{"id":89915,"date":"2019-09-26T10:34:41","date_gmt":"2019-09-26T17:34:41","guid":{"rendered":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\/?p=89915"},"modified":"2025-06-30T00:28:56","modified_gmt":"2025-06-30T07:28:56","slug":"bring-your-own-lolbin-multi-stage-fileless-nodersok-campaign-delivers-rare-node-js-based-malware","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/09\/26\/bring-your-own-lolbin-multi-stage-fileless-nodersok-campaign-delivers-rare-node-js-based-malware\/","title":{"rendered":"Bring your own LOLBin: Multi-stage, fileless Nodersok campaign delivers rare Node.js-based malware"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">We\u2019ve discussed the challenges that <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/security\/threat-protection\/intelligence\/fileless-threats\">fileless threats<\/a> pose in security, and how Microsoft Defender Advanced Threat Protection (<a href=\"https:\/\/www.microsoft.com\/en-us\/microsoft-365\/windows\/microsoft-defender-atp\">Microsoft Defender ATP<\/a>) employs <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/09\/27\/out-of-sight-but-not-invisible-defeating-fileless-malware-with-behavior-monitoring-amsi-and-next-gen-av\/\">advanced strategies<\/a> to defeat these sophisticated threats. Part of the slyness of fileless malware is its use of living-off-the-land techniques: the abuse of legitimate tools that already exist on machines, also called living-off-the-land binaries (<a href=\"https:\/\/github.com\/LOLBAS-Project\/LOLBAS\/blob\/master\/README.md\">LOLBins<\/a>), through which malware can persist, move laterally, or serve other purposes.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">But what happens when attackers require functionality beyond what\u2019s provided by standard LOLBins? 
A new malware campaign we dubbed Nodersok decided to bring its own LOLBins\u2014it delivered two very unusual, legitimate tools to infected machines:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\">Node.exe, the Windows implementation of the popular <a href=\"https:\/\/nodejs.org\/\">Node.js framework<\/a> used by countless web applications<\/li>\n\n\n\n<li class=\"wp-block-list-item\"><a href=\"https:\/\/reqrypt.org\/windivert.html\">WinDivert<\/a>, a powerful network packet capture and manipulation utility<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Like any LOLBin, these tools are not malicious or vulnerable; they provide important capabilities for legitimate use. It\u2019s not uncommon for attackers to download legitimate third-party tools onto infected machines (for example, <a href=\"https:\/\/attack.mitre.org\/software\/S0029\/\">PsExec<\/a> is often abused to run other tools or commands). However, Nodersok went through a long chain of fileless techniques to install a pair of very peculiar tools with one final objective: turn infected machines into zombie proxies.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">While the file aspect of the attack was very tricky to detect, its behavior produced a visible footprint that stands out clearly for anyone who knows where to look. With its array of advanced defensive technologies, Microsoft Defender ATP defeated the threat at numerous points of dynamic detection throughout the attack chain.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"attack-overview\">Attack overview<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">The Nodersok campaign has been pestering thousands of machines in the last several weeks, with most targets located in the United States and Europe. 
The majority of targets are consumers, but about 3% of encounters are observed in organizations in sectors like education, professional services, healthcare, finance, and retail.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img loading=\"lazy\" decoding=\"async\" width=\"400\" height=\"390\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\/wp-content\/uploads\/2019\/09\/Fig1aa-Nodersok-distribution-by-country.png\" alt=\"Distribution of Nodersok\u2019s enterprise targets by country and by sector\" class=\"wp-image-89944\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/09\/Fig1aa-Nodersok-distribution-by-country.png 400w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/09\/Fig1aa-Nodersok-distribution-by-country-300x293.png 300w\" sizes=\"auto, (max-width: 400px) 100vw, 400px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image\"><img loading=\"lazy\" decoding=\"async\" width=\"400\" height=\"390\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\/wp-content\/uploads\/2019\/09\/Fig1bb-Nodersok-distribution-by-sector.png\" alt=\"Distribution of Nodersok\u2019s enterprise targets by country and by sector\" class=\"wp-image-89945\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/09\/Fig1bb-Nodersok-distribution-by-sector.png 400w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/09\/Fig1bb-Nodersok-distribution-by-sector-300x293.png 300w\" sizes=\"auto, (max-width: 400px) 100vw, 400px\" \/><\/figure>\n\n\n\n<p class=\"has-text-align-center wp-block-paragraph\"><em>Figure 1. 
Distribution of Nodersok\u2019s enterprise targets by country and by sector<\/em><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The campaign is particularly interesting not only because it employs advanced fileless techniques, but also because it relies on an elusive network infrastructure that causes the attack to fly under the radar. We uncovered this campaign in mid-July, when suspicious patterns in the anomalous usage of MSHTA.exe emerged from Microsoft Defender ATP telemetry. In the days that followed, more anomalies stood out, showing up to a ten-fold increase in activity:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"300\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\/wp-content\/uploads\/2019\/09\/bFig2-Nodersok-activity.png\" alt=\"Trending of Nodersok activity from August to September, 2019\" class=\"wp-image-89947\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/09\/bFig2-Nodersok-activity.png 800w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/09\/bFig2-Nodersok-activity-300x113.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/09\/bFig2-Nodersok-activity-768x288.png 768w\" sizes=\"auto, (max-width: 800px) 100vw, 800px\" \/><\/figure>\n\n\n\n<p class=\"has-text-align-center wp-block-paragraph\"><em>Figure 2. 
