CodeFork hackers fooled many security solutions. How about yours?

As a result of Radware’s recent acquisition of Seculert, the startup that developed machine-learning algorithms that are capable of detecting and blocking zero-day malwares in cloud environments, Radware has expanded its research capabilities to include malware intelligence.

For the past two years, the team has been following a hacking group named CodeFork, whom recently launched a new campaign with updated malware tools and infection techniques. The group distributes the malware and leverages the infections to sell different services. Additional modules can be easily added to spread spam, worms and downloaders, and possibly information stealers – depending on the buyer’s intent. One of the latest modules that we saw in numerous installations (the tool is widely spread amongst different businesses in various geographical locations) is a Monero miner. Monero is a digital currency, perhaps the only one that can be mined on a regular PC CPU and does not require a more powerful hardware.

CodeFork is a cautious group that invests in stealth. Their malware distribution campaign sheds some light on the dark halo where hackers operate. While it seems that security solutions are posing new challenges to them, and can easily protect against simple and novice attacks, wide operations are thoroughly planned well in advance, where tools are carefully evaluated and chosen. The modular, systematic behavior of the program reflects the composure of the hackers who operate it. A great endeavor is put forth by the group into evasion. That is, not only to go under the radar of the network security controls, but also to leave almost no footprint.

Machine-learning algorithms analyze dozens of indicators in the malware behavior and communication patterns to detect zero-day attempts to contaminate enterprise networks, and then block the communication with the malware’s C&C servers.

Using file-less techniques for persistence, the tool is capable of sneaking under the radar of traditional defense systems such as sandboxing, Mail Attachment Scanners, IDS/IPS, Secure Web Gateways and various Endpoint protection solutions. The initial infection is most likely done via an email attachment with a Microsoft Office document containing a malicious macro. Next, they take advantage of Window OS executables for the installation process, leaving no tracks on the disk. Doing so allows for a number of advantages:

  • Bypassing AppLocker script rules
  • Proxy awareness
  • Enabling TLS encryption
  • It follows HTTP redirects
  • No trace left on the disk
  • It is usually trusted by endpoint firewall software

[You might also like: Malware and Botnet Attack Services Found on the Darknet]

Once infected, it instructs Windows Scripting Engine to execute an obfuscated Javascript code that executes powershell.exe so it downloads a script from a newly generated domain. This method bypasses local execution policies that might restrict running unrecognized PowerShell scripts. The script downloads an RC4 Encrypted DLL Executable and decrypts it. It then loads the malicious script reflectively from memory PowerSploit modules.

Up until this point, there are no tracks left on the infected machine. Before proceeding, as another simple anti-analysis mechanism, the module checks for the path C:\python27 on the machine, which normally indicates a security researcher’s machine or sandbox environment.

To remain on the infected machine after rebooting, two registry values are stored under HKEY_CURRENT_USER\Software\Classes\[Random String]

  1. The Powershell script for the next stage in base64.
  2. A new RC4 encrypted DLL module.

This is only artifact that remains on the machine.
The next module is a wrapper for the real malware. PowerShell script decrypts the DLL module from the registry, loads it reflectively and executes its VoidFunc export.

It uses a Domain Generation Algorithm (DGA) to generate a new domain every Monday. This tactic makes it difficult for security solutions such as NGFWs and Secure Web Gateways to detect and block outbound communication to the C&C server. After the domain is generated, an HTTPS GET request is sent to download a malicious file, masquerading itself as a Googlebot crawler.

Calculating a seed for the domain generation function

CodeFork uses the same algorithm repeatedly in different modules, but with minor modifications each time. These are few examples:

  1. Changing the seed of the DGA function
  2. Adding an extra letter at the beginning of the domain
  3. Removing two letters from the end
  4. Multiply the first letter
  5. Using various subdomains

This has allowed us to identify domains that are being used now, and in the future, by CodeFork’s different modules without having to retrieve and fully analyze all of their modules.

[You might also like: Network Security Does Not Matter When You Invite the Hacker Inside]

In the next step, the program executes an instance of the infamous Gamarue malware. Using process hollowing, it replaces the process’ main module with a customized version of Gamarue.
The customized version enables downloading additional modules to enhance its capabilities. The group made sure to use process hollowing again – within another legitimate Windows process, before conducting its malicious behavior. To deter analysis of the module, the executable file does not possess an import table, making it hard to understand which Win APIs it uses.

JMP instruction to the address of the original API

Upon ongoing analysis of this and former CodeFork campaigns, we have seen Gamarue being used to download different modules (for different purposes) such as:

  • Necrus Malware
  • A USB-INFECTOR module for lateral infection
  • Using Microsoft’s cdosys.dll for spamming

This time, we discovered a new behavior, which is the Monero mining – the servers will instruct the Gamarue malware to download and execute a Monero Digital Currency CPU Miner, earning attackers cash. This executable heavily consumes the machine’s CPU to mine digital currency.

Executable Process

Because of the number of installations, combined with the versatility of the malware, CodeFork can easily drive monetization, selling to other actors who can deploy complementary malicious modules of their own. The CodeFork group will certainly continue to try to distribute its tools, finding new ways to bypass current protections. Such groups continuously create new malwares and mutations to bypass security controls.

[You might also like: Profile of a Hacker]

Five Malware Protection Fundamentals:

  1. Communication behavior analytics

Utilize advanced machine-learning behavior analysis algorithms to constantly analyze Internet traffic to detect zero-day malware. This key capability is crucial to uncover and stop evasive and file-less malware designed to bypass Web Gateways, sandboxing solutions, file-based endpoint solutions and other security defenses.

  1. Global Crowdsourcing

Leverage a global community of millions of enterprise users, who generate billions of daily communications. This can help protect your organization from new emerging threats faster.

  1. Malware Analysis at Scale

On top of raw data from the global community, process high volumes of daily malware samples (i.e., from external feeds by scalable sandboxing engines) to create a massive database of malware profiles.

  1. Auditing Tool

Without introducing any actual bad actors into the network, simulate attacks by the latest malware to proactively measure the performance of your existing security infrastructure against potential threats.

  1. Integration with Existing Defenses

Integrate Secure Web Gateways, Next-gen Firewalls, SIEMs and other existing security solutions and threat intelligence feeds to achieve comprehensive threat visibility.

Download the full ERT threat alert.

Download Now

Eli Birkan

Eli Birkan is a Security Researcher with extensive experience in Exploitation, OS-internals and Code Analysis. Eli focuses on Malware Research and Network Cloud Security.

Contact Radware Sales

Our experts will answer your questions, assess your needs, and help you understand which products are best for your business.

Already a Customer?

We’re ready to help, whether you need support, additional services, or answers to your questions about our products and solutions.

Get Answers Now from KnowledgeBase
Get Free Online Product Training
Engage with Radware Technical Support
Join the Radware Customer Program


An Online Encyclopedia Of Cyberattack and Cybersecurity Terms

What is WAF?
What is DDoS?
Bot Detection
ARP Spoofing

Get Social

Connect with experts and join the conversation about Radware technologies.

Security Research Center