A newly discovered strain of malware turns PCs into what Microsoft ominously calls “zombie proxies” by abusing otherwise legitimate programs (Microsoft’s write-up names the Node.js runtime and the WinDivert packet-capture driver), and the company says it has infected thousands of computers across the U.S. and Europe.
Microsoft and Cisco’s Talos researchers both released reports this week outlining the threat, which they call Nodersok and Divergent respectively.
“All of the relevant functionalities reside in scripts and shellcodes that are almost always coming in encrypted, are then decrypted, and run while only in memory. No malicious executable is ever written to the disk,” a Microsoft blog post reads. Because no payload ever touches the disk, security researchers describe campaigns that work this way as “fileless”: file-based anti-virus scanning has nothing to inspect, so detection has to rely on script and in-memory behaviour instead.
The malware also disables Windows Defender, which explains how it avoided tripping the anti-virus software for so long, and can take control of a PC. Beyond that, however, Microsoft and Cisco researchers are divided on its ultimate objective. Microsoft believes attackers use the infected machines as proxies to reach other networks and “perform stealthy malicious activities.” Cisco Talos, meanwhile, argues the malware shares several characteristics with malware built for click fraud, a tactic that cost advertisers an estimated $19 billion last year alone, according to Forbes.
Either way, Microsoft says the campaign has infected thousands of machines, with most attacks occurring this month and aimed at consumers. Both companies say their anti-virus products have been updated to detect this malware strain going forward.
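Two points above give a defender something concrete to verify on their own machines: the malware switches Windows Defender off, and the vendors’ new detections only help if signatures are actually current. The PowerShell triage script below is an added example written for this page; it is not code from the article, Microsoft or Cisco Talos. It checks that Defender’s engine, real-time protection and tamper protection are on, flags stale signatures, and lists Defender’s own “protection disabled” events (IDs 5001, 5010 and 5012 in the Microsoft-Windows-Windows Defender/Operational log). The 24-hour lookback and 7-day staleness threshold are arbitrary choices for illustration.

```powershell
# Added example, not from the article or the vendor reports.
# Assumes an elevated PowerShell session on a host with the Defender module
# (Get-MpComputerStatus / Get-MpPreference) available.

$status = Get-MpComputerStatus
$prefs  = Get-MpPreference

$findings = @()

# Engine and real-time protection state, as Defender reports it.
if (-not $status.AMServiceEnabled)          { $findings += 'Defender antimalware service is not running' }
if (-not $status.AntivirusEnabled)          { $findings += 'Antivirus engine is disabled' }
if (-not $status.RealTimeProtectionEnabled) { $findings += 'Real-time protection is off' }

# The preference a local script flips to turn monitoring off; worth checking
# separately because the status view can lag behind a change.
if ($prefs.DisableRealtimeMonitoring) { $findings += 'DisableRealtimeMonitoring preference is set' }

# Without tamper protection, any administrator-level script can switch Defender off.
if (-not $status.IsTamperProtected) { $findings += 'Tamper protection is off' }

# New detections for a freshly reported family only help with current signatures.
# 7 days is an arbitrary threshold chosen for this example.
$sigAge = (Get-Date) - $status.AntivirusSignatureLastUpdated
if ($sigAge.TotalDays -gt 7) {
    $findings += "Signatures are $([int]$sigAge.TotalDays) days old"
}

# Defender logs its own shutdowns: 5001 = real-time protection disabled,
# 5010 = malware scanning disabled, 5012 = virus scanning disabled.
# 24-hour lookback is an arbitrary choice for this example.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 5001, 5010, 5012
    StartTime = (Get-Date).AddHours(-24)
} -ErrorAction SilentlyContinue   # no matching events is reported as an error; treat it as "none"

foreach ($e in $events) {
    $firstLine = $e.Message.Split("`n")[0].Trim()
    $findings += "Defender event $($e.Id) at $($e.TimeCreated): $firstLine"
}

if ($findings.Count -eq 0) {
    Write-Output 'OK: Defender enabled, tamper-protected, signatures current, no disable events in the last 24h'
} else {
    Write-Output 'REVIEW:'
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

A 5001 event on a machine where nobody in the organisation turned protection off is the signal to pull the host for a closer look; because the campaign is fileless, the follow-up is a memory capture and a review of recent script and process activity rather than a disk scan.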
These reports come just months after the National Security Agency urged users to patch their Windows machines against BlueKeep (CVE-2019-0708), a critical Remote Desktop Services vulnerability that Microsoft fixed back in May.