Cisco Talos: a new fileless malware used by cybercriminals, dubbed Divergent, is in the wild. It makes use of NodeJS and WinDivert.
According to the security researchers, it uses the system registry to evade anti-virus scanning, a registry key to maintain persistence and PowerShell to install itself.
Moreover, according to the researchers, the malware loader is currently under active development: Talos has observed multiple versions of it being used to install Divergent. The cybercriminals attempt to monetize these infections through click fraud. The malware relies heavily on the registry for staging and for storing its configuration data, which lets it avoid traditional on-access endpoint scanning of files on disk. It also uses a registry key to maintain persistence, and uses PowerShell to install itself on the infected host.

When first delivered and executed on a victim's machine, the malware is in the portable executable (PE) format. Its first task, however, is to install itself on the system in a less suspicious form, namely as an HTML Application (HTA) that loads the malware from the registry.
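As an added example, not code from the Talos report or from this article: a PowerShell hunt for the two traits described above on a Windows host, autorun entries that launch an HTA loader and registry values large enough to hold a staged payload. The article does not name the keys Divergent uses, so the autorun locations and the 32 KB size threshold below are assumptions chosen for this example.

```powershell
# Added example (not from the Talos report). Hunts for the two registry traits
# described in the article: (1) autorun entries that invoke mshta.exe or an
# .hta file, (2) unusually large registry values that could hold a staged
# payload or configuration. The exact keys Divergent uses are not given in the
# article, so the common autorun keys below are an assumption for this example.

$autorunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# (1) Autorun values whose command line invokes mshta.exe or an .hta file.
foreach ($key in $autorunKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
        if ($p.Value -match 'mshta(\.exe)?|\.hta\b') {
            [pscustomobject]@{ Finding = 'HTA autorun'; Key = $key; Name = $p.Name; Command = $p.Value }
        }
    }
}

# (2) Registry values large enough to plausibly hold a staged script or executable.
# 32 KB is an arbitrary threshold chosen for this example; tune it for your estate.
$threshold = 32KB
foreach ($hive in 'HKCU:\Software', 'HKLM:\Software') {
    Get-ChildItem -Path $hive -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $item = $_                               # Microsoft.Win32.RegistryKey
        foreach ($name in $item.GetValueNames()) {
            $val = $item.GetValue($name)
            $size = 0
            if ($val -is [byte[]])       { $size = $val.Length }
            elseif ($val -is [string])   { $size = $val.Length }
            elseif ($val -is [string[]]) { $size = ($val -join '').Length }
            if ($size -ge $threshold) {
                [pscustomobject]@{ Finding = 'Large value'; Key = $item.Name; Name = $name; Bytes = $size }
            }
        }
    }
}
```

The recursive walk of HKLM:\Software can take several minutes and will skip keys the current account cannot read; run it elevated for full coverage and review the findings manually, since large values and HTA-based autoruns also occur in legitimate software.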