeted in recent weeks, mainly in the United States (60%) and Europe (21% in the United Kingdom, 3% in France).

The Redmond firm notes the short lifespan (1 to 2 days) of the domains from which the HTML application downloads the other components.

It also points to the capability Nodersok provides to turn compromised machines into proxies.

In other words, into relays for spreading malware.