A group of hackers dubbed CodeFork have launched a campaign that features advanced file-less evasion and persistence techniques, as well as a new module that mines Monero cryptocurrency.
According to the Radware Malware Research Team, the group leverages these infections to sell services such as spreading spam, worms and downloaders (and possibly information stealers). A hallmark is that they’re difficult to trace.
“CodeFork is a cautious group that invests in stealth, usually sneaking under the radar of traditional defense systems such as sandboxing, mail attachment scanners, IDS/IPS, secure web gateways and various endpoint protection solutions,” Radware said, in an analysis. “They take advantage of Window OS executables for the installation process, leaving no tracks on the disk.”
In the current campaign, ultimately, the payload is a customized version of the Gamarue malware. Gamarue is a modular baddie that, in its basic setup, is simply a downloader. However, in the latest campaign it’s been seen fetching other pieces of code to carry out various functions. These include a USB infector module for lateral infection; a spamming function; and a new behavior, which is the Monero mining.
Despite all of this, being file-less means, necessarily, that no suspicious files are stored on the disk, which allows the attackers to remain on the infected machine longer, undetectable.
Further, the campaign also uses a domain generation algorithm (DGA) to generate a new domain each week.
“This tactic makes more difficult for security solutions such as next-generation firewalls (NGFWs) and secure web gateways to detect and block the outbound communication to the C&C server,” Radware noted. “After the domain is generated, an HTTPS GET request is sent to download a malicious file, masquerading as Googlebot crawler. Note that this is probably a backup—or an upgrade—mechanism, as it tries to access unregistered domains, or alternatively, when the malicious file was not present on the C&C servers.”
Using Gamarue offers Codefork a point of differentiation, Radware said.
“Because of the number of installations, combined with the versatility of the malware, CodeFork can easily drive monetization, selling to other actors who can deploy complementary malicious modules of their own,” Radware said. “The CodeFork group will certainly continue to try to distribute its tools, finding new ways to bypass current protections. Such groups continuously create new malwares and mutations to bypass security controls.”
Have you registered for Infosecurity North America taking place in Boston, 04-05 October 2017? For the full agenda, speaker list and more information, please visit https://www.infosecurity-magazine.com/conferences/infosecurity-north-america/