In 2019, a new strain of fileless malware was detected by the Microsoft Defender ATP team. The malware, called Nodersok by the Microsoft team and Divergent by Cisco, is capable of downloading and installing a copy of the Node.js framework and of co-opting infected computers as proxies that aid in perpetrating click fraud.
The Nodersok malware is distributed through malicious ads that, once clicked, force the download of an HTML Application (HTA) file onto the user’s computer, which starts a multi-stage infection chain involving MS Excel, PowerShell scripts, and JavaScript. The PowerShell scripts eventually download the Nodersok malware itself.
What Does the Nodersok Malware Do?
The Nodersok malware is made up of several components, each of which has a role to play in the infection process. The first component is the PowerShell module, which performs the crucial role of disabling anti-malware protections, including Windows Defender and Windows Update. The second component elevates the malware’s privileges to SYSTEM level, giving Nodersok free rein on the victim’s computer.
The other two components are Node.js and Windows Packet Divert (WinDivert). These apps are found on most Windows PCs and are not malicious in themselves, but the Nodersok malware uses them to capture and interact with network packets and to run JavaScript as a web server would.
Using these techniques, the malware turns infected computers into zombies that act as proxies: relay servers that give cybercriminals an unprecedented level of access to and control over the infected machines.
How Do I Know That I Have the Nodersok Virus?
Detecting the Nodersok malware is no walk in the park, given how stealthy the virus can be, but there are symptoms you can look out for: reduced performance, unresponsiveness, and an unexplained spike in network activity. You can also monitor the processes running on your PC. If a process looks suspicious and is consuming too much computing power, right-click it and choose Open file location to see where its executable lives.
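A PowerShell triage script, added here as an example and not part of the article, that puts the advice above into practice: it lists Node.js, HTA and script-host processes with their executable paths, checks for a WinDivert driver, and shows whether Defender and Windows Update are still enabled. The process names and folders it looks at are assumptions drawn from the components the article describes, not confirmed Nodersok indicators.

```powershell
# Constructed triage script (not from the article). Assumptions: run in an
# elevated PowerShell session on Windows 10/11; the process names below are
# the generic components the article names (Node.js, HTA, PowerShell, script
# hosts), not confirmed Nodersok indicators.
$suspectNames = @('node', 'mshta', 'powershell', 'pwsh', 'wscript', 'cscript')

# 1. Running processes with executable path, command line and a flag for
#    binaries launched from user-writable folders (%TEMP%, %APPDATA%,
#    Downloads). A node.exe under Program Files on a developer's machine is
#    normal; one running out of %TEMP% deserves a closer look.
$userWritable = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, "$env:USERPROFILE\Downloads")
Get-CimInstance Win32_Process |
    Where-Object { $suspectNames -contains [IO.Path]::GetFileNameWithoutExtension($_.Name) } |
    ForEach-Object {
        $path = $_.ExecutablePath
        $fromUserDir = $false
        foreach ($d in $userWritable) {
            if ($path -and $path.StartsWith($d, 'OrdinalIgnoreCase')) { $fromUserDir = $true }
        }
        [pscustomobject]@{
            PID         = $_.ProcessId
            Name        = $_.Name
            Path        = $path
            CommandLine = $_.CommandLine
            FromUserDir = $fromUserDir
        }
    } | Sort-Object FromUserDir -Descending | Format-Table -AutoSize -Wrap

# 2. Kernel drivers: WinDivert installs a driver service. Finding one on a
#    machine that never had a packet-capture tool installed is notable.
Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.Name -like '*WinDivert*' -or $_.PathName -like '*WinDivert*' } |
    Select-Object Name, State, StartMode, PathName

# 3. Protections the article says the malware disables: Defender real-time
#    protection and the Windows Update / Defender services.
Get-MpComputerStatus | Select-Object AntivirusEnabled, RealTimeProtectionEnabled
Get-Service wuauserv, WinDefend | Select-Object Name, Status, StartType
```

A legitimate developer's Node.js install will show up in the first table too; the path and command line, not the name alone, are what to judge.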
How to Remove Nodersok Malware
Removing the Nodersok malware is easy, as the Microsoft team has already identified it as a threat and has taken measures to patch the exploits the malware relies on to achieve its nefarious goals. Microsoft has also informed all its security partners (antivirus software vendors) of the new kid on the block. Thus, all you need to do to get rid of the Nodersok malware is to deploy a powerful anti-malware tool such as Outbyte Antivirus. You also need to download the latest Windows updates.
While the Windows updates will prevent future infections, they cannot remove an active one, which is why you need to both update your device and scan it.
When using the anti-malware, it is best to run your Windows device in Safe Mode, a bare-bones version of Windows that loads only the default settings and apps. In other words, Safe Mode keeps every app other than the built-in Windows apps from starting, making it far easier to troubleshoot any performance issues. Here are the steps to get to Safe Mode on a Windows 10/11 computer:
- Press the Windows Start button and navigate to Settings > Update & Security > Recovery.
- Under Advanced startup, select Restart now.
- From the Choose an Option screen that appears after your computer restarts, select Troubleshoot > Advanced options > Startup Settings > Restart.
- After your computer restarts, press F5 to select Safe Mode with Networking.
Now that you are in Safe Mode with Networking, you can use the internet to download the anti-malware.
Another utility that will help you get rid of the Nodersok malware is a PC repair tool. It makes it easier to monitor network activity on your PC; if that activity spikes for no apparent reason, you have cause to suspect that something is up.
Even after scanning and cleaning your computer, you still need to use other recovery tools to make sure that the threat posed by the Nodersok malware has been dealt with completely.
System Restore
Do you have a restore point on your computer? If so, you should use it to undo any problematic changes to your Windows apps, settings, system files, and configuration.
To use the System Restore option, take the following steps:
- In the search box, type ‘create a restore point’.
- Select the first result from this search.
- On the System Properties app, go to the System Protection tab, and click System Restore.
- Choose a restore point.
- Follow the on-screen directions to complete the process.
At some point during the system restore process, you will be presented with a list of the apps, settings, and updates that will no longer be available once the restore is complete. Make sure that the HTA file that was used to start the Nodersok infection is on that list.
The other recovery option that you might want to consider using is the Refresh option. It lets you reinstall Windows with the option of keeping your files and settings.
How to refresh a Windows 10/11 computer:
- Press the Windows Start button and navigate to Settings > Change PC settings.
- Click Update and Recovery, and then select Recovery.
- Under Refresh your PC without affecting your files, select Get started.
- Follow the on-screen directions to complete the process.
How to Keep Your Computer Safe from Nodersok Malware
At its peak, the Nodersok malware was able to infect millions of devices in the US and Europe. Its primary means of infiltration is malicious ads. So, if you avoid them by not visiting insecure sites and not downloading email attachments from unfamiliar sources, you will be fine.
You also need to arm yourself with an anti-malware tool, because even though the Nodersok malware is easy to remove, there are many other malware threats out there and you never know when they might infect your PC.
If you have any questions, suggestions or comments about Nodersok malware, feel free to post them in the comment section below.