Divergent “fileless” NodeJS malware used for click-fraud

Attackers are using a “fileless” malware dubbed Divergent to generate revenue via click-fraud. Divergent further uses NodeJS and a WinDivert utlility to facilitate the malware attack.

Cisco Talos researchers discovered the new malware while analyzing data from another malware loader used to deliver and infect systems with the Divergent malware.

Talos noted the threat uses NodeJS, a JavaScript runtime environment and program used to execute JavaScript outside of a web browser.

“The use of NodeJS is not something commonly seen across malware families,” Talos warned in the blog post.

Divergent also uses an open-source utility WinDivert, used to sniff network packets on Windows systems and allows user-mode apps to capture, modify or drop network packets.

The Talos researchers also found attackers use Divergent to generate revenue via click-fraud and also uses persistence techniques, commonly used by fileless malware. For instance, the malware does not leave behind many artifacts or files that can be analyzed after the attack.

The researchers also found Divergent to be similar to Kovter, another malware used for click-fraud.

As noted in the report, Talos said there are two main components of the threat. In the first part, the malware receives and executes commands from a command-and-control (C2) system. The other part is the malware executes external component scripts. In each case, the configuration is stored in the registry in JSON format.

Read more about the threat in the Talos report, to include technical analysis details on the malware loader and components.