Microsoft has warned that thousands of Windows computers around the world have been affected by a new strain of malware that downloads and installs a copy of the widely used Node.js framework in order to turn infected systems into agents and carry out click fraud.
The malware, called Nodersok in the Microsoft report and "Divergent" in the Cisco Talos report, was discovered during the summer and was distributed through malicious ads that forced the download of HTA (HTML Application) files onto users' computers.
The malware has several components, each with its own role: a PowerShell module that attempts to disable Windows Defender and Windows Update, and a component that elevates the malware's permissions to system level.
According to reports from Microsoft and Cisco, the malware uses WinDivert and Node.js on infected hosts to turn them into agents to perform malicious activities.
Microsoft says the malware turns infected hosts into agents that can transmit malicious data, while Cisco says the malware uses infected hosts for click fraud.
Nodersok's operators can deploy other modules at any time to perform additional tasks, or even distribute secondary malware such as ransomware or banking Trojans.
To prevent infection, Microsoft advises users not to open HTA files on their systems, especially if they do not know the exact source of the files.
Microsoft has confirmed that Nodersok has infected thousands of devices in recent weeks. The company said most infections occurred this month, affecting users in the United States and the European Union.