Trending of Nodersok activity from August to September, 2019<\/em><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">After a process of tracking and analysis, we pieced together the infection chain:<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter\"><a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\/wp-content\/uploads\/2019\/09\/Fig3c-Nodersok-attack-chain.png\"><img loading=\"lazy\" decoding=\"async\" width=\"1174\" height=\"1117\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\/wp-content\/uploads\/2019\/09\/Fig3c-Nodersok-attack-chain.png\" alt=\"Nodersok attack chain\" class=\"wp-image-89937\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/09\/Fig3c-Nodersok-attack-chain.png 1174w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/09\/Fig3c-Nodersok-attack-chain-300x285.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/09\/Fig3c-Nodersok-attack-chain-768x731.png 768w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/09\/Fig3c-Nodersok-attack-chain-1024x974.png 1024w\" sizes=\"auto, (max-width: 1174px) 100vw, 1174px\" \/><\/a><\/figure>\n\n\n\n<p class=\"has-text-align-center wp-block-paragraph\"><em>Figure 3. Nodersok attack chain<\/em><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Like the <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/07\/08\/dismantling-a-fileless-campaign-microsoft-defender-atp-next-gen-protection-exposes-astaroth-attack\/\">Astaroth<\/a> campaign, every step of the infection chain only runs legitimate LOLBins, either from the machine itself (<em>mshta.exe<\/em>, <em>powershell.exe<\/em>) or downloaded third-party ones (<em>node.exe<\/em>, <em>Windivert.dll\/sys<\/em>). All of the relevant functionality resides in scripts and shellcode that almost always arrive encrypted, are then decrypted, and run only in memory. 
No malicious executable is ever written to the disk.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">This infection chain was consistently observed in several machines attacked by the latest variant of Nodersok. Other campaigns (possibly earlier versions) with variants of this malware (whose main JavaScript payload was named <em>05sall.js<\/em> or <em>04sall.js<\/em>) were observed installing malicious encoded PowerShell commands in the registry that would end up decoding and running the final binary executable payload.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"initial-access-complex-remote-infrastructure\">Initial access: Complex remote infrastructure<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">The attack begins when a user downloads and runs an HTML application (HTA) file named <em>Player1566444384.hta<\/em>. The digits in the file name differ in every attack. Analysis of Microsoft Defender ATP telemetry points to compromised advertisements as the most likely infection vector for delivering the HTA files. The mshta.exe tool (which runs when an HTA file runs) was launched with the -embedding command-line parameter, which typically indicates that the launch action was initiated by the browser.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Furthermore, immediately prior to the execution of the HTA file, the telemetry always shows network activity towards suspicious advertisement services (which may vary slightly across infections), and a consistent access to legitimate content delivery service Cloudfront. Cloudfront is not a malicious entity or service, and it was likely used by the attackers exactly for that reason: because it\u2019s not a malicious domain, it won\u2019t likely raise alarms. 
Examples of such domains observed in several campaigns are:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\"><em>d23cy16qyloios[.]cloudfront[.]net<\/em><\/li>\n\n\n\n<li class=\"wp-block-list-item\"><em>d26klsbste71cl[.]cloudfront[.]net<\/em><\/li>\n\n\n\n<li class=\"wp-block-list-item\"><em>d2d604b63pweib[.]cloudfront[.]net<\/em><\/li>\n\n\n\n<li class=\"wp-block-list-item\"><em>d3jo79y1m6np83[.]cloudfront[.]net<\/em><\/li>\n\n\n\n<li class=\"wp-block-list-item\"><em>d1fctvh5cp9yen[.]cloudfront[.]net<\/em><\/li>\n\n\n\n<li class=\"wp-block-list-item\"><em>d3cp2f6v8pu0j2[.]cloudfront[.]net<\/em><\/li>\n\n\n\n<li class=\"wp-block-list-item\"><em>dqsiu450ekr8q[.]cloudfront[.]net<\/em><\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">It\u2019s possible that these domains were abused to deliver the HTA files without alerting the browser. Another content delivery service abused later on in the attack chain is Cdn77. Some examples of observed URLs include:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\"><em>hxxps:\/\/1292172017[.]rsc[.]cdn77[.]org\/images\/trpl[.]png<\/em><\/li>\n\n\n\n<li class=\"wp-block-list-item\"><em>hxxps:\/\/1292172017[.]rsc[.]cdn77[.]org\/imtrack\/strkp[.]png<\/em><\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">This same strategy was also used by the <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/07\/08\/dismantling-a-fileless-campaign-microsoft-defender-atp-next-gen-protection-exposes-astaroth-attack\/\">Astaroth<\/a> campaign, where the malware authors hosted their malware on the legitimate storage.googleapis.com service.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"first-stage-javascript\">First-stage JavaScript<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">When the HTA file runs, it tries to reach out to a randomly named domain to download additional JavaScript code. 
