Microsoft: New Nodersok malware has infected thousands of PCs
New Nodersok malware installs Node.js to turn systems into proxies, perform click-fraud.

Thousands of Windows computers across the world have been infected with a new strain of malware that downloads and installs a copy of the Node.js framework to convert infected systems into proxies and perform click-fraud.

The malware, named Nodersok (in a Microsoft report) and Divergent (in a Cisco Talos report), was first spotted over the summer, distributed via malicious ads that forcibly downloaded HTA (HTML application) files on users' computers.

Users who found and ran these HTA files started a multi-stage infection process involving Excel, JavaScript, and PowerShell scripts that eventually downloaded and installed the Nodersok malware.

The malware itself has multiple components, each with its own role. There's a PowerShell module that tries to disable Windows Defender and Windows Update, and there's a component for elevating the malware's permissions to SYSTEM level. But