But the worst part is that Nodersok contains two components that are legitimate apps: WinDivert and Node.js. WinDivert is very popular among network engineers for capturing and interacting with network packets. Node.js is a well-known developer tool for running JavaScript on web servers. These two legitimate apps are used to start a SOCKS proxy on infected hosts.

According to the researchers, these proxies perform click fraud and deploy malicious traffic on infected hosts. Nodersok's creators could also, at any point, deploy other modules to perform additional tasks, or even deploy secondary malware payloads like ransomware or banking Trojans.

Microsoft and Cisco warn users not to run unknown HTA files they find on their computers. While Windows Defender should be able to identify and block Nodersok, the malware is a bit slippery because it leverages legitimate infrastructure, according to Microsoft. This malware uses legitimate apps, which makes it harder for classic signature-based antivirus programs to detect.
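Because each component is legitimate on its own, a defender has to look at the combination rather than at any single file. The following is an added example, not code from Microsoft, Cisco or the original article: a small triage routine that correlates HTA execution, Node.js running outside its install directory and a WinDivert load on the same host. The event schema, host names and paths are constructed for illustration.

```python
import ntpath
from collections import defaultdict

# Assumption: default Node.js install directories; adjust for your estate.
EXPECTED_NODE_DIRS = (r"c:\program files\nodejs", r"c:\program files (x86)\nodejs")

def signals(event):
    """Return the behavioural signals a single endpoint event contributes."""
    image = event.get("image", "").lower()
    name = ntpath.basename(image)
    found = set()
    if name == "mshta.exe" and ".hta" in event.get("cmdline", "").lower():
        found.add("hta_executed")
    if name == "node.exe" and ntpath.dirname(image) not in EXPECTED_NODE_DIRS:
        found.add("node_outside_install_dir")
    # WinDivert ships a WinDivert.dll and a WinDivert*.sys kernel driver.
    loaded = ntpath.basename(event.get("loaded", "").lower())
    if loaded.startswith("windivert") and loaded.endswith((".dll", ".sys")):
        found.add("windivert_loaded")
    return found

def triage(events):
    """Correlate signals per host; no single legitimate tool raises an alert."""
    per_host = defaultdict(set)
    for ev in events:
        per_host[ev["host"]] |= signals(ev)
    verdicts = {}
    for host, seen in per_host.items():
        combo = {"node_outside_install_dir", "windivert_loaded"} <= seen
        if combo and "hta_executed" in seen:
            verdicts[host] = "high"
        elif combo:
            verdicts[host] = "medium"
        else:
            verdicts[host] = "none"
    return verdicts

# Constructed sample events (hypothetical schema, hosts and paths).
SAMPLE_EVENTS = [
    {"host": "HOST-A", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe C:\Users\u\Downloads\sample.hta"},
    {"host": "HOST-A", "image": r"C:\Users\u\AppData\Roaming\example\node.exe",
     "loaded": r"C:\Users\u\AppData\Roaming\example\WinDivert.dll"},
    {"host": "HOST-B", "image": r"C:\Program Files\nodejs\node.exe"},
    {"host": "HOST-C", "image": r"C:\Tools\capture\capture.exe",
     "loaded": r"C:\Tools\capture\WinDivert64.sys"},
]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```

The developer workstation (HOST-B) and the network engineer's machine (HOST-C) stay quiet, while the host showing all three behaviours together is rated high.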