The domains used in this first stage are short-lived: they are registered and brought online and, after a day or two (the span of a typical campaign), they are dropped and their related DNS entries are removed. This can make it more difficult to investigate and retrieve the components that were delivered to victims. Examples of domains observed include:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\"><em>Du0ohrealgeek[.]org<\/em> &#8211; active from August 12 to 14<\/li>\n\n\n\n<li class=\"wp-block-list-item\"><em>Hi5urautopapyrus[.]org<\/em> &#8211; active from April 21 to 22<\/li>\n\n\n\n<li class=\"wp-block-list-item\"><em>Ex9ohiamistanbul[.]net<\/em> &#8211; active from August 1 to 2<\/li>\n\n\n\n<li class=\"wp-block-list-item\"><em>Eek6omyfilmbiznetwork[.]org<\/em> &#8211; active from July 23 to 24<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">This stage is just a downloader: it tries to retrieve either a JavaScript or an Extensible Stylesheet Language (XSL) file from the command-and-control (C&amp;C) domain. These files have semi-random names like <em>1566444384.js<\/em> and <em>1566444384.xsl<\/em>, where the digits are different in every download. After this file is downloaded and runs, it contacts the remote C&amp;C domain to download an RC4-encrypted file named <em>1566444384.mp4<\/em> and a decryption key from a file named <em>1566444384.flv<\/em>. 
When decrypted, the MP4 file is an additional JavaScript snippet that starts PowerShell:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img loading=\"lazy\" decoding=\"async\" width=\"584\" height=\"41\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\/wp-content\/uploads\/2019\/09\/Fig35-PowerShell.png\" alt=\"screenshot\" class=\"wp-image-89927\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/09\/Fig35-PowerShell.png 584w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/09\/Fig35-PowerShell-300x21.png 300w\" sizes=\"auto, (max-width: 584px) 100vw, 584px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Interestingly, it hides the malicious PowerShell script in an environment variable named \u201cdeadbeef\u201d (first line), then it launches PowerShell with an encoded command (second line) that simply runs the contents of the \u201cdeadbeef\u201d variable. This trick, which is used several times during the infection chain, is usually employed to hide the real malicious script so that it does not appear in the command-line of a PowerShell process.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"second-stage-powershell\">Second-stage PowerShell<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Nodersok\u2019s infection continues by launching several instances of PowerShell to download and run additional malicious modules. All the modules are hosted on the C&amp;C servers in RC4-encrypted form and are decrypted on the fly before they run on the device. 
The following steps are perpetrated by the various instances of PowerShell:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\">Download <em>module.avi<\/em>, a module that attempts to:\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\">Disable Windows Defender Antivirus<\/li>\n\n\n\n<li class=\"wp-block-list-item\">Disable Windows updates<\/li>\n\n\n\n<li class=\"wp-block-list-item\">Run binary shellcode that attempts elevation of privilege by using an <a href=\"https:\/\/attack.mitre.org\/techniques\/T1191\/\">auto-elevated COM interface<\/a><\/li>\n<\/ul>\n<\/li>\n\n\n\n<li class=\"wp-block-list-item\">Download additional modules <em>trpl.png<\/em> and <em>strkp.png<\/em> hosted on a Cdn77 service<\/li>\n\n\n\n<li class=\"wp-block-list-item\">Download the legitimate <em>node.exe<\/em> tool from the official <em>nodejs.org<\/em> website<\/li>\n\n\n\n<li class=\"wp-block-list-item\">Drop the WinDivert packet capture library components <em>WinDivert.dll<\/em>, <em>WinDivert32.sys<\/em>, and <em>WinDivert64.sys<\/em><\/li>\n\n\n\n<li class=\"wp-block-list-item\">Execute a shellcode that uses WinDivert to filter and modify certain outgoing packets<\/li>\n\n\n\n<li class=\"wp-block-list-item\">Finally, drop the JavaScript payload along with some Node.js modules and libraries required by it, and run it via node.exe<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">This last JavaScript is the actual final payload written for the Node.js framework that turns the device into a proxy. This concludes the infection, at the end of which the network packet filter is active and the machine is working as a potential proxy zombie. 
When a machine turns into a proxy, it can be used by attackers as a relay to access other network entities (websites, C&amp;C servers, compromised machines, etc.), which can allow them to perform stealthy malicious activities.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"node-js-based-proxy-engine\">Node.js-based proxy engine<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">This is not the first threat to abuse Node.js. Some cases have been observed in the past (for example <a href=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2016\/01\/ransom32-look-at-the-malicious-package\/\">this ransomware<\/a> from early 2016). However, using Node.js is a peculiar way to spread malware. Besides being clean and benign, <em>Node.exe<\/em> also has a valid digital signature, allowing a malicious JavaScript to operate within the context of a trusted process. The JavaScript payload itself is relatively simple: it only contains a set of basic functions that allows it to act as a proxy for a remote entity.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img loading=\"lazy\" decoding=\"async\" width=\"509\" height=\"799\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\/wp-content\/uploads\/2019\/09\/Fig4-Nodersok-proxy.png\" alt=\"A portion of the malicious Node.js-based proxy\" class=\"wp-image-89920\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/09\/Fig4-Nodersok-proxy.png 509w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/09\/Fig4-Nodersok-proxy-191x300.png 191w\" sizes=\"auto, (max-width: 509px) 100vw, 509px\" \/><\/figure>\n\n\n\n<p class=\"has-text-align-center wp-block-paragraph\"><em>Figure 4. A portion of the malicious Node.js-based proxy<\/em><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The code seems to be still in its infancy and in development, but it does work. 
