Cybercriminals Exploit ISO Files to Deploy RATs and Crypto Miners
In a recent cybersecurity development, researchers have identified a financially driven cyber operation, designated as REF1695, which has been active since November 2023. This campaign employs deceptive installers to disseminate remote access trojans (RATs) and cryptocurrency mining software, posing significant threats to users worldwide.
Tactics and Techniques
The attackers utilize ISO files as the primary infection vector. These files contain a .NET Reactor-protected loader alongside a text file that instructs users on bypassing Microsoft Defender SmartScreen warnings. By following these instructions, users inadvertently allow the execution of malicious software.
Once activated, the loader runs PowerShell scripts that configure extensive exclusions in Microsoft Defender Antivirus, so the components dropped later are not scanned. Simultaneously, users encounter an error message stating, "Unable to launch the application. Your system may not meet the required specifications. Please contact support," which serves to divert attention from the ongoing compromise.
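Defender records every configuration change, including exclusion additions, as Event ID 5007 in the Microsoft-Windows-Windows Defender/Operational log, which gives defenders a direct signal for the exclusion step described above. The script below is an added example (it is not from the article or the underlying research) that triages such events and flags the kinds of exclusions a loader would add: a whole drive, a user-writable directory, an executable or script extension, or a script host. The sample messages are constructed to mirror the documented 5007 message shape; the risk thresholds are this example's own assumptions.

```python
"""
Triage Microsoft Defender Antivirus configuration-change events (Event ID 5007)
for risky exclusions. Sample messages below are constructed for this example.
"""
import re
from dataclasses import dataclass

# A 5007 message names the registry value that changed, e.g.
#   New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Public = 0x0
EXCLUSION_RE = re.compile(
    r"New value:\s*HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\"
    r"(?P<kind>Paths|Extensions|Processes)\\(?P<value>.+?)\s*=\s*0x0",
    re.IGNORECASE,
)

BROAD_PATH_RE = re.compile(r"^[a-z]:\\?$", re.IGNORECASE)  # a whole drive
WRITABLE_DIR_RE = re.compile(
    r"\\(Users\\Public|AppData|Temp|ProgramData)(\\|$)", re.IGNORECASE
)
RISKY_EXTENSIONS = {"exe", "dll", "ps1", "bat", "cmd", "vbs", "js", "scr"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}


@dataclass
class Finding:
    kind: str    # Paths, Extensions or Processes
    value: str   # the excluded item
    reason: str  # why it is considered risky


def parse_exclusion(message: str):
    """Return (kind, value) for an exclusion change, or None for other 5007 events."""
    m = EXCLUSION_RE.search(message)
    if not m:
        return None
    return m.group("kind"), m.group("value").strip()


def assess(kind: str, value: str):
    """Return a reason string if the exclusion is risky, else None."""
    if kind == "Paths":
        if BROAD_PATH_RE.match(value):
            return "whole drive excluded from scanning"
        if WRITABLE_DIR_RE.search(value):
            return "user-writable directory excluded"
    elif kind == "Extensions":
        if value.lstrip(".").lower() in RISKY_EXTENSIONS:
            return "executable or script extension excluded"
    elif kind == "Processes":
        if value.rsplit("\\", 1)[-1].lower() in SCRIPT_HOSTS:
            return "script host excluded from scanning"
    return None


def triage(messages):
    """Run every 5007 message through the parser and the risk rules."""
    findings = []
    for msg in messages:
        parsed = parse_exclusion(msg)
        if parsed is None:
            continue
        kind, value = parsed
        reason = assess(kind, value)
        if reason:
            findings.append(Finding(kind, value, reason))
    return findings


PREFIX = ("Microsoft Defender Antivirus Configuration has changed. If this is an "
          "unexpected event you should review the settings as this may be the "
          "result of malware. Old value: New value: ")

# Constructed sample events: three risky exclusions, one benign, one non-exclusion change.
SAMPLE_EVENTS = [
    PREFIX + r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ = 0x0",
    PREFIX + r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions\exe = 0x0",
    PREFIX + r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes"
             r"\C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe = 0x0",
    PREFIX + r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths"
             r"\C:\Program Files\Contoso Backup = 0x0",
    PREFIX + r"HKLM\SOFTWARE\Microsoft\Windows Defender\Scan\DisableArchiveScanning = 0x1",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.kind}] {f.value}: {f.reason}")
```

In production the messages would come from the event log (for example via `Get-WinEvent` or a SIEM export); the rules deliberately ignore ordinary exclusions under Program Files so that a legitimate backup or database exclusion does not page anyone.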
Introduction of CNB Bot
A notable addition to this campaign is the deployment of a previously undocumented .NET implant named CNB Bot. This sophisticated tool functions as a loader with capabilities to:
– Download and execute additional payloads.
– Update itself to maintain persistence.
– Uninstall and perform cleanup actions to erase traces of its presence.
CNB Bot communicates with command-and-control (C2) servers through HTTP POST requests, facilitating remote control by the attackers.
Diversified Malicious Payloads
Beyond CNB Bot, REF1695 has been linked to the distribution of other malicious software, including:
– PureRAT: A remote access trojan that enables unauthorized control over infected systems.
– PureMiner: A cryptocurrency miner that exploits system resources for illicit mining activities.
– Custom .NET-based XMRig Loader: This loader retrieves mining configurations from hard-coded URLs to deploy the XMRig miner, a popular tool for mining Monero cryptocurrency.
Exploitation of Legitimate Drivers
In a tactic reminiscent of the FAUX#ELEVATE campaign, the attackers exploit WinRing0x64.sys, a legitimate yet vulnerable Windows kernel driver. By leveraging this driver, they gain kernel-level access to modify CPU settings, thereby enhancing the efficiency of their mining operations. This method has been a common strategy in various cryptojacking campaigns over the years.
SilentCryptoMiner Deployment
Another facet of REF1695’s activities includes the deployment of SilentCryptoMiner. This miner employs direct system calls to evade detection and implements several measures to maintain its foothold:
– Disabling Windows Sleep and Hibernate modes to ensure continuous operation.
– Establishing persistence through scheduled tasks.
– Utilizing the Winring0.sys driver to optimize CPU performance for mining.
A watchdog process is also in place to restore malicious components if they are removed, ensuring the longevity of the infection.
Financial Impact
The campaign has proven financially rewarding for the attackers. Analysis of four tracked wallets reveals that REF1695 has accumulated approximately 27.88 XMR, equivalent to $9,392. This indicates a consistent and profitable operation.
Abuse of Trusted Platforms
To further obfuscate their activities, the threat actors exploit GitHub as a content delivery network (CDN) for payload distribution. By hosting malicious binaries across multiple GitHub accounts, they shift the download and execution processes away from their own infrastructure to a trusted platform. This strategy reduces the likelihood of detection and complicates efforts to trace the malicious activities back to their source.
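The miner chain described in the SilentCryptoMiner and driver sections (sleep and hibernate disabled, a scheduled task for persistence, the WinRing0 driver loaded) and the GitHub-hosted payload retrieval described just above each look unremarkable in isolation, so a detection that correlates them per host is more useful than four separate alerts. The script below is an added example written for this article, not from the research it summarizes; the record shape is Sysmon-like but the field names, the benign-client list and the sample records are this example's own constructed assumptions.

```python
"""
Per-host correlation of the cryptominer persistence chain:
power-setting tampering, scheduled-task persistence from a user-writable
directory, a WinRing0 driver load, and a GitHub fetch by an unexpected process.
Records are constructed in a Sysmon-like shape for this example.
"""
import re
from collections import defaultdict

# powercfg invocations that keep the machine awake (hibernate off, zero standby timeouts)
POWER_RE = re.compile(
    r"powercfg(\.exe)?\s.*?(?:[/-](?:h|hibernate)\s+off"
    r"|standby-timeout-(?:ac|dc)\s+0|hibernate-timeout-(?:ac|dc)\s+0)",
    re.IGNORECASE,
)
# schtasks /create ... /tr <target>; captures the task's executable
TASK_RE = re.compile(
    r"schtasks(\.exe)?\s.*?/create\b.*?/tr\s+\"?(?P<target>[^\"]+?)\"?(?:\s+/|$)",
    re.IGNORECASE,
)
WRITABLE_RE = re.compile(r"\\(Users\\Public|AppData|Temp|ProgramData)\\", re.IGNORECASE)
VULN_DRIVER_RE = re.compile(r"winring0(x64)?\.sys$", re.IGNORECASE)
GITHUB_HOSTS = {"github.com", "raw.githubusercontent.com", "objects.githubusercontent.com"}
# Processes for which GitHub traffic is expected (assumed allow-list for this example)
EXPECTED_GITHUB_CLIENTS = {"git.exe", "chrome.exe", "msedge.exe", "firefox.exe", "code.exe"}


def evaluate(record):
    """Map one telemetry record to a list of (rule, detail) hits."""
    hits = []
    event = record["event"]
    if event == "ProcessCreate":
        cmd = record.get("cmdline", "")
        if POWER_RE.search(cmd):
            hits.append(("power_settings_tampered", cmd))
        m = TASK_RE.search(cmd)
        if m and WRITABLE_RE.search(m.group("target")):
            hits.append(("task_persistence_user_writable", m.group("target")))
    elif event == "DriverLoad":
        driver = record.get("image_loaded", "")
        if VULN_DRIVER_RE.search(driver):
            hits.append(("vulnerable_driver_loaded", driver))
    elif event == "NetworkConnect":
        proc = record.get("image", "").rsplit("\\", 1)[-1].lower()
        host = record.get("dest_host", "").lower()
        if host in GITHUB_HOSTS and proc not in EXPECTED_GITHUB_CLIENTS:
            hits.append(("github_fetch_unusual_process", f"{proc} -> {host}"))
    return hits


def correlate(records, min_rules=2):
    """Group hits by host; report hosts that trip at least min_rules distinct rules."""
    per_host = defaultdict(list)
    for record in records:
        for hit in evaluate(record):
            per_host[record["host"]].append(hit)
    return {host: hits for host, hits in per_host.items()
            if len({rule for rule, _ in hits}) >= min_rules}


# Constructed sample telemetry: WS-01 shows the full chain, WS-02 is benign activity.
SAMPLE_RECORDS = [
    {"host": "WS-01", "event": "ProcessCreate",
     "cmdline": "powercfg.exe /hibernate off"},
    {"host": "WS-01", "event": "ProcessCreate",
     "cmdline": "powercfg.exe /change standby-timeout-ac 0"},
    {"host": "WS-01", "event": "ProcessCreate",
     "cmdline": r'schtasks.exe /create /tn "WindowsUpdateSvc" '
                r'/tr "C:\Users\Public\Libraries\svchost.exe" /sc onlogon /rl highest'},
    {"host": "WS-01", "event": "DriverLoad",
     "image_loaded": r"C:\Users\Public\Libraries\WinRing0x64.sys"},
    {"host": "WS-01", "event": "NetworkConnect",
     "image": r"C:\Users\Public\Libraries\svchost.exe",
     "dest_host": "raw.githubusercontent.com"},
    {"host": "WS-02", "event": "NetworkConnect",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dest_host": "github.com"},
    {"host": "WS-02", "event": "ProcessCreate",
     "cmdline": r'schtasks.exe /create /tn "ContosoAgent" '
                r'/tr "C:\Program Files\Contoso\agent.exe" /sc hourly'},
]

if __name__ == "__main__":
    for host, hits in correlate(SAMPLE_RECORDS).items():
        print(host)
        for rule, detail in hits:
            print(f"  {rule}: {detail}")
```

The `min_rules` threshold is what keeps a developer who legitimately runs `powercfg` or schedules a task from being reported; a single rule firing is still worth logging, but the page-worthy alert is a host where several stages of the same chain appear together.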
Conclusion
The REF1695 operation underscores the evolving tactics of cybercriminals who blend social engineering with technical exploitation to achieve their objectives. By leveraging legitimate platforms and tools, they enhance the effectiveness and stealth of their campaigns. Users are advised to exercise caution when downloading and installing software, especially from unverified sources, and to remain vigilant against prompts that encourage bypassing security warnings.