REF1695 Campaign Spreads RATs and Cryptominers via Fake Software Installers

REF1695 Threat Actor Uses Bogus Installers on GitHub to Distribute RATs and Cryptominers

MEDIUM
April 3, 2026
4m read
Malware, Threat Actor, Phishing

Related Entities

Threat Actors

REF1695

Organizations

Products & Tech

.NET Reactor

Other

PureMiner, PureRAT, CNB Bot, SilentCryptoMiner, XMRig, GitHub

Full Report

Executive Summary

Security researchers at Elastic Security Labs have detailed a multi-faceted malware distribution campaign by a threat actor tracked as REF1695. Active since at least November 2023, the operation uses malicious ISO files disguised as legitimate software installers to infect victims. These fake installers deploy a range of malware: the PureRAT remote access trojan and the related PureMiner, the CNB Bot implant used to stage further payloads, and cryptocurrency miners such as SilentCryptoMiner and XMRig. A key tactic of the campaign is its abuse of GitHub as a trusted content delivery network (CDN) to host and deliver its malicious binaries, which makes the download traffic look legitimate and harder to block on reputation alone.

Threat Overview

REF1695 is a financially motivated threat operation that deploys Remote Access Trojans (RATs) for system control and cryptominers for resource hijacking. The primary infection vector is social engineering: users are lured into downloading and mounting malicious ISO files that masquerade as popular software.

  • Initial Access: The attack begins when a user downloads a fake software installer, typically packaged as an ISO file (T1566.001 - Spearphishing Attachment when it arrives by e-mail; T1204.002 - User Execution: Malicious File when the user fetches it from a download site). Mounting the ISO reveals a malicious loader.
  • Execution & Obfuscation: The loader is often protected with commercial packers such as .NET Reactor to hinder analysis (T1027.002 - Obfuscated Files or Information: Software Packing). The loader acts as a dropper for the main payloads.
  • Payload Delivery: The campaign uses GitHub as a payload distribution CDN (T1608.001 - Stage Capabilities: Upload Malware; T1105 - Ingress Tool Transfer). Because the binaries are hosted on a legitimate, widely trusted platform, the download traffic is more likely to pass network security controls that rely on domain or IP reputation.
  • Impact: The deployed malware varies. PureRAT gives the attacker full remote control over the victim's machine. CNB Bot is a modular implant that can inject additional payloads. Cryptominers such as SilentCryptoMiner and XMRig hijack the victim's CPU/GPU resources to mine cryptocurrency (T1496 - Resource Hijacking), causing performance degradation and increased electricity costs.

Technical Analysis

ISO files are a popular way to sidestep Mark-of-the-Web (MOTW) controls in Windows. The downloaded ISO itself carries the Zone.Identifier stream, but historically the files inside it, once mounted, did not inherit it, so SmartScreen and other MOTW-triggered warnings never fired. Microsoft changed this in its November 2022 Windows updates so that MOTW is propagated to the contents of a downloaded ISO on patched systems; the bypass still works on unpatched hosts, and an ISO obtained without MOTW in the first place (for example copied over SMB) has nothing to propagate. Whether a given file carries the mark can be checked with Get-Item <file> -Stream Zone.Identifier in PowerShell. The REF1695 actor's reliance on GitHub is a strategic choice: it offloads infrastructure to a reputable service, so defenders cannot block the downloads on IP or domain reputation alone.

The SilentCryptoMiner payload is noteworthy for its evasion techniques, including direct system calls to bypass user-mode EDR hooks and the ability to disable Windows Sleep and Hibernate modes so that mining never pauses. SilentCryptoMiner is a publicly available miner project, so these features come with the tooling rather than being custom-built, but they still show an operation tuned to maximise profit while minimising the chance of detection.

Impact Assessment

The primary impact of the REF1695 campaign is financial, both directly for the attacker (through cryptomining) and indirectly for the victim (through increased power consumption and system degradation). However, the deployment of PureRAT and CNB Bot presents a much greater risk. These RATs give the attacker complete control over the compromised system, allowing them to steal sensitive data, install keyloggers, deploy ransomware, or use the machine as a pivot point for further attacks into the victim's network. An infection can quickly escalate from a simple resource hijacking incident to a full-blown data breach.

Cyber Observables for Detection

  • Network Traffic: Monitor for outbound connections to raw.githubusercontent.com and objects.githubusercontent.com (where release assets are served) from unusual processes. GitHub is legitimate, but a process that is neither a browser nor a developer tool making these connections is suspicious.
  • Process Activity: Look for processes associated with cryptomining, such as xmrig.exe, and for command lines carrying miner arguments (pool addresses, --donate-level). Also monitor for high, sustained CPU usage from unexpected processes.
  • File Artifacts: ISO files (.iso) used as a delivery mechanism are a key observable. Monitor for the download of ISO files from untrusted sources (a Zone.Identifier stream written to a .iso, Sysmon Event ID 15) and for processes whose image sits on a newly mounted drive letter with explorer.exe as the parent.
  • Persistence: The malware may create scheduled tasks or registry Run keys to maintain persistence. Monitor common persistence locations for new, suspicious entries, particularly values pointing into user-writable paths such as AppData or Temp.

Detection & Response

  • Endpoint Monitoring: Use EDR to detect the execution of binaries from mounted ISO files. Create alerts for high CPU usage that persists for long periods, which is a strong indicator of cryptomining. D3FEND's Process Analysis can identify the miner processes.
  • Network Egress Filtering: While blocking all of GitHub is not feasible for many organizations, it is possible to restrict access to it. Monitor and alert on non-browser and non-developer tool processes connecting to github.com or its subdomains. D3FEND's Outbound Traffic Filtering can be tuned to spot these anomalies.
  • User Training: Educate users about the dangers of downloading software from unofficial sources. Emphasize that even legitimate-looking installers can be malicious.
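The observables listed under Cyber Observables for Detection and the Endpoint Monitoring item above, expressed as detection logic. This is an added example written for this page, not code from Elastic Security Labs or from the REF1695 tooling. It runs over constructed Sysmon-style events (field names follow Sysmon's schema for Event IDs 1, 13 and 15; every value is made up) and a constructed per-minute CPU series. FIXED_DRIVES, the miner name and argument patterns, and the 85 % / 30-sample CPU threshold are assumptions to tune per environment.

```python
"""Endpoint observables for a REF1695-style fake-installer infection (added example)."""
import re

# Assumption: the host's fixed disks. Any other drive letter is removable media or a mounted image.
FIXED_DRIVES = {"C:"}
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|ProgramData)\\", re.I)
MINER_NAMES = {"xmrig.exe", "xmrig-notls.exe"}
# Typical miner command-line tells: donation flag, stratum pool URL, coin selection, "-o host:port".
MINER_ARGS = re.compile(r"--donate-level|stratum\+(tcp|ssl)://|--coin[= ]|\s-o\s+\S+:\d+", re.I)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)


def drive_of(path: str) -> str:
    """'E:\\Setup.exe' -> 'E:'; UNC and relative paths -> ''."""
    return path[:2].upper() if re.match(r"^[A-Za-z]:", path) else ""


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, subject) pairs for every event that matches one of the observables."""
    alerts = []
    for e in events:
        eid = e["EventID"]
        if eid == 15:  # FileCreateStreamHash: a named stream (Zone.Identifier for downloads) was written
            target = e["TargetFilename"]
            if target.lower().endswith(".iso") and "ZoneId=3" in e.get("Contents", ""):
                alerts.append(("iso_downloaded_from_internet", target))
        elif eid == 1:  # ProcessCreate
            image, parent = e["Image"], e.get("ParentImage", "")
            drive = drive_of(image)
            if drive and drive not in FIXED_DRIVES and basename(parent) == "explorer.exe":
                alerts.append(("execution_from_mounted_image", image))
            if basename(image) in MINER_NAMES or MINER_ARGS.search(e.get("CommandLine", "")):
                alerts.append(("cryptominer_process", image))
        elif eid == 13 and e.get("EventType") == "SetValue" and RUN_KEY.search(e["TargetObject"]):
            writer = e["Image"]  # RegistryEvent: who wrote the Run value, and what it points at
            writer_suspicious = drive_of(writer) not in FIXED_DRIVES or USER_WRITABLE.search(writer)
            value_suspicious = USER_WRITABLE.search(e.get("Details", ""))
            if writer_suspicious or value_suspicious:
                alerts.append(("run_key_persistence", e["TargetObject"]))
    return alerts


def sustained_cpu(samples, threshold=85.0, min_samples=30):
    """True if at least min_samples consecutive readings (e.g. one per minute) are at or above threshold."""
    run = 0
    for pct in samples:
        run = run + 1 if pct >= threshold else 0
        if run >= min_samples:
            return True
    return False


# Constructed sample events; every value here is invented for this example.
SAMPLE_EVENTS = [
    {"EventID": 15, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\Editor_Pro_Setup.iso",
     "Contents": "[ZoneTransfer] ZoneId=3 HostUrl=https://downloads.example.invalid/Editor_Pro_Setup.iso"},
    {"EventID": 13, "EventType": "SetValue", "Image": r"C:\Program Files\Example\setup.exe",  # benign installer
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ExampleAgent",
     "Details": r"C:\Program Files\Example\agent.exe"},
    {"EventID": 1, "Image": r"E:\Setup.exe", "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": r"E:\Setup.exe"},
    {"EventID": 13, "EventType": "SetValue", "Image": r"E:\Setup.exe",
     "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdateSvc",
     "Details": r"C:\Users\alice\AppData\Roaming\svchost\svchost.exe"},
    {"EventID": 1, "Image": r"C:\Users\alice\AppData\Roaming\svchost\xmrig.exe", "ParentImage": r"E:\Setup.exe",
     "CommandLine": "xmrig.exe -o pool.example.invalid:3333 -u 4AexampleWalletAddress --donate-level 0 -k"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for rule, subject in detect(SAMPLE_EVENTS):
        print(f"{rule:30} {subject}")
    # 45 consecutive one-minute readings at 97% trips the 30-sample threshold
    print("sustained cpu:", sustained_cpu([40.0] * 5 + [97.0] * 45 + [30.0] * 5))
```

Run as-is it reports the four stages of the sample chain (ISO download, execution from the mounted image, Run-key persistence written by that image, miner process) and ignores the benign installer's Run-key write because both the writer and the value it points at live under Program Files. Each rule on its own is noisy; the value is in seeing them fire on the same host in sequence.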

Mitigation

  • Application Control: Implement application control policies to prevent the execution of unauthorized software. This is the most effective way to stop users from running fake installers and aligns with M1038 - Execution Prevention.
  • Block ISO Mounting: Where disk-image mounting is not needed for business, use a Group Policy Object (GPO) to change the default handler for .iso files away from File Explorer's built-in mount. Note that disabling AutoPlay only suppresses the prompt shown after a volume is mounted; it does not stop the double-click mount itself. Either way, the added friction can disrupt the attack chain.
  • Endpoint Protection: Keep antivirus and EDR solutions up to date. Many of the payloads, such as XMRig, are well known, so signature-based detection can catch the final payload even when the loader is obfuscated.

Timeline of Events

1. November 1, 2023: The REF1695 campaign is first observed to be active.
2. April 3, 2026: This article was published.

MITRE ATT&CK Mitigations

  • Using application control to prevent users from running unauthorized installers downloaded from the internet is a highly effective mitigation.
  • Educating users on the dangers of downloading and running software from untrusted sources can help prevent the initial infection.
  • Keeping endpoint security software up to date can help detect and block known payloads such as XMRig, even if the initial loader is novel.

D3FEND Defensive Countermeasures

To combat campaigns like REF1695 that rely on users running fake installers, executable allowlisting is a powerful preventative control. Using a tool like Windows Defender Application Control (WDAC), administrators can create a policy that only permits signed executables from trusted publishers to run. This would block the malicious, unsigned loaders found inside the ISO files used by REF1695. For environments with developers, policies can be configured to allow specific unsigned code in designated development folders while maintaining strict enforcement everywhere else. This mitigation shifts the security posture from default-allow (blocklist) to default-deny (allowlist), which is far more effective at stopping novel and socially engineered malware before it can execute. Two caveats: roll the policy out in audit mode first and review the blocked-execution events before enforcing, or legitimate business applications will break; and publisher rules should name specific publishers rather than trusting any valid signature, since attackers do obtain or steal code-signing certificates.

To detect REF1695's abuse of GitHub, security teams must perform context-aware network traffic analysis. Since blocking GitHub entirely is impractical, the focus should be on which process is talking to it. Create detection rules that alert when non-standard processes make outbound connections to raw.githubusercontent.com or objects.githubusercontent.com (where release assets are served). For example, a connection from winword.exe, or from a randomly named process running out of C:\Users\<user>\AppData\Local\Temp\, is highly suspicious. Baseline normal GitHub traffic from legitimate developer tools (e.g., git.exe) and IDEs, then alert on deviations. Furthermore, monitor proxy logs for downloads of executable file types (.exe, .dll, .ps1) from GitHub by any process other than an approved software management tool. This lets the security team spot the payload download stage of the REF1695 attack chain.
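The context-based GitHub detection described in the paragraph above (and the Network Egress Filtering item under Detection & Response), as an added example that is not part of the original page or of Elastic's report. It scores constructed Sysmon Event ID 3-style connection records and constructed web-proxy lines. The baseline of processes expected to reach GitHub, the list of approved software-management tools allowed to fetch executables, the Office/LOLBin list, and the proxy line layout (fields separated by |) are all assumptions; build the real baseline from your own telemetry.

```python
"""Context scoring for GitHub connections and downloads (added example)."""
import re
from urllib.parse import urlparse

GITHUB_HOSTS = {"github.com"}
GITHUB_SUFFIXES = (".github.com", ".githubusercontent.com")
# Assumed baseline: processes with a legitimate reason to reach GitHub. Build yours from real telemetry.
BASELINE_PROCESSES = {"git.exe", "gh.exe", "code.exe", "devenv.exe", "winget.exe",
                      "chrome.exe", "msedge.exe", "firefox.exe"}
# Assumed: software-management tools allowed to pull executable content from GitHub.
EXECUTABLE_FETCHERS = {"winget.exe", "choco.exe", "git.exe"}
OFFICE_AND_LOLBINS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "mshta.exe",
                      "wscript.exe", "cscript.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}
EXEC_EXT = re.compile(r"\.(exe|dll|ps1|msi|bat|cmd|vbs|scr|iso)$", re.I)
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|ProgramData|Users\\Public)\\", re.I)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_github(host):
    """Exact github.com or any github.com / githubusercontent.com subdomain; look-alikes do not match."""
    host = (host or "").lower().rstrip(".")
    return host in GITHUB_HOSTS or host.endswith(GITHUB_SUFFIXES)


def score_connection(event):
    """Sysmon Event ID 3-style record (Image, DestinationHostname). Empty list means nothing to flag."""
    host = event.get("DestinationHostname", "")
    if not is_github(host):
        return []
    image = event["Image"]
    proc = basename(image)
    reasons = []
    if proc not in BASELINE_PROCESSES:
        reasons.append(f"non-baseline process {proc} -> {host}")
    if USER_WRITABLE.search(image):
        reasons.append(f"process image in user-writable path: {image}")
    if proc in OFFICE_AND_LOLBINS:
        reasons.append(f"Office/LOLBin process reaching GitHub: {proc}")
    return reasons


def score_proxy_line(line):
    """Constructed proxy format 'ts|user|process|method|url|status' (the layout is an assumption)."""
    _ts, _user, proc_path, _method, url, _status = line.split("|")
    parsed = urlparse(url)
    if not is_github(parsed.hostname):
        return []
    proc = basename(proc_path)
    reasons = []
    if EXEC_EXT.search(parsed.path) and proc not in EXECUTABLE_FETCHERS:
        reasons.append(f"{proc} fetched executable content {parsed.path.rsplit('/', 1)[-1]} from {parsed.hostname}")
    if proc not in BASELINE_PROCESSES:
        reasons.append(f"non-baseline process {proc} -> {parsed.hostname}")
    return reasons


def triage(connections, proxy_lines):
    """(subject, reasons) for every record that scored at least one reason."""
    hits = []
    for conn in connections:
        reasons = score_connection(conn)
        if reasons:
            hits.append((conn["Image"], reasons))
    for line in proxy_lines:
        reasons = score_proxy_line(line)
        if reasons:
            hits.append((line.split("|")[4], reasons))
    return hits


# Constructed sample records; hosts, users and paths are invented.
SAMPLE_CONNECTIONS = [
    {"Image": r"C:\Program Files\Git\cmd\git.exe", "DestinationHostname": "github.com", "DestinationPort": 443},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\svc_update.exe", "DestinationHostname": "raw.githubusercontent.com", "DestinationPort": 443},
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "DestinationHostname": "raw.githubusercontent.com", "DestinationPort": 443},
    {"Image": r"C:\Windows\System32\svchost.exe", "DestinationHostname": "update.example.invalid", "DestinationPort": 443},
]
SAMPLE_PROXY = [
    "2026-04-03T10:01:02Z|alice|C:\\Program Files\\Git\\cmd\\git.exe|GET|https://codeload.github.com/example/repo/zip/refs/heads/main|200",
    "2026-04-03T10:05:44Z|alice|C:\\Users\\alice\\AppData\\Local\\Temp\\svc_update.exe|GET|https://raw.githubusercontent.com/example-acct/assets/main/bin/loader.exe|200",
    "2026-04-03T10:06:10Z|alice|C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe|GET|https://github.com/example/repo/issues/12|200",
]

if __name__ == "__main__":
    for subject, reasons in triage(SAMPLE_CONNECTIONS, SAMPLE_PROXY):
        print(subject)
        for r in reasons:
            print("   ", r)
```

Three of the seven sample records score: the Temp-resident binary (twice, for the connection and for the .exe it pulls), and WINWORD.EXE reaching raw.githubusercontent.com. The git.exe and chrome.exe records stay quiet, which is the point of keeping a baseline rather than alerting on the destination alone. Host matching is suffix-based on the real GitHub domains, so a look-alike such as github.com.example.invalid does not get the benefit of the baseline.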

A key tactic of the REF1695 campaign is using ISO files to bypass Mark-of-the-Web (MOTW) controls. To counter this, organizations can harden the platform via Group Policy. A GPO can change the default handler for .iso files so that double-clicking no longer mounts them as a drive; instead, the policy can open them with an archive tool such as 7-Zip, or do nothing at all. This adds friction and removes the seamless execution path the attackers rely on. Additionally, set the PowerShell execution policy to RemoteSigned or stricter across the enterprise to prevent casual execution of downloaded scripts. Treat execution policy as friction rather than a control: it is not a security boundary and is bypassed with a single flag (-ExecutionPolicy Bypass) by any user who can run powershell.exe, so enforcement should come from WDAC (which also puts PowerShell into Constrained Language Mode) together with script block logging for visibility. These hardening steps disrupt the attacker's TTPs and increase the chance that the attack fails.

Article Author

Jason Gomes


• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

cryptomining, RAT, ISO file, GitHub, malware delivery, social engineering