It has two purposes:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li class=\"wp-block-list-item\">Connect back to the remote C&amp;C, and<\/li>\n\n\n\n<li class=\"wp-block-list-item\">Receive HTTP requests to proxy back to it<\/li>\n<\/ol>\n\n\n\n<p class=\"wp-block-paragraph\">It supports the <a href=\"https:\/\/en.wikipedia.org\/wiki\/SOCKS#SOCKS4a\">SOCKS4A protocol<\/a>. While we haven\u2019t observed network requests coming from attackers, we wrote what the Node.js-based C&amp;C server application may look like: a server that sends HTTP requests to the infected clients that connect back to it, and receives the responses from said clients. We slightly modified the malicious JavaScript to make it log meaningful messages, ran a JavaScript server, ran the JavaScript malware, and it proxied HTTP requests as expected:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img loading=\"lazy\" decoding=\"async\" width=\"2239\" height=\"716\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\/wp-content\/uploads\/2019\/09\/Fig5-Debug.png\" alt=\"The debug messages are numbered to make it easier to follow the execution flow\" class=\"wp-image-89921\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/09\/Fig5-Debug.png 2239w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/09\/Fig5-Debug-300x96.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/09\/Fig5-Debug-768x246.png 768w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/09\/Fig5-Debug-1024x327.png 1024w\" sizes=\"auto, (max-width: 2239px) 100vw, 2239px\" \/><\/figure>\n\n\n\n<p class=\"has-text-align-center wp-block-paragraph\"><em>Figure 5. The debug messages are numbered to make it easier to follow the execution flow<\/em><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The server starts, then the client starts and connects to it. 
In response, the server sends an HTTP request (using the SOCKS4A protocol) to the client. The request is a simple HTTP GET. The client proxies the HTTP request to the target website and returns the HTTP response (200 OK) and the HTML page back to the server. This test demonstrates that it\u2019s possible to use this malware as a proxy.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"05sall-js-a-variant-of-nodersok\"><em>05sall.js<\/em>: A variant of Nodersok<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">As mentioned earlier, there exist other variants of this malware. For example, we found one named <em>05sall.js<\/em> (possibly an earlier version). It\u2019s similar in structure to the one described above, but the payload was not developed in Node.js (rather it was an executable). Furthermore, beyond acting as a proxy, it can process additional commands such as update, terminate, or run shell commands.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img loading=\"lazy\" decoding=\"async\" width=\"1098\" height=\"1168\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\/wp-content\/uploads\/2019\/09\/Fig6-Nodersok-commands.png\" alt=\"The commands that can be processed by the 05sall.js variant.\" class=\"wp-image-89922\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/09\/Fig6-Nodersok-commands.png 1098w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/09\/Fig6-Nodersok-commands-282x300.png 282w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/09\/Fig6-Nodersok-commands-768x817.png 768w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/09\/Fig6-Nodersok-commands-963x1024.png 963w\" sizes=\"auto, (max-width: 1098px) 100vw, 1098px\" \/><\/figure>\n\n\n\n<p class=\"has-text-align-center wp-block-paragraph\"><em>Figure 6. 
The commands that can be processed by the 05sall.js variant.<\/em><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The malware can also process configuration data in JSON format. For example, this configuration was encoded and stored in the registry in an infected machine:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img loading=\"lazy\" decoding=\"async\" width=\"1347\" height=\"77\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\/wp-content\/uploads\/2019\/09\/Fig7-configuration-data.png\" alt=\"Configuration data exposing component and file names\" class=\"wp-image-89923\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/09\/Fig7-configuration-data.png 1347w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/09\/Fig7-configuration-data-300x17.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/09\/Fig7-configuration-data-768x44.png 768w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/09\/Fig7-configuration-data-1024x59.png 1024w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/09\/Fig7-configuration-data-1335x77.png 1335w\" sizes=\"auto, (max-width: 1347px) 100vw, 1347px\" \/><\/figure>\n\n\n\n<p class=\"has-text-align-center wp-block-paragraph\"><em>Figure 7. Configuration data exposing component and file names<\/em><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The configuration is an indication of the modular nature of the malware. It shows the names of two modules being used in this infection (named <em>block_av_01<\/em> and <em>all_socks_05<\/em>).<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"the-windivert-network-packet-filtering\">The WinDivert network packet filtering<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">At this point in the analysis, there is one last loose end: what about the WinDivert packet capture library? We recovered a shellcode from one of the campaigns. 
This shellcode is decoded and run only in memory from a PowerShell command. It installs the following network filter (in a language recognized by WinDivert):<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img loading=\"lazy\" decoding=\"async\" width=\"776\" height=\"52\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\/wp-content\/uploads\/2019\/09\/Fig75-network-filter.png\" alt=\"screenshot\" class=\"wp-image-89928\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/09\/Fig75-network-filter.png 776w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/09\/Fig75-network-filter-300x20.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/09\/Fig75-network-filter-768x51.png 768w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/09\/Fig75-network-filter-767x52.png 767w\" sizes=\"auto, (max-width: 776px) 100vw, 776px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">This means Nodersok is intercepting packets sent out to initiate a TCP connection. 
