The malware itself is listed as Divergent. On the users’ computers, the malicious code came through corresponding scripts, which were either integrated into websites via advertising networks or insecure backends. The code itself will then nest in the main memory and avoid writing files to the hard disk or SSD – because this would mean that existing virus scanners would quickly become aware of the unexpected activities. Instead, the malicious code gets out of RAM and loads various components from here as well.

These include, among others, the Node.js framework, which makes it possible to get javascript scripts running outside of the browser. The malware also relies on WinDivert, an open source tool for intercepting and modifying data packets in networks. Reloaded components then ensure, among other things, that active virus scanners are switched off as far as possible, before eventually writing something into the file system.

Always up to date

The malware modules on the computer then ensure that the computer can serve as a proxy system for various tasks, which then bring the operators money. Among other things, they perform click fraud. However, other activities may already have taken place – after all, traces of malware can be traced back to last February.

Accordingly, it is not a big disadvantage for the operator that the malicious code after switching off the computer is no longer available – because it ensures that basically only current variants are used, which always do the tasks currently pending and not one Pursue employment that has long since stopped contributing. The analysis by the security experts now makes it possible to insert suitable signatures into the AV databases – but it should soon come to the distribution of new versions that are no longer recognized directly.

Via | Divergent