Researchers Uncover Mining Operation Using ISO Lures to Spread RATs and Crypto Miners
وسط REF1695: عملية تعدين العملات الرقمية اللي كتستعمل "ISO Lures" و "CNB Bot" باش تهرب من الرادار
Inside REF1695: The Crypto-Mining Operation Using ISO Lures and "CNB Bot" to Evade Detection
TL;DR
Researchers have identified a financially motivated threat actor, codenamed REF1695, that has been active since November 2023. The group uses fake software installers delivered via ISO files to deploy remote access trojans (RATs) and cryptocurrency miners. Notably, the campaign introduces a new .NET implant called CNB Bot and leverages social engineering to trick users into bypassing Microsoft Defender protections.
Overview of REF1695
Elastic Security Labs researchers Jia Yu Chan, Cyril François, and Remco Sprooten recently published an analysis of a persistent, financially motivated operation tracked as REF1695. Since late 2023, this actor has been observed monetizing infections through a multi-pronged approach:
- Cryptomining: Deploying XMRig and SilentCryptoMiner.
- CPA (Cost Per Action) Fraud: Directing victims to "content locker" pages under the pretense of software registration.
- Malware Distribution: Deploying Remote Access Trojans (RATs) like PureRAT.
The Infection Vector: ISO Lures and Social Engineering
The attack typically begins with an ISO file disguised as a legitimate software installer. To bypass modern Windows security features, the threat actor includes a text file with explicit instructions for the victim.
The instructions guide users to manually bypass Microsoft Defender SmartScreen by clicking "More info" and "Run anyway" when the unrecognized application is blocked. This social engineering tactic effectively recruits the user to disable their own security layer.
Technical Analysis: Loaders and "CNB Bot"
Once executed, the attack utilizes a .NET Reactor-protected loader. This loader invokes PowerShell to configure broad Microsoft Defender Antivirus exclusions, ensuring the malware can operate without interference.
A key discovery in recent iterations of this campaign is a previously undocumented .NET implant codenamed CNB Bot.
Capabilities of CNB Bot include:
- Downloading and executing additional payloads.
- Self-updating and uninstallation for cleanup.
- Communication with a Command-and-Control (C2) server via HTTP POST requests.
- Displaying fake error messages to the user (e.g., "Unable to launch the application... Your system may not meet the required specifications") to mask the malicious background activity.
Optimization and Persistence
The threat actor goes to great lengths to maximize mining efficiency and maintain access:
- Kernel-Level Exploitation: The campaign abuses
WinRing0x64.sys, a legitimate but vulnerable signed Windows kernel driver. This allows the attacker to obtain kernel-level hardware access and modify CPU settings to boost mining hash rates. - Detection Evasion: For campaigns involving SilentCryptoMiner, the actor uses direct system calls to evade security software.
- Persistence & Stability: The malware disables Windows Sleep and Hibernate modes to ensure uninterrupted mining. It also employs a "watchdog" process designed to restore malicious files and scheduled tasks if they are deleted by the user or security software.
- Infrastructure Abuse: REF1695 uses GitHub as a Content Delivery Network (CDN) to host staged binaries. By using a trusted platform, the actor reduces the likelihood of their download traffic being flagged as suspicious.
Financial Impact
The operation appears to be consistently profitable. Researchers tracked four wallets associated with this campaign, which have accrued approximately 27.88 XMR (estimated at $9,392). While perhaps smaller than nation-state operations, the consistent financial return highlights the sustainability of the REF1695 model.
Conclusion
REF1695 represents a sophisticated example of modern "commodity" threats. By combining social engineering, the abuse of legitimate drivers, and the use of trusted platforms like GitHub for payload delivery, the group manages to fly under the radar while maintaining a steady stream of illicit income. Organizations should educate users on the risks of ISO files and the dangers of following instructions to bypass SmartScreen warnings.
