A group of hackers dubbed ‘CodeFork’ by security researchers has recently launched a new campaign, reportedly spreading fileless malware and a strain of cryptocurrency miner that hijacks victims’ computers to produce Monero, a form of digital money.
According to experts from Radware, a cybersecurity firm, the group has been active since at least 2015 and is known to take full advantage of its computer infections by later selling malicious services such as spreading email spam, worms or software downloaders.
A blog post, published 5 September, claimed that a new spate of infections was hitting machines running the Windows operating system (OS) via booby-trapped email attachments.
The criminals’ server initially downloaded a type of malware known as “Gamarue”, which then dropped a modified version of “xmrig.exe” – the miner.
“This executable heavily consumes the machine’s CPU to mine digital currency on the machine, earning attackers cash,” the experts said.
Like its popular rivals bitcoin and ethereum, Monero is generated with computing power and is a decentralised form of “untraceable” money.
The malware has recently been updated to travel using “fileless” techniques, experts revealed.
Radware’s researchers claimed that because no suspicious files are stored on a disk drive, this helps attackers stay on an infected machine for longer and evade anti-virus tools.
Fileless attacks have reportedly spiked in the past 12 months.
In such an attack, malware is not dropped onto the computer hard drive, but instead the code sits in the machine’s internal memory and then exploits already-installed applications.
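The two traits described above, a miner that saturates the CPU and code that runs from memory rather than from a file on disk, are both things a defender can look for in endpoint telemetry. The script below is an added illustration and is not code from the article or from Radware: it runs a few defensive heuristics over a constructed process snapshot (the records, the 80% CPU threshold and the allowlist are all assumptions a defender would tune to their own environment) and reports which processes deserve a closer look.

```python
"""Heuristic triage of a process snapshot for miner and fileless indicators.

Added example, not code from the original article or from Radware.
The snapshot records are constructed for illustration; thresholds and
allowlists are assumptions to be tuned per environment.
"""
from statistics import median

# The miner image name the article mentions.
KNOWN_MINER_NAMES = {"xmrig.exe"}

# Assumed threshold: median CPU use above this fraction over the sampling
# window counts as sustained, unless the process is on the allowlist.
HIGH_CPU_THRESHOLD = 0.80
ALLOWLISTED_HIGH_CPU = {"ffmpeg.exe", "msmpeng.exe"}  # assumed, site-specific

# Script hosts that are commonly abused by booby-trapped attachments, and the
# office applications that should rarely spawn them (assumed lists).
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cmd.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}


def triage_process(proc):
    """Return the list of indicator strings that apply to one process record.

    A record is a dict with keys:
      pid, name, parent (name of the parent process),
      cpu_samples (list of 0..1 fractions sampled over a few minutes),
      unbacked_exec_memory (bool: executable memory regions not backed by
      any file on disk, the hallmark of in-memory, fileless code).
    """
    reasons = []
    name = proc["name"].lower()
    parent = proc["parent"].lower()

    if name in KNOWN_MINER_NAMES:
        reasons.append("known-miner-name")

    # Sustained CPU: use the median so a single spike does not trigger.
    samples = proc["cpu_samples"]
    if samples and median(samples) >= HIGH_CPU_THRESHOLD \
            and name not in ALLOWLISTED_HIGH_CPU:
        reasons.append("sustained-high-cpu")

    # Fileless indicator: code executing from memory with no file behind it.
    if proc["unbacked_exec_memory"]:
        reasons.append("unbacked-executable-memory")

    # Attachment-driven infection chain: office app spawning a script host.
    if name in SCRIPT_HOSTS and parent in OFFICE_APPS:
        reasons.append("script-host-spawned-by-office-app")

    return reasons


def triage_snapshot(snapshot):
    """Return {pid: reasons} for every process with at least one indicator."""
    findings = {}
    for proc in snapshot:
        reasons = triage_process(proc)
        if reasons:
            findings[proc["pid"]] = reasons
    return findings


# Constructed snapshot (not real telemetry): one benign shell, one obvious
# miner, one legitimate host process running injected code, one busy but
# allowlisted media encoder.
SAMPLE_SNAPSHOT = [
    {"pid": 412, "name": "explorer.exe", "parent": "userinit.exe",
     "cpu_samples": [0.02, 0.05, 0.03], "unbacked_exec_memory": False},
    {"pid": 2200, "name": "xmrig.exe", "parent": "cmd.exe",
     "cpu_samples": [0.97, 0.99, 0.98, 0.96], "unbacked_exec_memory": False},
    {"pid": 3180, "name": "powershell.exe", "parent": "WINWORD.EXE",
     "cpu_samples": [0.91, 0.88, 0.95], "unbacked_exec_memory": True},
    {"pid": 4020, "name": "ffmpeg.exe", "parent": "explorer.exe",
     "cpu_samples": [0.95, 0.90, 0.92], "unbacked_exec_memory": False},
]

if __name__ == "__main__":
    for pid, reasons in triage_snapshot(SAMPLE_SNAPSHOT).items():
        print(pid, ", ".join(reasons))
```

Each heuristic on its own is noisy (a video encoder pins the CPU, and some legitimate software uses JIT-generated code in unbacked memory), which is why the script reports the combination of indicators per process rather than a single verdict; it is the overlap of sustained CPU, memory-only code and an unusual parent that makes a process worth pulling for investigation.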
“We have seen more fileless malware since the beginning of 2017 than we saw in all of 2016 and 2015 combined,” Kevin Epstein, threat expert at Proofpoint, told Kaspersky Lab’s ThreatPost earlier this year.
“CodeFork is a cautious group that invests in stealth, usually sneaking under the radar of traditional defense systems such as sandboxing, Mail Attachment Scanners, IDS/IPS, Secure Web Gateways and various endpoint protection solutions,” wrote Radware’s Eli Birkan.
“They take advantage of Windows OS executables for the installation process.
“Using machine-learning algorithms that analyse dozens of indicators in the malware behaviour and its communication patterns, Radware detected the attempts to contaminate our customers’ networks and blocked the communication with the [command and control] servers.”
The full scope of the CodeFork gang’s activity is yet to be revealed and it remains unclear how many computers have been targeted at the time of writing. Radware said that the group “will certainly continue to try to distribute its tools, finding new ways to bypass current protections.”
Earlier this year, in late August, Japanese cybersecurity company Trend Micro revealed that another form of cryptocurrency mining malware, aptly called ‘CoinMiner’, was spreading with the help of two leaked Windows exploits from the US National Security Agency.