This is a homegrown cyber threat actor that has been active since 2015 and has grown into a large cartel made up of money launderers, hackers, coders, operators and insiders. The adversary is a constant threat to a wide variety of institutions, mostly in the banking sector in Kenya and its neighbouring countries.
The group is known for writing quick Python scripts as tooling for the exploitation phase of an intrusion. It also makes use of open-source tools such as Empire, Metasploit, DeathStar, BloodHound, CrackMapExec, Aesshell, XmultiShell, CHAOS and Katoolin.
Their initial keylogger was written by a student who later became a bigger player in the group; he registered email@example.com in 2016 to be used as the mailbox that received the keylogger data, as seen in this excerpt of the script:
# Keylogger excerpt (Python 2): Windows hook libraries plus the e-mail
# modules used to send captured keystrokes out over Gmail SMTP.
import pythoncom, pyHook, sys, logging, socket, datetime, os, win32gui, time
from email.MIMEMultipart import MIMEMultipart
from email.MIMEBase import MIMEBase
from email.MIMEText import MIMEText
from email import Encoders
gmail_user = "firstname.lastname@example.org"   # receiving mailbox
gmail_pwd = "mlimani_25891011"
now = datetime.datetime.now()
# Every log entry is prefixed with the victim's hostname and IP address
COMPUTER_NAME = socket.gethostname() + " " + socket.gethostbyname(socket.gethostname()) + ": "
This email was used in a lot of money heists around Nairobi before the group switched to email@example.com and later firstname.lastname@example.org for further attacks. Whenever the keylogger generated its data, a file with the extension .tar.gz was saved in the user's profile directory, with the username as the name of the file. When we responded to institutions with a Forkbombo malware infestation we would find servers and workstations full of these text files carrying that extension.
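The two host-side indicators in the paragraph above (a plain-text file named <username>.tar.gz dropped in that user's profile, and a Python script combining the pyHook import with the email.MIME* imports) can be hunted for with a short script. The following is an added example written for this post, not OnNet's own tooling; the profile layout, file names and sample content are constructed for the demo, and a real hunt would point hunt_profiles() at C:\Users or the equivalent on a server.

```python
"""Hunt for Forkbombo-style keylogger artefacts under a user-profile tree.

Added example, not OnNet's tooling. Two indicators from the write-up:
  1. a file named <username>.tar.gz in that user's profile that is really
     plain text, not a gzip archive;
  2. a Python script importing pyHook together with the email.MIME* modules.
All paths and sample contents are constructed for the demonstration.
"""
import os
import re
import tempfile

GZIP_MAGIC = b"\x1f\x8b"
# Source markers: the keystroke-hook library plus the mail-sending imports.
HOOK_IMPORT_RE = re.compile(r"^\s*import\s+.*\bpyHook\b", re.MULTILINE)
MIME_IMPORT_RE = re.compile(r"^\s*from\s+email\.MIME\w+\s+import", re.MULTILINE)


def is_fake_archive(path):
    """True when a .tar.gz-named file does not start with the gzip magic bytes."""
    with open(path, "rb") as fh:
        head = fh.read(2)
    return head != GZIP_MAGIC


def looks_like_keylogger_source(path):
    """True when a .py file imports pyHook and the email MIME classes."""
    try:
        with open(path, "r", errors="replace") as fh:
            text = fh.read()
    except OSError:
        return False
    return bool(HOOK_IMPORT_RE.search(text) and MIME_IMPORT_RE.search(text))


def hunt_profiles(users_root):
    """Walk <users_root>/<username>/... and return a list of (indicator, path)."""
    findings = []
    for username in sorted(os.listdir(users_root)):
        profile = os.path.join(users_root, username)
        if not os.path.isdir(profile):
            continue
        # Indicator 1: <username>.tar.gz in the profile root that is plain text.
        candidate = os.path.join(profile, username + ".tar.gz")
        if os.path.isfile(candidate) and is_fake_archive(candidate):
            findings.append(("keylog_dropfile", candidate))
        # Indicator 2: the keylogger script anywhere below the profile.
        for dirpath, _dirs, files in os.walk(profile):
            for name in sorted(files):
                if name.lower().endswith(".py"):
                    full = os.path.join(dirpath, name)
                    if looks_like_keylogger_source(full):
                        findings.append(("keylog_script", full))
    return findings


def build_demo_tree():
    """Create a constructed profile tree: one clean user, one infected user."""
    root = tempfile.mkdtemp(prefix="users_")
    # Clean user: a genuine gzip file with a matching name must not be flagged.
    os.makedirs(os.path.join(root, "alice"))
    with open(os.path.join(root, "alice", "alice.tar.gz"), "wb") as fh:
        fh.write(GZIP_MAGIC + b"\x08" + b"\x00" * 7)
    # Infected user: plain-text keystroke log plus the dropped script.
    hidden = os.path.join(root, "bob", "AppData", "Roaming")
    os.makedirs(hidden)
    with open(os.path.join(root, "bob", "bob.tar.gz"), "w") as fh:
        fh.write("HOST-01 10.0.0.5: [Return]hello[Return]\n")  # constructed
    with open(os.path.join(hidden, "upd.py"), "w") as fh:
        fh.write("import pythoncom, pyHook, sys\n"
                 "from email.MIMEMultipart import MIMEMultipart\n")
    return root


if __name__ == "__main__":
    for indicator, path in hunt_profiles(build_demo_tree()):
        print(indicator, path)
```

The gzip magic check matters because a legitimate backup archive with the same naming pattern would otherwise produce a false positive; the script only flags a .tar.gz that is not actually compressed, which is exactly the text-file artefact described above.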
In 2017, several key leaders of the Forkbombo group were arrested in a safehouse they used at Yaya Centre, with several hackers disappearing into the woods and splitting into two groups.
The OnNet team continues to pursue them and has code-named these two threat actors SilentCards and GrapZone for attribution. In 2018, GrapZone members, including money mules, rejoined forces and a new, bigger Forkbombo group was formed.
In the coming months, the OnNet team will share deeper CTI on these groups, including why they are currently in dispute and on opposing sides.
OnNet pays special attention to these intruders and is currently pursuing other advanced financial threats that are targeting our customers.