Bogus installers facilitate RAT, cryptominer spread in long-running operation

Threat operation REF1695 has been using counterfeit installers to run multiple attack campaigns delivering remote access trojans and cryptocurrency mining malware since November 2023, reports The Hacker News. While the most recent campaigns involved a fake ISO file that distributed a .NET Reactor-protected loader and a text file, leading to the eventual deployment of the CNB Bot implant, which permits further payload injections, REF1695 also leveraged ISO lures to spread the PureMiner and PureRAT payloads, as well as a custom .NET-based XMRig loader, according to Elastic Security Labs researchers. REF1695 was also discovered to have used similar lures to disseminate SilentCryptoMiner, which maintains stealth by using direct system calls and deactivating Windows Sleep and Hibernate modes.

"Beyond the C2 infrastructure, the threat actor abuses GitHub as a payload delivery CDN, hosting staged binaries across two identified accounts. This technique shifts the download-and-execute step away from operator-controlled infrastructure to a trusted platform, reducing detection friction," said the researchers.
