An operation, codenamed REF1695, that has been financially motivated and active quietly since November 2023. In its use of fake software installers to deliver RATs and cryptocurrency miners, REF1695 has not only resorted to basic forms of Cryptojacking. This has been shown in a new research paper published by Elastic Security Labs.
The attackers also monetize infections through CPA (Cost Per Action) fraud, redirecting victims to content locker pages disguised as software registration or activation screens.
In its most recent iterations, the group has begun deploying a previously undocumented .NET implant called CNB Bot. The attack typically starts with an ISO file that contains a .NET Reactor-protected loader and a text file with clear instructions telling the user how to bypass Microsoft Defender SmartScreen by clicking “More info” and then “Run anyway.”
Once executed, the loader launches PowerShell to create broad Microsoft Defender exclusions, helping the malware stay hidden. At the same time, the victim sees a fake error message: “Unable to launch the application. "Your system may not meet the specifications required for compatibility. Please contact support."
CNB Bot functions primarily as a loader; it can download and execute other payloads, update itself, and take cleanup measures. It communicates with its command-and-control server through HTTP POST requests.
Similar ISO-based lure tactics have been used by the threat actor for distributing PureRAT, PureMiner, and a customized .NET version of the XMRig loader; some of these miners will exploit legitimate, though vulnerable, kernel drivers such as WinRing0x64.sys to gain access to low level hardware and optimize CPU settings for more efficient hashing, as has also been observed with many examples of cryptojacking since 2019.
Another variant results in SilentCryptoMiner which uses direct system calls to avoid detection, disables the Windows Sleep and Hibernate modes, and enables persistence through a scheduled task; a watch-dog process ensures that if any of its malicious components are removed, they will quickly be replaced.
Elastic has estimated that there are currently four 'tracked' cryptocurrency wallets associated with this campaign that have produced 27.88 XMR (about $9,392) which indicates that the campaign is generating a considerable amount of revenue on an ongoing basis.
Furthermore, the group has been identified as regularly abusing GitHub as a payload delivery CDN while hosting staged binaries from trusted GitHub accounts, thereby offering lower detection risk through the download process rather than relying on infrastructure controlled by the attacker(s).
Some key takeaways from the investigation are:
1. REF1695 combines traditional malware delivery with cryptojacking and CPA fraud.
2. Using ISO files and step-by-step instructions for bypassing SmartScreen makes these types of attacks attainable for non-technical users as well.
3. Using GitHub (abuse) and exploited legitimate drivers with vulnerabilities (such as WinRing0 driver) to execute malware demonstrates an increase in the sophistication of the group's evasion techniques.
Organizations and individuals alike need to be vigilant when downloading software from the internet (especially from non-standard sources or ISO files) by verifying all downloads and not clicking 'RUN ANYWAY' when opening unknown application files.
If you suspect you may have a computer infection, you should take the time to look for suspicious PowerShell usage, unexpected scheduled tasks, or CPU usage over an extended period of time when your PC appears to be in an idle state.
Source: The Hacker News