Nodersok Description

Many cyber crooks are taking an interest in techniques known as LOLBins (Living-Off-the-Land Binaries). These are becoming increasingly popular because they allow cybercriminals to bypass anti-malware tools: the campaign is carried out through legitimate applications and services, which helps the operators remain under the radar. Recently, malware researchers have spotted a new threat that employs LOLBins techniques – Nodersok. Its authors have gone a step further and made sure these techniques are used at every phase of the attack, making Nodersok a threat that operates very quietly.

Turns Compromised Machines into Proxy Servers

The creators of the Nodersok threat are using it to infect hosts and turn them into proxy servers by planting a proxy script that runs on the Node.js framework. It is not clear exactly what they plan to do with the infiltrated machines, but they may be used as part of the fast-growing infrastructure of Nodersok's creators or simply be employed in mass spam email campaigns.

Most Victims are Regular Users

The activity of Nodersok is concentrated mainly in the United States and Europe. It has been reported that the victims already number in the thousands, which is rather impressive. Cybersecurity experts have estimated that 3% of the infected hosts belong to corporations, which means that almost all the PCs that have fallen victim to the Nodersok malware belong to regular users.

How the Attack is Carried Out

The Nodersok threat executes a few tasks as a part of its attack:

  • Malicious advertisements deliver a '.hta' file to the user; the file is hosted on a genuine cloud service.
  • If the user runs the file, the JavaScript code embedded in it triggers the download of a '.xsl' or a '.js' file.
  • Once the second file is on the system, it begins a decryption process that unlocks a PowerShell command.
  • Next, the revealed PowerShell command enables the threat to plant additional LOLBins on the host.

Additional LOLBins

If the Nodersok threat is successful and manages to download the extra LOLBins, the user may be in a fair bit of trouble, as these tools include:

  • The previously mentioned Node.js framework.
  • A module related to the Node.js framework, which allows the operators to turn the host into a dormant proxy server.
  • A network packet capture kit called WinDivert.
  • A shellcode that allows the attackers to gain administrator privileges on the infected host.
  • A PowerShell script that makes sure none of the Windows security tools are functioning as long as the Nodersok malware is present on the system.
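As an added illustration from the defender's side (not part of the original write-up), the following Python flags the process lineage implied by the attack steps and the tools listed above. It assumes that '.hta' files are executed by mshta.exe and that the Node.js runtime appears as node.exe; the events it inspects are constructed, not real telemetry.

```python
"""Added example: flag a Nodersok-style LOLBin process chain in process-creation events.
Sample events are constructed for illustration; they are not real telemetry."""

# Constructed process-creation events: pid, parent pid, image name, command line.
EVENTS = [
    {"pid": 100, "ppid": 1, "image": "explorer.exe", "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "mshta.exe", "cmd": r"mshta.exe C:\Users\u\Downloads\offer.hta"},
    {"pid": 300, "ppid": 200, "image": "powershell.exe", "cmd": "powershell.exe -WindowStyle Hidden -Command ..."},
    {"pid": 400, "ppid": 300, "image": "node.exe", "cmd": r"node.exe C:\Users\u\AppData\Local\Temp\proxy.js"},
    {"pid": 500, "ppid": 100, "image": "powershell.exe", "cmd": "powershell.exe Get-Date"},
]

# Stages of the chain described above, root first. Assumptions: .hta files are executed by
# mshta.exe, the decrypted command runs under powershell.exe, and the Node.js runtime is node.exe.
STAGES = [{"mshta.exe"}, {"powershell.exe"}, {"node.exe"}]

# Artifact names the write-up mentions; matched case-insensitively against command lines.
MARKERS = (".hta", ".xsl", "windivert")


def lineage(events, pid):
    """Return image names from the root ancestor down to pid (root first)."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid]["image"].lower())
        pid = by_pid[pid]["ppid"]
    return chain[::-1]


def find_chain(events, stages=STAGES):
    """Return pids whose ancestry contains every stage in order; intermediate processes are allowed."""
    hits = []
    for e in events:
        stage = 0
        for image in lineage(events, e["pid"]):
            if stage < len(stages) and image in stages[stage]:
                stage += 1
        if stage == len(stages):
            hits.append(e["pid"])
    return hits


def suspicious_cmdlines(events, markers=MARKERS):
    """Return pids whose command line names one of the artifacts (noisy alone; pair with find_chain)."""
    return [e["pid"] for e in events if any(m in e["cmd"].lower() for m in markers)]


if __name__ == "__main__":
    print("chain hits:", find_chain(EVENTS))            # [400]
    print("marker hits:", suspicious_cmdlines(EVENTS))  # [200]
```

The lineage match tolerates intermediate processes, so a chain such as mshta.exe > wscript.exe > powershell.exe > node.exe is still caught, while the unrelated powershell.exe started directly from explorer.exe is not.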

The authors of the Nodersok threat take their operational security very seriously and cover their tracks every 2-3 days by replacing the domains that host the extra JavaScript code.

The Nodersok malware is not a threat you can take lightly. Make sure you download and install a reputable anti-virus suite, which will help you remove the Nodersok malware from your system safely.
