Divergent achieves its malicious goals by abusing existing programs, such as those already present in Windows or downloaded from third parties.
Talos added that the use of NodeJS is not something commonly seen across malware families, which makes Divergent an interesting development.
However, it shares many similarities with other popular fileless malware families, including Kovter.
How it works
“When first delivered and executed on a victim’s machine, the malware is in the portable executable (PE) format. Its first task, however, is to install itself to the system in a less suspicious form, namely as an HTML Application (HTA) that will load the malware from the registry,” said Talos.
Once installed, a series of events occurs:
- These tools include the ability to disable Windows Defender, attain more control of the PC, and create a proxy.
Talos believes that the malware was designed for typical cybercrime rather than for government-sanctioned attacks.
It added that Divergent was probably designed to be used predominantly for click fraud, using the computers of everyday European and US consumers to increase ad revenue.