Once the filter is active, the shellcode is interested only in TCP packets that match the following specific format:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img loading=\"lazy\" decoding=\"async\" width=\"1288\" height=\"246\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\/wp-content\/uploads\/2019\/09\/Fig8-TCP-headers.png\" alt=\"Format of TCP packets that Nodersok is interested in\" class=\"wp-image-89924\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/09\/Fig8-TCP-headers.png 1288w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/09\/Fig8-TCP-headers-300x57.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/09\/Fig8-TCP-headers-768x147.png 768w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/09\/Fig8-TCP-headers-1024x196.png 1024w\" sizes=\"auto, (max-width: 1288px) 100vw, 1288px\" \/><\/figure>\n\n\n\n<p class=\"has-text-align-center wp-block-paragraph\"><em>Figure 8. Format of TCP packets that Nodersok is interested in<\/em><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The packet must have standard Ethernet, IP, and 20-byte TCP headers, plus an additional 20 bytes of TCP options. 
The options must appear exactly in the order shown in the image above:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\"><em>02 04 XX XX<\/em> \u2013 Maximum segment size<\/li>\n\n\n\n<li class=\"wp-block-list-item\"><em>01<\/em> \u2013 No operation<\/li>\n\n\n\n<li class=\"wp-block-list-item\"><em>03 03 XX<\/em> \u2013 Window scale<\/li>\n\n\n\n<li class=\"wp-block-list-item\"><em>04 02<\/em> \u2013 SACK permitted<\/li>\n\n\n\n<li class=\"wp-block-list-item\"><em>08 0A XX XX XX XX XX XX XX XX<\/em> \u2013 Timestamps<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">If packets matching this criterion are detected, Nodersok modifies them by moving the \u201cSACK Permitted\u201d option to the end of the packet (whose size is extended by four bytes), and replacing the original option bytes with two \u201cNo operation\u201d bytes.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter\"><img loading=\"lazy\" decoding=\"async\" width=\"1291\" height=\"251\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\/wp-content\/uploads\/2019\/09\/Fig9-Nodersok-TCP-headers.png\" alt=\"The format of TCP packets after Nodersok has altered it: the \u201cSACK permitted\u201d bytes (in red) have been moved to the end of the packet, and their original location has been replaced by \u201cNo operation\u201d (in yellow)\" class=\"wp-image-89925\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/09\/Fig9-Nodersok-TCP-headers.png 1291w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/09\/Fig9-Nodersok-TCP-headers-300x58.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/09\/Fig9-Nodersok-TCP-headers-768x149.png 768w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/09\/Fig9-Nodersok-TCP-headers-1024x199.png 1024w\" sizes=\"auto, (max-width: 1291px) 100vw, 1291px\" \/><\/figure>\n\n\n\n<p 
class=\"has-text-align-center wp-block-paragraph\"><em>Figure 9. The format of TCP packets after Nodersok has altered it: the \u201cSACK permitted\u201d bytes (in red) have been moved to the end of the packet, and their original location has been replaced by \u201cNo operation\u201d (in yellow)<\/em><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">It\u2019s possible that this modification benefits the attackers; for example, it may help evade some HIPS signatures.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"stopping-the-nodersok-campaign-with-microsoft-defender-atp\">Stopping the Nodersok campaign with Microsoft Defender ATP<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Both the distributed network infrastructure and the advanced fileless techniques allowed this campaign to fly under the radar for a while, highlighting how having the right defensive technologies is of utmost importance in order to detect and counter these attacks in a timely manner.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">If we exclude all the clean and legitimate files leveraged by the attack, all that remains are the initial HTA file, the final Node.js-based payload, and a bunch of encrypted files. Traditional file-based signatures are inadequate to counter sophisticated threats like this. 
We have known this for quite a while; that\u2019s why we have invested a good deal of resources into developing powerful dynamic detection engines and delivering a state-of-the-art defense-in-depth through Microsoft Defender ATP:<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter\"><a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\/wp-content\/uploads\/2019\/09\/Fig10c-Microsoft-Defender-ATP-defense-against-Nodersok.png\"><img loading=\"lazy\" decoding=\"async\" width=\"1168\" height=\"1117\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\/wp-content\/uploads\/2019\/09\/Fig10c-Microsoft-Defender-ATP-defense-against-Nodersok.png\" alt=\"Microsoft Defender ATP protections against Nodersok\" class=\"wp-image-89938\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/09\/Fig10c-Microsoft-Defender-ATP-defense-against-Nodersok.png 1168w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/09\/Fig10c-Microsoft-Defender-ATP-defense-against-Nodersok-300x287.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/09\/Fig10c-Microsoft-Defender-ATP-defense-against-Nodersok-768x734.png 768w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/09\/Fig10c-Microsoft-Defender-ATP-defense-against-Nodersok-1024x979.png 1024w\" sizes=\"auto, (max-width: 1168px) 100vw, 1168px\" \/><\/a><\/figure>\n\n\n\n<p class=\"has-text-align-center wp-block-paragraph\"><em>Figure 10. Microsoft Defender ATP protections against Nodersok<\/em><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Machine learning models in the Windows Defender Antivirus client generically detect suspicious obfuscation in the initial HTA file used in this attack. Beyond this immediate protection, behavioral detection and containment capabilities can spot anomalous and malicious behaviors, such as the execution of scripts and tools. 
