
Cybercrime: here comes Divergent, a new fileless malware

Cisco Talos: a new fileless malware, dubbed Divergent, is in the wild. It abuses NodeJS and WinDivert

A new fileless malware, dubbed Divergent, is in the wild. Cybercriminals are using it to hit targets in the United States and, more recently, in Europe. It was uncovered by Cisco Talos security researchers. The threat uses NodeJS, a runtime that executes JavaScript outside of a web browser, together with the legitimate open-source utility WinDivert, to implement some of its functionality. The use of NodeJS is not commonly seen across malware families. The campaigns associated with Divergent rely on persistence techniques most often associated with "fileless" malware, leaving few artifacts on disk for researchers to examine. The malware can be leveraged by an attacker against corporate networks and appears to be designed primarily to conduct click fraud. It also shares several characteristics with other click-fraud malware, such as Kovter.

The security researchers: it stages itself in the registry to evade anti-virus file scanning, keeps a registry key for persistence and uses PowerShell to install

According to the researchers, the malware loader is under active development; Talos has observed multiple versions of it being used to install Divergent. The operators attempt to monetize infections through click fraud. The malware relies heavily on the registry for staging and for storing configuration data, which avoids the traditional on-access endpoint scanning of files on disk. It also uses a registry key to maintain persistence, and uses PowerShell to install itself on the infected host. When first delivered and executed on a victim's machine, the malware arrives in the portable executable (PE) format. Its first task, however, is to install itself on the system in a less suspicious form, namely as an HTML Application (HTA) that loads the malware from the registry.
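The staging pattern described above (payload held in the registry, an HTA launched at logon, PowerShell used to install) is what a responder would hunt for on a suspect host. The following Python script is an added example, not code from the Cisco Talos report or from the malware itself. It parses a constructed .reg export and applies two heuristics: flag Run/RunOnce values that invoke mshta.exe, an .hta file or encoded PowerShell, and flag oversized registry values (2048 bytes or more, an assumed threshold, not a published indicator) that could hold a staged payload. The key path HKCU\Software\Contoso\Cache, the value names and the blob contents are constructed for the example; the CurrentVersion\Run key is a standard Windows autorun location.

```python
"""Heuristic hunt over a Windows .reg export for the staging pattern described
above: an autorun entry that launches an HTA (mshta.exe) or encoded PowerShell,
and oversized registry values that could hold a payload staged in the registry.
Thresholds, key paths and the sample export are constructed for this example."""
import re
from typing import Dict, List, Optional

LARGE_VALUE_BYTES = 2048  # assumed threshold, not a published indicator
AUTORUN_KEY_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce)$", re.IGNORECASE)
HTA_RE = re.compile(r"mshta(\.exe)?\b|\.hta\b", re.IGNORECASE)
ENC_PS_RE = re.compile(r"powershell.*\s-(e|ec|enc|encodedcommand)\s", re.IGNORECASE)

Entry = Dict[str, object]


def parse_reg_export(text: str) -> List[Entry]:
    """Parse a .reg export into {key, name, kind, data} entries.
    regedit wraps long hex values with a trailing backslash, so join those first."""
    logical: List[str] = []
    buf = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1].strip()
            continue
        logical.append(buf + line.strip())
        buf = ""
    entries: List[Entry] = []
    key: Optional[str] = None
    for line in logical:
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = re.match(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$', line)  # "name"=data or @=data
        if key is None or not m:
            continue
        name = m.group(1) if m.group(1) is not None else "(Default)"
        rhs = m.group(2)
        if len(rhs) >= 2 and rhs.startswith('"') and rhs.endswith('"'):
            # REG_SZ: undo .reg escaping (\\ -> \ and \" -> ")
            data = re.sub(r"\\(.)", r"\1", rhs[1:-1])
            entries.append({"key": key, "name": name, "kind": "string", "data": data})
        elif rhs.lower().startswith("hex"):
            # REG_BINARY, and typed variants such as hex(2):, kept here as raw bytes
            hexpart = rhs.split(":", 1)[1]
            data = bytes(int(h, 16) for h in hexpart.split(",") if h)
            entries.append({"key": key, "name": name, "kind": "binary", "data": data})
        elif rhs.lower().startswith("dword:"):
            entries.append({"key": key, "name": name, "kind": "dword", "data": int(rhs[6:], 16)})
    return entries


def hunt(entries: List[Entry]) -> List[Dict[str, str]]:
    """Apply the heuristics and return one finding per suspicious value."""
    findings: List[Dict[str, str]] = []

    def flag(e: Entry, rule: str, detail: str) -> None:
        findings.append({"key": str(e["key"]), "name": str(e["name"]), "rule": rule, "detail": detail})

    for e in entries:
        kind, data = e["kind"], e["data"]
        if kind == "string" and AUTORUN_KEY_RE.search(str(e["key"])):
            if HTA_RE.search(data):
                flag(e, "autorun_hta", f"autorun launches an HTA: {data}")
            elif ENC_PS_RE.search(data):
                flag(e, "autorun_encoded_powershell", f"autorun runs encoded PowerShell: {data}")
        if kind == "binary" and len(data) >= LARGE_VALUE_BYTES:
            detail = f"{len(data)} bytes of binary data"
            if data[:2] == b"MZ":
                detail += "; begins with the PE 'MZ' header"
            flag(e, "large_binary_value", detail)
        elif kind == "string" and len(data) >= LARGE_VALUE_BYTES:
            flag(e, "large_string_value", f"{len(data)} characters, possibly an encoded payload")
    return findings


def _reg_hex(data: bytes) -> str:
    """Format bytes the way regedit exports REG_BINARY: 'hex:' then comma-separated
    bytes, wrapped onto continuation lines that end in a backslash."""
    out, cur = [], "hex:"
    for b in data:
        cur += f"{b:02x},"
        if len(cur) >= 76:
            out.append(cur + "\\")
            cur = "  "
    out.append(cur.rstrip(","))
    return "\n".join(out)


# Constructed payload and export: an 'MZ'-prefixed blob standing in for a PE staged in the registry.
STAGED_PAYLOAD = b"MZ" + bytes(range(256)) * 16  # 4098 bytes, constructed
SAMPLE_REG = "\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    r"[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]",
    r'"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"',
    r'"Updater"="mshta.exe \"C:\\Users\\alice\\AppData\\Roaming\\xyz\\update.hta\""',
    r'"Sync"="powershell.exe -nop -w hidden -enc SQBFAFgA"',
    "",
    r"[HKEY_CURRENT_USER\Software\Contoso\Cache]",  # hypothetical staging key
    r'"State"="ok"',
    '"Blob"=' + _reg_hex(STAGED_PAYLOAD),
    "",
])


def findings_for_sample() -> List[Dict[str, str]]:
    return hunt(parse_reg_export(SAMPLE_REG))


if __name__ == "__main__":
    for f in findings_for_sample():
        print(f"[{f['rule']}] {f['key']}\\{f['name']}: {f['detail']}")
```

To run this against a real host, export the hives of interest with `reg export` or regedit and pass the decoded text to `parse_reg_export` (Version 5.00 exports are written as UTF-16LE, so decode before parsing). The size heuristic will also flag benign large values such as cached icons or settings blobs, so treat a hit as a lead to inspect, not a verdict; the autorun heuristic is the stronger signal and the two together describe the pattern the researchers attribute to this family.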
