A sophisticated and prolonged malware campaign, identified as REF1695, has been actively deceiving users into downloading fake software installers. These deceptive applications secretly deploy potent remote access trojans (RATs) and Monero cryptocurrency miners, operating undetected for at least two years. The financially motivated threat actor behind this operation has been consistently evolving its tactics, updating its malware arsenal, and leveraging a shared command-and-control (C2) infrastructure, all while maintaining a low profile.
The campaign’s longevity and adaptability are particularly concerning to cybersecurity experts who have been monitoring its activities. Elastic Security Labs researchers were instrumental in uncovering the multi-faceted nature of this threat, tracing its origins back to November 2023 and identifying four distinct variants. Each iteration showcased a different combination of malicious payloads, including PureRAT, CNB Bot, PureMiner, a custom XMRig loader, AsyncRAT, PulsarRAT, and SilentCryptoMiner. This consistent evolution, coupled with overlapping C2 infrastructure, strongly indicates a single, persistent operator.
Inside the Infection Chain and Evolving Tactics
The attack vector for REF1695 consistently begins with a user downloading and executing a file that masquerades as a legitimate software installer. In its most recent iterations, this malicious installer has been distributed within an ISO image file. Upon execution, the user is presented with a seemingly typical installation process, which may include a progress bar or a fabricated error message citing missing system requirements. This elaborate ruse is designed to keep the victim engaged and oblivious as the malware silently executes in the background.
Once initiated, the malware takes deliberate steps to evade detection. A key step in its infection chain is adding its own files and critical system directories to Microsoft Defender’s exclusion list, so that the built-in antivirus no longer scans those locations and the malicious software runs unexamined. The campaign then deploys a .NET implant, such as the newly documented CNB Bot, which establishes persistent communication with its C2 server through a scheduled Windows task. To keep the implant under the operator’s exclusive control, commands it receives must pass an RSA-2048 signature check, so that only instructions signed by the operator are executed.
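The two host-side behaviours described above, Defender exclusions covering system or user-writable directories and a scheduled task whose binary lives in one of those excluded directories, are both visible in ordinary endpoint telemetry. The following Python is an added example, not code from the report or from Elastic Security Labs, showing one way a defender could flag them. The event IDs 4104 (PowerShell script block), 5007 (Defender configuration changed) and 4698 (scheduled task created) are real Windows event IDs, but the record layout, field names, sample values and severity thresholds are constructed for the example.

```python
import re
from typing import Iterable

# Constructed sample telemetry (not from the report): simplified records of
# three Windows event sources a SIEM commonly collects. Event IDs 4104
# (PowerShell script block), 5007 (Defender configuration changed) and
# 4698 (scheduled task created) are real; the field layout is simplified.
SAMPLE_EVENTS = [
    {"event_id": 4104, "script":
     r"Add-MpPreference -ExclusionPath 'C:\Windows', 'C:\Users\alice\AppData\Roaming\svc'"},
    {"event_id": 5007, "message":
     r"Configuration changed. New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows = 0x0"},
    {"event_id": 4698, "task_name": r"\Updater",
     "command": r"C:\Users\alice\AppData\Roaming\svc\svc.exe"},
    {"event_id": 4698, "task_name": r"\Microsoft\Windows\Backup\Nightly",
     "command": r"C:\Program Files\Backup\backup.exe"},
    {"event_id": 4104, "script": "Get-MpPreference"},
]

# A drive root, the Windows directory (or anything below it) or the whole
# Users tree as an exclusion is almost never a legitimate configuration.
BROAD_EXCLUSION = re.compile(r"^[a-z]:(?:\\(?:windows(?:\\.*)?|users)?)?$", re.I)
# User-writable drop locations that malware typically excludes for itself.
USER_WRITABLE = re.compile(r"\\(?:appdata|temp|programdata|users\\public)\\", re.I)


def exclusions_from_event(ev: dict) -> list:
    """Extract excluded paths from a 4104 script block or a 5007 Defender message."""
    if ev["event_id"] == 4104:
        m = re.search(r"-ExclusionPath\s+([^\r\n;|]+)", ev["script"], re.I)
        if not m:
            return []
        return [p.strip().strip("'\"") for p in m.group(1).split(",") if p.strip()]
    if ev["event_id"] == 5007:
        m = re.search(r"Exclusions\\Paths\\(.+?)\s*=", ev["message"])
        return [m.group(1).strip()] if m else []
    return []


def analyze(events: Iterable[dict]) -> list:
    """Return deduplicated findings. Exclusions are collected first so that a
    scheduled task can be escalated when it runs from an excluded directory."""
    events = list(events)
    excluded = set()
    findings = []
    seen = set()

    def add(severity, rule, path, **extra):
        key = (rule, path.lower())
        if key not in seen:
            seen.add(key)
            findings.append({"severity": severity, "rule": rule, "path": path, **extra})

    for ev in events:
        for path in exclusions_from_event(ev):
            clean = path.rstrip("\\")
            excluded.add(clean.lower())
            if BROAD_EXCLUSION.match(clean):
                add("high", "broad_defender_exclusion", path)
            elif USER_WRITABLE.search(path + "\\"):
                add("medium", "user_writable_defender_exclusion", path)

    for ev in events:
        if ev["event_id"] != 4698:
            continue
        cmd = ev["command"]
        if any(cmd.lower().startswith(p + "\\") for p in excluded):
            add("high", "scheduled_task_in_excluded_dir", cmd, task=ev["task_name"])
        elif USER_WRITABLE.search(cmd):
            add("medium", "scheduled_task_in_user_writable_dir", cmd, task=ev["task_name"])
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

The two-pass structure matters: the same `C:\Windows` exclusion appears once as the PowerShell command and once as Defender's own configuration-change event, so findings are keyed on rule and normalised path to avoid double counting, and the task rule only reaches its high severity once the set of excluded directories is complete.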
One of the most notable stealth techniques employed by this threat actor is a custom XMRig loader. This component actively monitors the system for the presence of specific security and monitoring tools. The moment any of these tools are detected, the miner automatically shuts down, reverting CPU usage to normal levels. This clever evasion tactic allows the cryptocurrency mining to resume covertly once the user is no longer actively monitoring their system or has closed the suspicious application. This dynamic adjustment ensures prolonged, undetected mining operations.
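The pause-when-watched behaviour leaves a telemetry signature of its own: a process whose CPU consumption collapses whenever a monitoring tool is running and recovers as soon as it exits. The following Python is an added example, not code from the report or from Elastic Security Labs, implementing that heuristic over per-process CPU samples and process start/stop events. The list of monitoring tools, the sample telemetry and the thresholds are constructed assumptions for the example; a real deployment would tune them against the host's normal workload.

```python
from collections import defaultdict
from math import inf

# Process images treated as "monitoring tools" for this heuristic.
# This set is a constructed assumption for the example.
MONITOR_TOOLS = {"taskmgr.exe", "procexp.exe", "procexp64.exe", "procmon.exe", "perfmon.exe"}

# Constructed telemetry: per-process CPU samples (seconds, image, cpu %) taken
# every 10 s, and process start/stop events (seconds, action, image).
# svc.exe is the constructed suspect; chrome.exe is constant background load.
CPU_SAMPLES = [
    (0, "svc.exe", 88), (0, "chrome.exe", 20),
    (10, "svc.exe", 91), (10, "chrome.exe", 20),
    (20, "svc.exe", 90), (20, "chrome.exe", 20),
    (30, "svc.exe", 89), (30, "chrome.exe", 20),
    (40, "svc.exe", 92), (40, "chrome.exe", 20),
    (50, "svc.exe", 1), (50, "chrome.exe", 20), (50, "taskmgr.exe", 3),
    (60, "svc.exe", 2), (60, "chrome.exe", 20), (60, "taskmgr.exe", 3),
    (70, "svc.exe", 3), (70, "chrome.exe", 20), (70, "taskmgr.exe", 3),
    (80, "svc.exe", 90), (80, "chrome.exe", 20),
    (90, "svc.exe", 89), (90, "chrome.exe", 20),
    (100, "svc.exe", 91), (100, "chrome.exe", 20),
]
PROC_EVENTS = [
    (45, "start", "taskmgr.exe"),
    (75, "stop", "taskmgr.exe"),
]


def monitor_windows(events):
    """Collapse start/stop events of monitoring tools into [start, end] intervals
    during which at least one such tool was running."""
    active = set()
    windows = []
    opened = None
    for t, action, image in sorted(events):
        name = image.lower()
        if name not in MONITOR_TOOLS:
            continue
        if action == "start":
            if not active:
                opened = t
            active.add(name)
        elif action == "stop":
            active.discard(name)
            if not active and opened is not None:
                windows.append((opened, t))
                opened = None
    if opened is not None:  # a tool was still running when telemetry ended
        windows.append((opened, inf))
    return windows


def detect_monitor_aware(samples, events, min_busy=50.0, drop_ratio=0.2, min_samples=2):
    """Return processes whose mean CPU while a monitoring tool is visible is at
    most drop_ratio times their mean CPU while none is, provided the unmonitored
    mean is at least min_busy percent and both phases have enough samples."""
    windows = monitor_windows(events)

    def watched(t):
        return any(a <= t <= b for a, b in windows)

    buckets = defaultdict(lambda: {"watched": [], "unwatched": []})
    for t, image, cpu in samples:
        if image.lower() in MONITOR_TOOLS:
            continue  # the monitoring tool's own CPU is not of interest
        buckets[image]["watched" if watched(t) else "unwatched"].append(cpu)

    hits = {}
    for image, b in buckets.items():
        if len(b["watched"]) < min_samples or len(b["unwatched"]) < min_samples:
            continue
        busy = sum(b["unwatched"]) / len(b["unwatched"])
        quiet = sum(b["watched"]) / len(b["watched"])
        if busy >= min_busy and quiet <= drop_ratio * busy:
            hits[image] = {"unmonitored_mean": busy, "monitored_mean": quiet}
    return hits


if __name__ == "__main__":
    for image, stats in detect_monitor_aware(CPU_SAMPLES, PROC_EVENTS).items():
        print(image, stats)
```

Requiring a minimum number of samples in both phases keeps a single coincidental dip from triggering the rule, and the `min_busy` floor excludes processes that were never consuming enough CPU to be a miner in the first place.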
Beyond Mining: The Financial Motivation
While the deployment of Monero miners clearly indicates a cryptocurrency theft objective, the threat actor’s financial motivations extend further. The campaign also engages in Cost Per Action (CPA) fraud. Infected systems are redirected to spoofed registration pages designed to trick users into completing online surveys or signing up for various services. For each successful completion, the attacker earns a small commission. This dual approach of cryptocurrency mining and CPA fraud demonstrates a multifaceted strategy for generating revenue.
At the time of analysis, researchers had identified four Monero wallets associated with the campaign, collectively accumulating over 27.88 XMR, equating to approximately $9,392. This figure is expected to grow as the campaign continues its sustained operation. The consistent use of packing techniques such as Themida, WinLicense, and .NET Reactor across all variants, combined with the overlapping command-and-control infrastructure, further solidifies the attribution to a single, highly organized financially motivated group.
The continuous abuse of trusted platforms, including GitHub, for hosting malicious payloads underscores the attacker’s resourcefulness and commitment to maintaining the campaign. This strategic use of legitimate services makes it more challenging for security defenses to distinguish between benign and malicious traffic.
Implications and Future Outlook
The prolonged nature and sophistication of REF1695 underscore a significant threat to individual users and potentially organizations that may not have robust endpoint detection and response (EDR) solutions in place. The reliance on social engineering and deceptive installer practices means that even vigilant users can fall victim if they are not consistently educated about the latest cyber threats and remain cautious about software downloads from unofficial sources.
The continuous updates and tool swapping indicate that the threat actor is actively adapting to defensive measures. Future iterations of this campaign may introduce new evasion techniques or target different types of software for distribution. The ongoing financial gains suggest that this operation is likely to continue for the foreseeable future, posing a persistent risk to internet users worldwide. Enhanced vigilance and updated security protocols across endpoints and networks are crucial to mitigating the impact of such evolving malware campaigns.