The Structure of the REF1695 Campaign
The operation codenamed REF1695 employs a sophisticated method to distribute remote access trojans (RATs) and cryptocurrency miners. By disguising malicious software as fake installers, the campaign exploits user trust to initiate infection. ISO files serve as the primary infection vector: each contains a .NET Reactor-protected loader and a text file instructing users to bypass Microsoft Defender SmartScreen protections. This layered strategy improves the attackers' chances of success by circumventing standard security measures.
Once activated, the loader executes a sequence of malicious processes, including invoking PowerShell scripts. These scripts are programmed to configure exclusions in Microsoft Defender Antivirus, allowing the malware to operate undetected. The campaign also employs social engineering tactics, such as error messages, to mislead users into thinking the application failed to execute due to system incompatibility.
Introduction of the CNB Bot Implant
A notable addition to the REF1695 campaign is the deployment of a previously undocumented .NET implant known as CNB Bot. This malware functions as a versatile loader capable of downloading and executing additional payloads. It can also update itself and perform cleanup actions to erase traces of its presence on the infected system. These capabilities make CNB Bot a resilient and adaptable tool for maintaining long-term control over compromised devices.
Communication between CNB Bot and its command-and-control (C2) server is facilitated via HTTP POST requests. This method allows the attackers to issue commands or retrieve updates without drawing significant attention. The modular design of CNB Bot highlights its efficiency in supporting various malicious activities, including cryptomining and further malware dissemination.
Monetization Through CPA Fraud
Beyond cryptomining, REF1695 incorporates Cost-Per-Action (CPA) fraud to diversify its revenue streams. This involves redirecting victims to content locker pages under the guise of software registration. Such fraudulent schemes exploit user engagement, generating income for the attackers without requiring substantial technical effort. The combination of cryptomining and CPA fraud underlines the financial motivation driving the campaign.
By employing multiple monetization strategies, REF1695 ensures a steady stream of revenue. This dual approach also complicates detection and mitigation efforts, as it requires security teams to address both malware infections and fraudulent redirections simultaneously.
Exploitation of Legitimate Software for Cryptomining
Another key aspect of the campaign is the use of legitimate but vulnerable software to enhance cryptomining efficiency. Specifically, the attackers abuse WinRing0x64.sys, a signed Windows kernel driver, to gain kernel-level access. This access allows them to modify CPU settings and optimize hash rates, thereby increasing the profitability of their cryptomining operations.
This technique was first introduced to XMRig miners in December 2019 and has since become a common feature in cryptojacking campaigns. The use of legitimate drivers adds a layer of complexity to detection and remediation efforts, as it blurs the line between malicious activity and legitimate system processes.
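Two host-side artefacts described above lend themselves to detection: the Defender exclusions added through PowerShell, and the installation of the WinRing0x64.sys driver. The following is an added example, not code from the original report or from any vendor, that runs simple rules over constructed Windows event records; event IDs 4104 (PowerShell script block), 5007 (Defender configuration change) and 7045 (service installed) are real Windows event IDs, while the sample messages, rule names and paths are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample events modelled on Windows event IDs 4104, 5007 and 7045.
# Paths, service names and values are illustrative, not captured from REF1695.
SAMPLE_EVENTS = [
    {"id": 4104, "msg": "Creating Scriptblock text: Add-MpPreference "
                        "-ExclusionPath 'C:\\Users\\Public\\app' -ExclusionProcess 'app.exe'"},
    {"id": 5007, "msg": "Microsoft Defender Antivirus Configuration has changed. New value: "
                        "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\C:\\Users\\Public\\app = 0x0"},
    {"id": 7045, "msg": "A service was installed in the system. Service Name: WinRing0_1_2_0 "
                        "Service File Name: C:\\Users\\Public\\app\\WinRing0x64.sys Service Type: kernel mode driver"},
    {"id": 4104, "msg": "Creating Scriptblock text: Get-ChildItem C:\\Temp"},
    {"id": 7045, "msg": "A service was installed in the system. Service Name: Spooler "
                        "Service File Name: C:\\Windows\\System32\\spoolsv.exe Service Type: user mode service"},
]

# Each rule: (name, event ID it applies to, pattern that must appear in the message).
RULES = [
    ("defender_exclusion_via_powershell", 4104,
     re.compile(r"Add-MpPreference\s[^\n]*-Exclusion(Path|Process|Extension)", re.I)),
    ("defender_exclusion_registry_change", 5007,
     re.compile(r"Windows Defender\\Exclusions\\(Paths|Processes|Extensions)\\", re.I)),
    ("winring0_driver_installed", 7045,
     re.compile(r"WinRing0\w*\.sys", re.I)),
]

@dataclass(frozen=True)
class Hit:
    rule: str
    event_id: int
    evidence: str  # the matched fragment, kept for the analyst

def scan_events(events):
    """Return a Hit for every (event, rule) pair where the rule's event ID and pattern match."""
    hits = []
    for ev in events:
        for name, wanted_id, pattern in RULES:
            if ev["id"] != wanted_id:
                continue
            m = pattern.search(ev["msg"])
            if m:
                hits.append(Hit(name, wanted_id, m.group(0)))
    return hits

if __name__ == "__main__":
    for h in scan_events(SAMPLE_EVENTS):
        print(f"[{h.rule}] event {h.event_id}: {h.evidence}")
```

In a real deployment the same rules would be applied to events pulled from the Microsoft-Windows-PowerShell/Operational, Microsoft-Windows-Windows Defender/Operational and System logs rather than to the constructed list.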
Implications for Cybersecurity
The methods employed by REF1695 emphasize the importance of implementing robust cybersecurity measures. Organizations must prioritize endpoint protection and ensure that antivirus software is not easily bypassed. Educating users about the risks of downloading unverified software and bypassing security warnings is equally crucial in mitigating such threats.
Moreover, the modular nature of tools like CNB Bot demands continuous monitoring and threat intelligence to identify and neutralize emerging malware variants. Security teams must also be prepared to address the dual challenges of cryptomining and CPA fraud, as both contribute to the financial success of campaigns like REF1695.