When the behavior monitoring engine in the client detects one of the more than 500 attack techniques, information such as the process tree and behavior sequences is sent to the cloud, where behavior-based machine learning models classify files and identify potential threats.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Meanwhile, scripts that are decrypted and run directly in memory are exposed by Antimalware Scan Interface (<a href=\"https:\/\/cloudblogs.microsoft.com\/microsoftsecure\/2015\/06\/09\/windows-10-to-offer-application-developers-new-malware-defenses\/?source=mmpc\">AMSI<\/a>) instrumentation in scripting engines, while launching PowerShell with a command line that specifies encoded commands is defeated by command-line scanning. <a href=\"https:\/\/techcommunity.microsoft.com\/t5\/Microsoft-Defender-ATP\/Tamper-protection-in-Microsoft-Defender-ATP\/ba-p\/389571\">Tamper protection<\/a> in Microsoft Defender ATP protects against system modifications that attempt to disable Windows Defender Antivirus.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">These multiple layers of protection are part of the threat and malware prevention capabilities in Microsoft Defender ATP. The complete endpoint protection platform provides multiple capabilities that empower security teams to defend their organizations against attacks like Nodersok. <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/security\/threat-protection\/microsoft-defender-atp\/overview-attack-surface-reduction\">Attack surface reduction<\/a> closes off common attack surfaces. 
<a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/security\/threat-protection\/microsoft-defender-atp\/next-gen-threat-and-vuln-mgt\">Threat and vulnerability management<\/a>, <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/security\/threat-protection\/microsoft-defender-atp\/overview-endpoint-detection-response\">endpoint detection and response<\/a>, and <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/security\/threat-protection\/microsoft-defender-atp\/automated-investigations\">automated investigation and remediation<\/a> help organizations detect and respond to cyberattacks. <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/security\/threat-protection\/microsoft-defender-atp\/microsoft-threat-experts\">Microsoft Threat Experts<\/a>, Microsoft Defender ATP\u2019s managed detection and response service, further helps security teams by providing expert-level monitoring and analysis.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">With <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/technology\/threat-protection\">Microsoft Threat Protection<\/a>, these endpoint protection capabilities integrate with the rest of Microsoft security solutions to deliver comprehensive security for identities, endpoints, email and data, apps, and infrastructure.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong><em>Andrea Lelli<\/em><\/strong><br><em>Microsoft Defender ATP Research<\/em><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"talk-to-us\">Talk to us<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Questions, concerns, or insights on this story? 
Join discussions at the&nbsp;<a href=\"https:\/\/techcommunity.microsoft.com\/t5\/Microsoft-Defender-ATP\/bg-p\/MicrosoftDefenderATPBlog\">Microsoft Defender ATP community<\/a>.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Read all <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/microsoft-security-intelligence\/\">Microsoft security intelligence blog posts<\/a>.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Follow us on Twitter <a href=\"https:\/\/twitter.com\/MsftSecIntel\" target=\"_blank\" rel=\"noopener\"><strong>@MsftSecIntel<\/strong><\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A new fileless malware campaign we dubbed Nodersok delivers two very unusual LOLBins to turn infected machines into zombie proxies.<\/p>\n","protected":false},"author":68,"featured_media":89930,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"ms_queue_id":[],"ep_exclude_from_search":false,"_classifai_error":"","_classifai_text_to_speech_error":"","_alt_title":"","ms-ems-related-posts":[89592,89764,89667],"footnotes":""},"post_tag":[3898],"threat-intelligence":[3727,3739],"content-type":[3663],"job-role":[],"product":[],"topic":[3687],"coauthors":[1968],"class_list":["post-89915","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","tag-elevation-of-privilege","threat-intelligence-attacker-techniques-tools-and-infrastructure","threat-intelligence-vulnerabilities-and-exploits","content-type-research","topic-threat-intelligence","review-flag-1694638265-576","review-flag-1694638265-310","review-flag-1-1694638265-354","review-flag-2-1694638266-864","review-flag-3-1694638266-241","review-flag-4-1694638266-512","review-flag-5-1694638266-171","review-flag-6-1694638266-691","review-flag-7-1694638266-851","review-flag-8-1694638266-352","review-flag-9-1694638266-118","review-flag-alway-1694638263-571","review-flag-disable","review-flag-integ-1694638263-281","review-flag-machi-16946382
72-641","review-flag-new-1694638263-340"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.2 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Bring your own LOLBin: Multi-stage, fileless Nodersok campaign delivers rare Node.js-based malware | Microsoft Security Blog<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/09\/26\/bring-your-own-lolbin-multi-stage-fileless-nodersok-campaign-delivers-rare-node-js-based-malware\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Bring your own LOLBin: Multi-stage, fileless Nodersok campaign delivers rare Node.js-based malware | Microsoft Security Blog\" \/>\n<meta property=\"og:description\" content=\"A new fileless malware campaign we dubbed Nodersok delivers two very unusual LOLBins to turn infected machines into zombie proxies.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/09\/26\/bring-your-own-lolbin-multi-stage-fileless-nodersok-campaign-delivers-rare-node-js-based-malware\/\" \/>\n<meta property=\"og:site_name\" content=\"Microsoft Security Blog\" \/>\n<meta property=\"article:published_time\" content=\"2019-09-26T17:34:41+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-06-30T07:28:56+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/09\/Nodersok-social-2.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1358\" \/>\n\t<meta property=\"og:image:height\" content=\"711\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Microsoft Defender Security Research Team\" \/>\n<meta name=\"twitter:card\" 
