Cybercriminals Exploit Fake Software Installers to Deploy RATs and Monero Miners
Since late 2023, a financially motivated threat actor, identified as REF1695, has been orchestrating a stealthy malware campaign. This operation deceives users into downloading counterfeit software installers that clandestinely deploy remote access trojans (RATs) and Monero cryptocurrency miners. Over the past two years, the campaign has evolved, expanding its arsenal while remaining largely undetected.
Deceptive Installation Process
The attack initiates when a user launches what appears to be a legitimate software installer. To maintain the illusion, the installer may display a progress bar or a fabricated error message indicating installation failure due to missing system requirements. By the time such messages appear, the malware has already been installed, effectively diverting the user’s attention from the malicious activities occurring in the background.
Evolution of the Campaign
Elastic Security Labs researchers have traced this operation back to November 2023, identifying four distinct campaign variants. Each variant deploys a different combination of malicious tools, including:
– PureRAT
– CNB Bot
– PureMiner
– A custom XMRig loader
– AsyncRAT
– PulsarRAT
– SilentCryptoMiner
Despite the varying payloads, all campaigns share consistent packing techniques using Themida, WinLicense, and .NET Reactor, along with overlapping command-and-control (C2) infrastructure, indicating a single operator behind these attacks.
Monetization Strategies
Beyond cryptocurrency mining, the attacker profits through Cost Per Action (CPA) fraud. Victims are redirected to fraudulent registration pages, prompting them to complete online surveys or sign up for services, earning the attacker a commission for each completion. Combining CPA fraud with Monero mining, the operator has amassed over 27.88 XMR—approximately $9,392—across four tracked wallets.
Infection Chain Details
The infection process begins when a victim launches a seemingly legitimate software installer. In recent campaign builds, the malware is delivered as an ISO image containing a .NET loader and a ReadMe.txt file. The ReadMe.txt file attempts to build trust by explaining that the software originates from a small team unable to afford proper code-signing, guiding users to bypass Windows SmartScreen warnings.
Once executed, the loader adds itself and key system directories to Microsoft Defender’s exclusion list, rendering it invisible to the built-in antivirus. It then deploys the CNB Bot implant while displaying a fake error message indicating installation failure due to unmet system requirements, keeping users unsuspecting as the infection takes hold.
CNB Bot Functionality
CNB Bot is a newly documented .NET implant that communicates with its C2 server every ten minutes via a scheduled Windows task. Each command received must pass an RSA-2048 signature check before execution, ensuring that only authorized instructions from the operator are executed.
Evasion Techniques
A notable evasion tactic in this campaign is the use of GitHub to host payloads. By leveraging GitHub, the attacker benefits from the platform’s reputation and widespread use, making it challenging for security tools to flag the hosted content as malicious.
Broader Context
This campaign is part of a larger trend where cybercriminals use fake software installers to distribute malware. Similar tactics have been observed in other campaigns:
– Fake npm Install Messages: A campaign named the “Ghost campaign” targets developers through the npm package registry, using fake installation messages to hide malicious activity. The attack begins when a developer installs one of the rogue packages, generating what appears to be a normal npm installation process. In reality, it deploys a remote access trojan (RAT) designed to steal cryptocurrency wallets and sensitive data. ([cybersecuritynews.com](https://cybersecuritynews.com/fake-npm-install-messages-hide-rat-malware/?utm_source=openai))
– Fake FileZilla Downloads: Attackers have created fraudulent websites that closely mirror the official FileZilla download page. Unsuspecting users who download from these sites receive a package that includes a legitimate copy of FileZilla bundled with a hidden malicious DLL file. This technique, known as DLL sideloading, allows the malware to execute silently in the background, granting attackers remote access to the compromised system. ([cybersecuritynews.com](https://cybersecuritynews.com/fake-filezilla-downloads-lead-to-rat-infections/?utm_source=openai))
– Fake Notepad++ and 7-Zip Websites: Cybercriminals have set up deceptive sites impersonating popular utilities like Notepad++ and 7-Zip. Users attempting to download these tools are instead served with Remote Monitoring and Management (RMM) tools such as LogMeIn Resolve. Once installed, these tools allow attackers to gain full control over the infected systems, execute commands remotely, and deploy additional malware payloads. ([cybersecuritynews.com](https://cybersecuritynews.com/threat-actors-using-fake-notepad-and-7-zip-websites/?utm_source=openai))
Implications and Recommendations
The persistence and adaptability of the REF1695 campaign underscore the evolving nature of cyber threats. By continuously updating their methods and leveraging trusted platforms, attackers can effectively evade detection and maintain prolonged access to compromised systems.
To mitigate such threats, users and organizations should:
1. Download Software from Official Sources: Always obtain software directly from official websites or trusted repositories to reduce the risk of downloading malicious installers.
2. Verify Digital Signatures: Check for valid digital signatures on software installers to ensure their authenticity.
3. Be Cautious of Unexpected Prompts: Exercise caution when prompted to bypass security warnings or disable antivirus protections during software installation.
4. Implement Robust Security Measures: Utilize comprehensive security solutions that can detect and block malicious activities, including behavior-based detection systems.
5. Educate Users: Regularly train users on recognizing phishing attempts, social engineering tactics, and the importance of downloading software from reputable sources.
By adopting these practices, individuals and organizations can enhance their defenses against deceptive malware campaigns that exploit fake software installers.
