A hacking group going by the name of CodeFork is using fileless malware to mine Monero, which is a type of cryptocurrency.
CodeFork is reportedly using fileless malware to mine the cryptocurrency Monero, turning infected systems into a source of funds. The malware targets Windows systems and is delivered through spam emails.
Cryptocurrencies are created when users expend computing power to solve mathematical problems. Anyone who follows the rules set out in the cryptocurrency's software, and who has hardware suitable for the computing power required, can take part in the mining process. While the process varies from cryptocurrency to cryptocurrency, the essence is quite similar.
Miners validate transactions that are put into blocks and joined together in blockchains. To ensure that no fraudulent transactions are involved, each block has a hash associated with it, so even a slight alteration changes the hash value and lets a miner detect the discrepancy. This hard work is rewarded in the form of cryptocurrency units.
There are specific requirements as to the kind of solution needed to generate, or mine, the cryptocurrency. As long as one produces the required result, one can expect fair payment for the time and effort spent.
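To make the mining mechanics described above concrete, here is an added toy example in Python (not from the article, and not the code of any real cryptocurrency): a tiny proof-of-work chain in which a block is "mined" by searching for a nonce, the miner's reward is the first transaction in the block, and any later alteration of a transaction breaks the hash linkage. The difficulty target, transactions and miner names are constructed for illustration.

```python
import copy
import hashlib
import json

# Constructed toy chain for illustration only; it follows no real
# cryptocurrency's rules. DIFFICULTY is the number of leading zero hex
# digits a block hash must have (real networks use a far harder target).
DIFFICULTY = 3

def block_hash(block: dict) -> str:
    """SHA-256 over the canonical JSON of the block, nonce included."""
    return hashlib.sha256(json.dumps(block, sort_keys=True).encode()).hexdigest()

def mine_block(prev_hash: str, transactions: list, reward_to: str) -> dict:
    """Try nonces until the hash meets the target (the 'hard work').
    The first transaction pays the miner: the reward in currency units."""
    block = {
        "prev_hash": prev_hash,
        "transactions": [{"to": reward_to, "amount": 1, "coinbase": True}]
        + transactions,
        "nonce": 0,
    }
    while not block_hash(block).startswith("0" * DIFFICULTY):
        block["nonce"] += 1
    return block

def chain_is_valid(chain: list) -> bool:
    """Each block must meet the target and point at its predecessor's hash."""
    for i, block in enumerate(chain):
        if not block_hash(block).startswith("0" * DIFFICULTY):
            return False
        if i > 0 and block["prev_hash"] != block_hash(chain[i - 1]):
            return False
    return True

def build_demo_chain() -> list:
    """Three blocks over constructed sample transactions."""
    genesis = mine_block("0" * 64, [], "miner-A")
    b1 = mine_block(block_hash(genesis),
                    [{"from": "alice", "to": "bob", "amount": 5}], "miner-A")
    b2 = mine_block(block_hash(b1),
                    [{"from": "bob", "to": "carol", "amount": 2}], "miner-B")
    return [genesis, b1, b2]

def tamper(chain: list, block_idx: int, tx_idx: int, amount: int) -> list:
    """Copy the chain with one amount altered; the hashes no longer line up."""
    altered = copy.deepcopy(chain)
    altered[block_idx]["transactions"][tx_idx]["amount"] = amount
    return altered
```

Validating the untouched chain returns True, while the tampered copy fails because the altered block's hash changes and the next block's `prev_hash` no longer matches it.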
CodeFork, however, uses other people's systems to do this work for it. The computing power of these systems is used to mine Monero, a cryptocurrency like Bitcoin and Ethereum. The exploitation begins when users click on spam emails. The malware then downloads onto the system and begins working in the background, using other applications on the machine to do its job. Its fileless nature, however, is what is most intriguing.
Security researchers report that the number of fileless malware attacks in 2017 so far exceeds that of 2015 and 2016 combined. Fileless malware, as the name suggests, does not involve installing files on the user's system, which makes it difficult for the user's system or antivirus software to detect.
The CodeFork malware used to mine Monero, known as Gamarue, works in a similar fashion to most fileless malware: it hides its code in the machine's memory and leverages apps already on the system. The Gamarue malware creates a modified version of the miner executable, called 'xmrig.exe'. This is the executable that consumes the user system's computing power.
CodeFork itself is a hacking group whose activity goes back at least a couple of years. It sells malicious services such as email spam and worms. The group has a history of operating in stealth mode and is known for evading the usual detection techniques such as email attachment scanners, sandboxing, endpoint protection solutions and secure web gateways. To install the malware on the victim machine, the group takes advantage of the Windows operating system.
While security researchers have identified this attack vector, no one knows just how extensive the problem is. There is no indication of how many computers are under the control of the hacking group, or how many units of Monero the group has mined so far. The one thing researchers say with certainty is that CodeFork will continue its operation and try to infect as many systems as possible.
CodeFork's Gamarue is not the only fileless malware using the computing power of victim computers to mine cryptocurrencies. Trend Micro, a Japanese cybersecurity company, revealed in August 2017 that another cryptocurrency miner is in operation. This miner, named CoinMiner, takes advantage of two Windows exploits which the US National Security Agency leaked.