A new cyber campaign has been discovered in which attackers use fake software downloads to spread malware. The operation, tracked as REF1695, has been active since late 2023 and is financially motivated. The attackers use ISO files as the primary infection vector; the files are designed to look like genuine software installers, and once opened they silently start a chain of malicious actions.

The attack usually starts when a user downloads what appears to be a normal software file from the internet. In reality, the file is an ISO image that contains hidden malicious components. Inside the ISO, there is a loader along with a text file that gives instructions. These instructions trick users into bypassing security warnings like Microsoft Defender SmartScreen. This step is important because it allows the malware to execute without interruption.
After the file is executed, the malware begins running in the background without any clear signs. It uses PowerShell commands to modify system settings and avoid detection. The malware also creates exclusions in antivirus programs so it can stay hidden. At the same time, a fake error message may appear on the screen. This makes the user believe the installation failed while the malware is already active.
One of the main components used in this campaign is malware called CNB Bot. It works as a loader, meaning it can download and execute additional malicious programs. It can update itself and run commands sent by the attackers, and it can remove traces of its activity to avoid detection. It communicates with remote servers over HTTP for command and control.
Along with CNB Bot, attackers are also spreading tools like PureRAT, PureMiner, and customized XMRig miners. These tools serve different purposes within the attack. Some provide remote access to the infected system, while others focus on mining cryptocurrency. The mining process uses the victim’s CPU power to generate digital currency. This happens silently without the user’s knowledge and reduces system performance.
To improve mining efficiency, the attackers use a signed but vulnerable Windows driver called WinRing0x64.sys. The driver gives them access to low-level hardware, which they use to modify CPU settings and increase mining performance. The same technique has been seen in several past cryptojacking campaigns and helps the attackers extract maximum profit from the victim's resources.
Another key feature of this operation is its strong persistence mechanism. The malware creates scheduled tasks so it can run automatically after every system restart. It also disables features like sleep and hibernate mode to keep the system active. In addition, it includes a watchdog mechanism that restores the malware if it gets removed. These techniques make the infection very hard to eliminate completely.
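As an added detection example (not part of the original article), the Python below scans constructed process-creation and driver-load log lines for the chain of behaviours described above: Defender exclusions added from PowerShell, hibernate switched off, a scheduled task created, and WinRing0x64.sys loaded. The log format, sample lines and regexes are my own assumptions, not the campaign's exact command lines.

```python
import re

# Detection heuristics for the behaviours in the write-up. The regexes are
# assumptions of my own, not the campaign's actual command lines.
RULES = [
    ("defender_exclusion", "cmd",
     r"add-mppreference\s+-exclusion(path|process|extension)"),
    ("power_settings_tamper", "cmd",
     r"powercfg(\.exe)?\s+(/|-)(h(ibernate)?\s+off|(x|change)\s+\S*-timeout)"),
    ("scheduled_task_persist", "cmd",
     r"schtasks(\.exe)?\s+/create\b|register-scheduledtask"),
    ("winring0_driver", "image", r"winring0x64\.sys$"),
]

# Constructed log format: "<ts> <event> image=<path> cmd=<command line>"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>\S+) image=(?P<image>\S+) cmd=(?P<cmd>.*)$")

def parse_line(line):
    """Return a dict of fields, or None for lines that do not fit the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def match_rules(rec):
    """Names of every rule whose regex hits the inspected field of one record."""
    return [name for name, field, pat in RULES
            if re.search(pat, rec.get(field, ""), re.IGNORECASE)]

def scan(lines):
    """Return (timestamp, rule_name) for each suspicious line, in log order."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec:
            findings.extend((rec["ts"], rule) for rule in match_rules(rec))
    return findings

def looks_like_chain(findings, min_distinct=2):
    """True when several different behaviours appear together, as in REF1695;
    a lone exclusion or scheduled task is too common on its own to page on."""
    return len({rule for _, rule in findings}) >= min_distinct

# Constructed sample lines (not real telemetry) mirroring the described chain.
SAMPLE_LOG = [
    r"2024-01-12T10:02:11Z ProcessCreate image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmd=powershell.exe Add-MpPreference -ExclusionPath C:\Users\Public",
    r"2024-01-12T10:02:14Z ProcessCreate image=C:\Windows\System32\powercfg.exe cmd=powercfg /hibernate off",
    r"2024-01-12T10:02:20Z ProcessCreate image=C:\Windows\System32\schtasks.exe cmd=schtasks /create /sc onlogon /tn Updater /tr C:\Users\Public\svc.exe",
    r"2024-01-12T10:03:05Z DriverLoad image=C:\Users\Public\WinRing0x64.sys cmd=",
    r"2024-01-12T10:04:00Z ProcessCreate image=C:\Windows\explorer.exe cmd=explorer.exe",
]
```

Running `scan(SAMPLE_LOG)` flags the first four lines, one rule each, and `looks_like_chain` on those findings returns True; the benign explorer.exe line produces no finding.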
Researchers also found that attackers are using platforms like GitHub to host malicious files. This makes the downloads look more legitimate and reduces suspicion among users. The campaign has already generated around 27.88 Monero across tracked wallets. This shows that the operation is financially successful and ongoing. Overall, it highlights how attackers are combining social engineering with advanced malware techniques.
Stay alert, and keep your security measures updated!
Source: cybersecurity88 (X and LinkedIn)