Researchers from Cisco Talos recently discovered a new malware loader being used to deliver and infect systems using NodeJS as well as the legitimate open-source utility WinDivert.

The use of NodeJS is not something commonly seen across malware families, and appears as Living off the Land (LotL) attack.

What is Living off the Land (LotL) attack?

The concept of LotL is not new, and has been around for as long as 25 years: it consists of the weaponizing of system tools, usually not identified as malicious by AV solutions.

Fileless attacks, for example, are a subset of LotL attacks: using trusted off-the-shelf and preinstalled system tools, malware can easily carry out their work avoiding antimalware monitoring.

On Windows there are more than 100 system tools that can be used by cyber criminals for LotL attacks, but usually the most used are PowerShell and VB scripts.

The "Divergent" malware

The malware, discovered and analyzed by researchers from Cisco Talos, deliveres two very unusual, legitimate tools to infected machines:

  • Node.exe, the Windows implementation of Node.js framework, used by countless web applications
  • WinDivert, a network packet capture and manipulation utility

According with the Talos analysis, the malware uses a Node.exe with a valid digital signature, allowing a malicious JavaScript to operate within the context of a trusted process.
The JavaScript payload itself is relatively simple, with two purposes:

  • Connect back to the remote C&C
  • Receive HTTP requests to proxy back to it

Finally, the WinDivert packet capture library is used to intercepting packets and modify them in order to trying to evade IPS monitoring.

This kind of threat is under active development, constantly evolving:

The malware loader described is currently under active development. Talos has observed multiple versions of the loader being used to install the Divergent malware. Attackers are attempting to monetize these infections through the use of click fraud.
The threat landscape is constantly evolving as attackers test new techniques and methodologies to maximize their revenue generation capabilities.