content=\"summary_large_image\" \/>\n<meta name=\"twitter:image\" content=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/09\/Nodersok-social-2.png\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Microsoft Defender Security Research Team\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"14 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/09\/26\/bring-your-own-lolbin-multi-stage-fileless-nodersok-campaign-delivers-rare-node-js-based-malware\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/09\/26\/bring-your-own-lolbin-multi-stage-fileless-nodersok-campaign-delivers-rare-node-js-based-malware\/\"},\"author\":[{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/author\/windows-defender-research\/\",\"@type\":\"Person\",\"@name\":\"Microsoft Defender Security Research Team\"}],\"headline\":\"Bring your own LOLBin: Multi-stage, fileless Nodersok campaign delivers rare Node.js-based 
malware\",\"datePublished\":\"2019-09-26T17:34:41+00:00\",\"dateModified\":\"2025-06-30T07:28:56+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/09\/26\/bring-your-own-lolbin-multi-stage-fileless-nodersok-campaign-delivers-rare-node-js-based-malware\/\"},\"wordCount\":2478,\"publisher\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/09\/26\/bring-your-own-lolbin-multi-stage-fileless-nodersok-campaign-delivers-rare-node-js-based-malware\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/09\/Nodersok-blog.jpg\",\"keywords\":[\"Elevation of privilege\"],\"articleSection\":[\"AI and machine learning\",\"Cybersecurity\",\"Endpoint security\",\"Microsoft Defender Advanced Threat Protection\",\"Microsoft security intelligence\",\"Security Intelligence\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/09\/26\/bring-your-own-lolbin-multi-stage-fileless-nodersok-campaign-delivers-rare-node-js-based-malware\/\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/09\/26\/bring-your-own-lolbin-multi-stage-fileless-nodersok-campaign-delivers-rare-node-js-based-malware\/\",\"name\":\"Bring your own LOLBin: Multi-stage, fileless Nodersok campaign delivers rare Node.js-based malware | Microsoft Security 
Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/09\/26\/bring-your-own-lolbin-multi-stage-fileless-nodersok-campaign-delivers-rare-node-js-based-malware\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/09\/26\/bring-your-own-lolbin-multi-stage-fileless-nodersok-campaign-delivers-rare-node-js-based-malware\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/09\/Nodersok-blog.jpg\",\"datePublished\":\"2019-09-26T17:34:41+00:00\",\"dateModified\":\"2025-06-30T07:28:56+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/09\/26\/bring-your-own-lolbin-multi-stage-fileless-nodersok-campaign-delivers-rare-node-js-based-malware\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/09\/26\/bring-your-own-lolbin-multi-stage-fileless-nodersok-campaign-delivers-rare-node-js-based-malware\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/09\/26\/bring-your-own-lolbin-multi-stage-fileless-nodersok-campaign-delivers-rare-node-js-based-malware\/#primaryimage\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/09\/Nodersok-blog.jpg\",\"contentUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/09\/Nodersok-blog.jpg\",\"width\":8832,\"height\":5894},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/09\/26\/bring-your-own-lolbin-multi-stage-fileless-nodersok-campaign-delivers-rare-node-js-based-malware\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item
\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Bring your own LOLBin: Multi-stage, fileless Nodersok campaign delivers rare Node.js-based malware\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\",\"name\":\"Microsoft Security Blog\",\"description\":\"Expert coverage of cybersecurity topics\",\"publisher\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization\",\"name\":\"Microsoft Security Blog\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png\",\"contentUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png\",\"width\":512,\"height\":512,\"caption\":\"Microsoft Security Blog\"},\"image\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/person\/060b835777058efc81d6828a64820f98\",\"name\":\"Microsoft Security Threat Intelligence - 
Editor\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/secure.gravatar.com\/avatar\/52c6f8d687a54d49c87e04326b24f4ed410c7a6535e21df3cca90d21039c9089?s=96&d=microsoft&r=g52243f56b7f8688616d4ca12dc0148e2\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/52c6f8d687a54d49c87e04326b24f4ed410c7a6535e21df3cca90d21039c9089?s=96&d=microsoft&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/52c6f8d687a54d49c87e04326b24f4ed410c7a6535e21df3cca90d21039c9089?s=96&d=microsoft&r=g\",\"caption\":\"Microsoft Security Threat Intelligence - Editor\"},\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/author\/eravena\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Bring your own LOLBin: Multi-stage, fileless Nodersok campaign delivers rare Node.js-based malware | Microsoft Security Blog","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/09\/26\/bring-your-own-lolbin-multi-stage-fileless-nodersok-campaign-delivers-rare-node-js-based-malware\/","og_locale":"en_US","og_type":"article","og_title":"Bring your own LOLBin: Multi-stage, fileless Nodersok campaign delivers rare Node.js-based malware | Microsoft Security Blog","og_description":"A new fileless malware campaign we dubbed Nodersok delivers two very unusual LOLBins to turn infected machines into zombie proxies.","og_url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/09\/26\/bring-your-own-lolbin-multi-stage-fileless-nodersok-campaign-delivers-rare-node-js-based-malware\/","og_site_name":"Microsoft Security 
