CodeFork Group Uses Fileless Malware to Deploy Monero Miners

Share this…

A group of experienced hackers — tracked under the name of CodeFork — have launched a new malware distribution campaign that uses advanced tools and new techniques to go undetected by security solutions.

Active since 2015, the group has recently changed its mode of operation by advancing from the usage of malware that stores components on disk to malware that loads malicious code directly into the infected computer’s memory (RAM) in order to bypass traditional antivirus solutions.

This type of malware — known as fileless malware — is becoming more prevalent each day, for obvious reasons, and is just one of the several new changes in CodeFork’s modus operandi.

CodeFork group deploys Monero miner, USB infector

The purpose of these improvements is to harden the group’s malware — a basic downloader (dropper) — against antivirus detection and analysis by security researchers.

The CodeFork gang uses this downloader, which is a modified version of Gamarue, to drop malware on infected computers. Speaking to Bleeping Computer, Radware — the company that uncovered and tracked the group’s evolution during the past two years — says that CodeFork used their dropper for both targeted attacks against high-value targets, but also against regular users in a shotgun approach.

“We think they do both [approaches] in order to get both mass and quality of machines to install different malware on,” a Radware spokesperson told Bleeping Computer via email.

CodeFork targeted attacks are still shrouded in mystery, but researchers have more insight into day-to-day operations that spread mundane malware. During the past few months, Radware says that CodeFork used their improved fileless malware downloader to spread the Necrus malware, a module for infecting USB thumb drives (used to spread laterally inside networks), and a modified Microsoft cdosys.dll file it repurposed to send spam from infected hosts.

More recently, Radware has also seen CodeFork deploy a modified version of xmrig.exe, a legitimate Monero miner.

Group most likely rents access to infected hosts

The secondary payloads downloaded via the CodeFork dropper are all over the place, but one theory can explain why researchers are seeing so many different binaries.

“We believe they sell the installations of other modules we saw installed on victim machines,” Radware told Bleeping. Most likely, the group is selling access to infected computers to other criminal groups, albeit no ads or forum posts were discovered advertising this service as of yet.

“The CodeFork group will certainly continue to try to distribute its tools, finding new ways to bypass current protections,” Radware explains. “Such groups continuously create new malwares and mutations to bypass security controls.”

Security researchers and other technically inclined readers can read a technical report about the new techniques used by CodeFork’s malware downloader in a security alertpublished yesterday by Radware researchers.