Samples of a new malware family called “Divergent” are using both NodeJS and WinDivert in a series of fileless attack campaigns.

Cisco Talos didn’t identify the exact delivery method for Divergent. Even so, its researchers observed that the samples they analyzed staged and stored configuration date on the registry like other fileless malware. They also noted that it used a key in the registry to achieve persistence.

It’s therefore not surprising that Divergent turned to the registry in order to create an HTML Application (HTA) loader. That resource’s purpose was to execute the malware each time the user logged on. It did this by adding an entry to the “HKLMSOFTWAREMicrosoftWindowsCurrentVersionRun” registry key.

Upon execution, the malware initiated five anti-analysis checks against unwanted processes and modules indicative of security solutions. They were especially on the lookout for Windows Defender, as they came with the ability to disable various processes associated with Defender and Windows Updates.

Once those checks finished, the malware proceeded with the rest of its infection chain in order to pull down its various components. One module enabled Divergent to block anti-virus software from receiving updates, while another allowed the malware to perpetrate click fraud using WinDivert and NodeJS. Cisco Talos explained how in its research:

Like the anti-virus blocking component, the click fraud component makes use of the WinDivert library and therefore installs the necessary WinDivert DLL and driver in the same manner as bav01.js, described above. Additionally, the NodeJS executable and a NodeJS Socket.IO client named app.js are part of the installation process for this component.

A diagram of Divergent’s click fraud scheme. (Source: Cisco Talos)

Cisco Talos observed that Divergent is likely under development, a testament to the ever-evolving threat landscape. This reality serves as a reminder to organizations to protect themselves (Read more...)