Blog","article_published_time":"2019-09-26T17:34:41+00:00","article_modified_time":"2025-06-30T07:28:56+00:00","og_image":[{"width":1358,"height":711,"url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/09\/Nodersok-social-2.png","type":"image\/png"}],"author":"Microsoft Defender Security Research Team","twitter_card":"summary_large_image","twitter_image":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/09\/Nodersok-social-2.png","twitter_misc":{"Written by":"Microsoft Defender Security Research Team","Est. reading time":"14 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/09\/26\/bring-your-own-lolbin-multi-stage-fileless-nodersok-campaign-delivers-rare-node-js-based-malware\/#article","isPartOf":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/09\/26\/bring-your-own-lolbin-multi-stage-fileless-nodersok-campaign-delivers-rare-node-js-based-malware\/"},"author":[{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/author\/windows-defender-research\/","@type":"Person","@name":"Microsoft Defender Security Research Team"}],"headline":"Bring your own LOLBin: Multi-stage, fileless Nodersok campaign delivers rare Node.js-based 
malware","datePublished":"2019-09-26T17:34:41+00:00","dateModified":"2025-06-30T07:28:56+00:00","mainEntityOfPage":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/09\/26\/bring-your-own-lolbin-multi-stage-fileless-nodersok-campaign-delivers-rare-node-js-based-malware\/"},"wordCount":2478,"publisher":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization"},"image":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/09\/26\/bring-your-own-lolbin-multi-stage-fileless-nodersok-campaign-delivers-rare-node-js-based-malware\/#primaryimage"},"thumbnailUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/09\/Nodersok-blog.jpg","keywords":["Elevation of privilege"],"articleSection":["AI and machine learning","Cybersecurity","Endpoint security","Microsoft Defender Advanced Threat Protection","Microsoft security intelligence","Security Intelligence"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/09\/26\/bring-your-own-lolbin-multi-stage-fileless-nodersok-campaign-delivers-rare-node-js-based-malware\/","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/09\/26\/bring-your-own-lolbin-multi-stage-fileless-nodersok-campaign-delivers-rare-node-js-based-malware\/","name":"Bring your own LOLBin: Multi-stage, fileless Nodersok campaign delivers rare Node.js-based malware | Microsoft Security 
Blog","isPartOf":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/09\/26\/bring-your-own-lolbin-multi-stage-fileless-nodersok-campaign-delivers-rare-node-js-based-malware\/#primaryimage"},"image":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/09\/26\/bring-your-own-lolbin-multi-stage-fileless-nodersok-campaign-delivers-rare-node-js-based-malware\/#primaryimage"},"thumbnailUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/09\/Nodersok-blog.jpg","datePublished":"2019-09-26T17:34:41+00:00","dateModified":"2025-06-30T07:28:56+00:00","breadcrumb":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/09\/26\/bring-your-own-lolbin-multi-stage-fileless-nodersok-campaign-delivers-rare-node-js-based-malware\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/09\/26\/bring-your-own-lolbin-multi-stage-fileless-nodersok-campaign-delivers-rare-node-js-based-malware\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/09\/26\/bring-your-own-lolbin-multi-stage-fileless-nodersok-campaign-delivers-rare-node-js-based-malware\/#primaryimage","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/09\/Nodersok-blog.jpg","contentUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/09\/Nodersok-blog.jpg","width":8832,"height":5894},{"@type":"BreadcrumbList","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/09\/26\/bring-your-own-lolbin-multi-stage-fileless-nodersok-campaign-delivers-rare-node-js-based-malware\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/"},{"@type":"ListItem","position":2,"name
":"Bring your own LOLBin: Multi-stage, fileless Nodersok campaign delivers rare Node.js-based malware"}]},{"@type":"WebSite","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/","name":"Microsoft Security Blog","description":"Expert coverage of cybersecurity topics","publisher":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization","name":"Microsoft Security Blog","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png","contentUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png","width":512,"height":512,"caption":"Microsoft Security Blog"},"image":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/person\/060b835777058efc81d6828a64820f98","name":"Microsoft Security Threat Intelligence - 
Editor","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/52c6f8d687a54d49c87e04326b24f4ed410c7a6535e21df3cca90d21039c9089?s=96&d=microsoft&r=g52243f56b7f8688616d4ca12dc0148e2","url":"https:\/\/secure.gravatar.com\/avatar\/52c6f8d687a54d49c87e04326b24f4ed410c7a6535e21df3cca90d21039c9089?s=96&d=microsoft&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/52c6f8d687a54d49c87e04326b24f4ed410c7a6535e21df3cca90d21039c9089?s=96&d=microsoft&r=g","caption":"Microsoft Security Threat Intelligence - Editor"},"url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/author\/eravena\/"}]}},"bloginabox_animated_featured_image":null,"bloginabox_display_generated_audio":false,"distributor_meta":false,"distributor_terms":false,"distributor_media":false,"distributor_original_site_name":"Microsoft Security Blog","distributor_original_site_url":"https:\/\/www.microsoft.com\/en-us\/security\/blog","push-errors":false,"_links":{"self":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/posts\/89915","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/users\/68"}],"replies":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/comments?post=89915"}],"version-history":[{"count":1,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/posts\/89915\/revisions"}],"predecessor-version":[{"id":140752,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/posts\/89915\/revisions\/140752"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/media\/89930"}],"wp:attachment":[{"href
":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/media?parent=89915"}],"wp:term":[{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/post_tag?post=89915"},{"taxonomy":"threat-intelligence","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/threat-intelligence?post=89915"},{"taxonomy":"content-type","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/content-type?post=89915"},{"taxonomy":"job-role","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/job-role?post=89915"},{"taxonomy":"product","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/product?post=89915"},{"taxonomy":"topic","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/topic?post=89915"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/coauthors?post=89915"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}