Researchers from the Microsoft Defender Advanced Threat Protection (ATP) Research Team have confirmed that a sophisticated zombie threat has been targeting Windows users. Like the Great Duke of Hell before it, the Nodersok attack adopts a living-off-the-land binaries (“LOLBins”) methodology to evade detection by hiding in plain sight. What makes Nodersok particularly interesting, and potentially more dangerous, is that it combines these LOLBins from the machine itself with third-party ones that it downloads. No malicious executable is ever written to disk, and a successful attack attempts to disable both Windows Updates and Windows Defender. Thousands of consumers across the U.S. and Europe have already been targeted by this Windows zombie attack. Organizations are also on the zombie attack radar, with industry sectors including education, finance, healthcare and retail affected.
What is known about the Windows Nodersok zombie attack?
According to Andrea Lelli, part of the Microsoft Defender Advanced Threat Protection (ATP) Research Team, Nodersok has been active for several weeks now and has already attacked “thousands of machines,” mostly located across the U.S. and Europe. The threat campaign was first spotted by Microsoft security researchers in mid-July, courtesy of aberrant usage trends that were picked up by Microsoft Defender ATP telemetry. In early September, additional anomalies were noticed and a ten-fold increase in Nodersok activity was recorded.
Just like Astaroth, the malware responsible for the Great Duke of Hell Windows attack in July, Nodersok uses legitimate binaries in an attempt to be invisible by hiding in plain sight on the machine being targeted. These living-off-the-land binaries, known as LOLBins (powershell.exe, for example), lend threat activity an appearance of legitimacy, as it is executed by Windows processes.
The Nodersok zombie attack infection chain
“All of the relevant functionalities reside in scripts and shellcodes that are almost always coming in encrypted, are then decrypted, and run while only in memory,” Andrea Lelli said, “no malicious executable is ever written to the disk.”
According to the Cisco Talos research into the same malware campaign, the threat doesn’t end with the zombification of your computer. “This malware can be leveraged by an attacker to target corporate networks and appears to be primarily designed to conduct click-fraud,” said Edmund Brumaghin, a threat researcher with the Cisco Talos Intelligence Group. Brumaghin also revealed that the malware loader itself is still under active development, and there are multiple versions being used.
Fighting the Windows zombie apocalypse
You will be pleased to know that Microsoft has your back in the face of this particular zombie apocalypse. While attacks that exploit LOLBins are pretty smart from a technical perspective, they are not immune to detection as both Microsoft and Cisco Talos have aptly demonstrated. So, yes, the distributed network infrastructure behind Nodersok and the fact that it never writes any malicious executable to disk did combine to enable it to fly under the radar initially. But that cloak of invisibility was soon removed to reveal the zombie threat beneath. “Machine learning models in the Windows Defender Antivirus client generically detects suspicious obfuscation in the initial HTA file used in this attack,” Lelli said, “information like the process tree and behavior sequences are sent to the cloud, where behavior-based machine learning models classify files and identify potential threats.” And the tamper protection capabilities in Microsoft Defender ATP prevent the kind of system modifications that are used to disable Windows Defender Antivirus. The Cisco Advanced Malware Protection (AMP) Exploit Prevention engine also successfully stops this one dead (or maybe undead) in its tracks.
“Taking advantage of native Windows binaries is a very clever way to circumnavigate security, but it can be mitigated,” Jake Moore, cybersecurity specialist at ESET, says. Be it a malicious advert or a phishing email, the LOLBin zombie attack has to start somewhere, and a user has to click a link at some point. Some security solutions are better than others when it comes to detecting fileless malware that resides in memory only. If you happen to be employing such protection yourself then, “once the payload is executed, there is little to stop it,” Moore says, “so it is imperative that it’s located at the first hurdle.” That first hurdle is user awareness and education. “Companies which test their own employees’ cyber risk with simulated phishing emails can sometimes have a negative effect,” Moore says, “however, if it is carried out in a thoughtful way where no one will be vindicated, it can have some very positive effects and reduce the success of attacks such as this.”