
Researchers Expose Mining Operations Using ISO Lures to Spread RATs and Crypto Miners

Ravie Lakshmanan | April 02, 2026 | Cryptomining / Malware

A financially motivated activity cluster tracked as REF1695 has been observed using fake installers to deliver remote access trojans (RATs) and cryptocurrency miners since November 2023.

“Apart from cryptomining, the threat actor monetizes infections through CPA (Cost Per Action) fraud, directing victims to content locker pages under the guise of software registration,” Elastic Security Labs researchers Jia Yu Chan, Cyril François, and Remco Sprooten said in an analysis published this week.

The latest iteration of the campaign was also found to deliver a previously undocumented .NET loader codenamed CNB Bot. The attack uses an ISO file as the infection vector, carrying a .NET Reactor-protected loader together with a text file that instructs the user to bypass Microsoft Defender SmartScreen, which blocks unrecognized applications, by clicking “More info” and then “Run anyway.”

The loader invokes PowerShell, which configures Microsoft Defender Antivirus exclusions so the malware stays under the radar, and then launches CNB Bot in the background. At the same time, the user is shown a decoy error message: “Cannot start the application. Your system may not meet the required specifications. Please contact support.”

CNB Bot functions as a loader that can download and run additional payloads, update them, remove them, and perform cleanup actions to cover its tracks. It communicates with its command-and-control (C2) server using HTTP POST requests.

Other campaigns mounted by the threat actor used the same ISO-based loaders to run PureRAT, PureMiner, and a .NET-based XMRig loader, the last of which fetches its mining configuration from a hard-coded URL before launching the miner.

As recently noted in the FAUX#ELEVATE campaign, “WinRing0x64.sys,” a legitimate, signed, and vulnerable Windows kernel driver, is being exploited to gain access to kernel-level hardware and alter CPU settings to increase hash rates, thereby allowing performance improvements. The use of a driver has been noted in many cryptojacking campaigns over the years. The functionality was added to XMRig miners in December 2019.

Elastic said it also identified another campaign that leads to the deployment of SilentCryptoMiner. Besides using direct system calls to evade detection, the miner takes steps to disable Windows Sleep and Hibernate modes, establishes persistence via scheduled tasks, and uses the “Winring0.sys” driver to tune the CPU for mining.
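The two behaviours the article singles out, PowerShell-driven Defender exclusions and the WinRing0 kernel driver being installed alongside hidden scheduled-task persistence, are both visible in ordinary Windows telemetry. The following is an added illustration (not Elastic's code and not part of the original article) of detection logic run over a handful of constructed log lines: a PowerShell ScriptBlock log, System event 7045 (service/driver installed) and Security event 4698 (scheduled task created). The line format `source|detail` and the sample values are assumptions made for the example.

```python
"""Detection logic for REF1695-style tradecraft (added example, not Elastic's code).

Scans constructed log lines for three signals described in the article:
  * Defender tampering via Add-MpPreference / Set-MpPreference from PowerShell
  * installation of the WinRing0 kernel driver as a service
  * a hidden PowerShell launch registered as a scheduled task
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample telemetry in "source|detail" form (assumed format, not real logs).
SAMPLE_LOGS = [
    "PowerShell ScriptBlock|Add-MpPreference -ExclusionPath 'C:\\Users\\Public\\Libraries'",
    "PowerShell ScriptBlock|Set-MpPreference -DisableRealtimeMonitoring $true",
    "PowerShell ScriptBlock|Get-MpPreference | Select-Object ExclusionPath",   # benign read
    "PowerShell ScriptBlock|Get-Process | Where-Object { $_.CPU -gt 10 }",     # benign
    "System 7045|A service was installed in the system. Service Name: WinRing0_1_2_0 "
    "Service File Name: C:\\Users\\Public\\WinRing0x64.sys",
    "System 7045|A service was installed in the system. Service Name: Sense "
    "Service File Name: C:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense.exe",
    "Security 4698|A scheduled task was created. Task Name: \\Updater "
    "Task Content: powershell.exe -w hidden -ep bypass -f C:\\Users\\Public\\u.ps1",
]


@dataclass(frozen=True)
class Finding:
    rule: str
    line: str


# (rule name, pattern); every pattern is matched case-insensitively.
RULES = [
    ("defender_exclusion_added",
     re.compile(r"Add-MpPreference\s+.*-Exclusion(Path|Process|Extension)", re.I)),
    ("defender_feature_disabled",
     re.compile(r"Set-MpPreference\s+.*-Disable\w+\s+\$?true", re.I)),
    ("winring0_driver_installed",
     re.compile(r"7045\|.*Service File Name:\s*\S*winring0\S*\.sys", re.I)),
    ("hidden_powershell_task",
     re.compile(r"4698\|.*powershell(\.exe)?\b.*-w(indowstyle)?\s+hidden", re.I)),
]


def scan(lines: List[str]) -> List[Finding]:
    """Return one Finding per (line, rule) match, in log order."""
    findings: List[Finding] = []
    for line in lines:
        for name, pattern in RULES:
            if pattern.search(line):
                findings.append(Finding(name, line))
    return findings


def summarize(lines: List[str]) -> Dict[str, int]:
    """Count hits per rule; only rules that fired appear in the result."""
    counts: Dict[str, int] = {}
    for finding in scan(lines):
        counts[finding.rule] = counts.get(finding.rule, 0) + 1
    return counts


if __name__ == "__main__":
    for f in scan(SAMPLE_LOGS):
        print(f"[{f.rule}] {f.line}")
    print(summarize(SAMPLE_LOGS))
```

Each rule on its own is noisy in an enterprise (administrators do add exclusions), so in practice the value lies in correlating them per host and in time: a Defender exclusion added from a user-writable path, followed minutes later by a 7045 for a driver in that same path, is the sequence the article describes and is rare in legitimate activity.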

Another notable part of the attack is a watchdog process that re-creates the malicious artifacts and persistence mechanisms if they are removed. The campaign is estimated to have collected 27.88 XMR ($9,392) across the four tracked wallets, indicating that the operation brings the attacker a consistent financial return.

“Besides the C2 infrastructure, the threat actor abuses GitHub as a CDN for payload delivery, hosting edited binaries on two identified accounts,” Elastic said. “This moves the download step from infrastructure controlled by the operator to a trusted location, reducing the friction of acquisition.”
