
A financially motivated operation codenamed REF1695 has been observed leveraging fake installers to deploy remote access trojans (RATs) and cryptocurrency miners since November 2023.
“Beyond cryptomining, threat actors are monetizing infections through CPA (cost per action) fraud, directing victims to content locker pages under the guise of software registration,” Elastic Security Labs researchers Jia Yu Chan, Cyril François, and Remco Sprooten said in an analysis published this week.
The recent campaign also distributed a previously undocumented .NET implant codenamed CNB Bot. These attacks leverage ISO files as infection vectors and loaders protected by .NET Reactor, which drop a text file giving users explicit instructions to bypass Microsoft Defender SmartScreen protection against running unrecognized applications by clicking “More info” and “Run anyway”.
The loader is designed to call PowerShell, which is responsible for configuring extensive Microsoft Defender Antivirus exclusions and quietly launching CNB Bot in the background. At the same time, users are shown an error message that says, “Unable to start the application. Your system may not meet the required specifications. Please contact support.”
CNB Bot acts as a loader with the ability to download and execute additional payloads, update itself, and perform uninstall and cleanup actions to cover its tracks. It communicates with a command-and-control (C2) server using HTTP POST requests.
Other campaigns launched by threat actors utilized similar ISO lures to deploy PureRAT, PureMiner, and custom-built .NET-based XMRig loaders. The final XMRig loader accessed a hardcoded URL to extract the mining configuration and launch the miner payload.
As recently seen in the FAUX#ELEVATE campaign, a legitimate, signed, and vulnerable Windows kernel driver, ‘WinRing0x64.sys’, is exploited to gain kernel-level hardware access and modify CPU settings to increase hash rate, thereby improving performance. The use of this driver has been observed in many cryptojacking campaigns over the years. This feature was added to the XMRig miner in December 2019.
Elastic said it has also identified another campaign leading to the deployment of SilentCryptoMiner. In addition to using direct system calls to evade detection, the miner also takes steps to disable Windows sleep and hibernation modes, set persistence through scheduled tasks, and use the “Winring0.sys” driver to fine-tune the CPU for mining operations.
Another notable component of this attack is the watchdog process that ensures that malicious artifacts and persistence mechanisms are restored if removed. This campaign is estimated to have generated 27.88 XMR ($9,392) across the four wallets tracked, indicating that this operation is delivering consistent financial returns to the attackers.
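The behaviours described above (PowerShell adding Defender exclusions, scheduled-task persistence, disabling sleep and hibernation, and loading the WinRing0 driver) are all visible in PowerShell script-block logging. The following is an added example, not code from Elastic or from the article, that triages such entries; the sample entries, rule names, paths and task names are constructed for the example, and the escalation threshold is an assumed heuristic.

```python
import re
from dataclasses import dataclass

# Constructed sample PowerShell script-block entries (not real telemetry); the
# paths, task name and service name are invented for this example.
SAMPLE_SCRIPTBLOCKS = [
    "Add-MpPreference -ExclusionPath 'C:\\Users\\Public\\Libraries' -ExclusionExtension '.exe'",
    "Start-Process -WindowStyle Hidden -FilePath 'C:\\Users\\Public\\Libraries\\loader.exe'",
    "Write-Host 'Unable to start the application. Your system may not meet the required specifications.'",
    "schtasks /create /sc minute /mo 5 /tn 'PlaceholderTask' /tr 'C:\\Users\\Public\\Libraries\\wd.exe' /f",
    "powercfg /hibernate off; powercfg /change standby-timeout-ac 0",
    "sc create PlaceholderSvc type= kernel binPath= 'C:\\Windows\\Temp\\WinRing0x64.sys'",
]

# One regex per behaviour the article attributes to the campaign. Rule names are
# hypothetical labels chosen for this example.
RULES = {
    "defender_exclusion": re.compile(r"Add-MpPreference\s+-Exclusion(Path|Process|Extension)", re.I),
    "scheduled_task_persistence": re.compile(r"schtasks(\.exe)?\s+/create|Register-ScheduledTask", re.I),
    "sleep_hibernate_tamper": re.compile(r"powercfg(\.exe)?\s+[/-](hibernate|h)\s+off", re.I),
    "winring0_driver": re.compile(r"WinRing0(x64)?\.sys", re.I),
}


@dataclass(frozen=True)
class Finding:
    line_no: int   # 1-based index into the scanned entries
    rule: str
    excerpt: str   # the matched text, for the analyst's queue


def scan(entries):
    """Return one Finding per (entry, rule) match, in log order."""
    return [
        Finding(n, name, m.group(0))
        for n, text in enumerate(entries, 1)
        for name, rx in RULES.items()
        if (m := rx.search(text))
    ]


def triage(entries):
    """Assumed heuristic: two or more distinct behaviours on one host match the
    combined exclusion + persistence + miner-tuning pattern, so escalate."""
    hits = scan(entries)
    rules = {h.rule for h in hits}
    return {"hits": hits, "rules": rules, "escalate": len(rules) >= 2}


if __name__ == "__main__":
    for f in triage(SAMPLE_SCRIPTBLOCKS)["hits"]:
        print(f"entry {f.line_no}: {f.rule} ({f.excerpt})")
```

Feed it the script-block text from your own logging pipeline in place of the constructed list; a single exclusion on its own is common admin activity, which is why the heuristic keys on the combination.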
“Beyond the C2 infrastructure, the attackers are exploiting GitHub as a payload delivery CDN, hosting staged binaries between two identified accounts,” Elastic said. “This technique moves the download and execution steps from operator-controlled infrastructure to a trusted platform, reducing discovery effort.”
