$9,392. That’s the cold, hard tally from four crypto wallets tied to REF1695, a slick operation that’s been grinding away since November 2023.
Researchers at Elastic Security Labs peeled back the layers this week, revealing how this financially driven threat actor doesn’t just mine crypto — they layer on remote access trojans, cost-per-action fraud, and even a fresh .NET beast called CNB Bot.
ISO lures. Simple, right? But here’s the genius — or desperation — in their architecture. They package malice inside ISO files mimicking legit software installers. User double-clicks, Windows mounts it like a USB drive, and bam: a loader protected by .NET Reactor spits out instructions to sidestep Microsoft Defender SmartScreen. “More info.” “Run anyway.” You’ve seen it.
And while you’re fumbling that, PowerShell’s already whispering exclusions into Defender Antivirus — broad ones, letting the bad stuff breathe easy. A fake error pops up: “Unable to launch. System doesn’t meet specs. Contact support.” Neat cover.
How Does CNB Bot Pull This Off?
CNB Bot’s no dumb downloader. This .NET implant — undocumented till now — grabs extra payloads, updates itself, cleans up traces, uninstalls if needed. All via HTTP POST to a C2 server. Stealthy persistence, baby.
But REF1695 doesn’t stop there. Older tricks in their bag: PureRAT, PureMiner, a custom XMRig loader phoning home for configs. Then there’s FAUX#ELEVATE vibes — abusing WinRing0x64.sys, a signed kernel driver that’s been a cryptojacker’s best friend since miners baked it in back in 2019.
Think about it. That driver cracks open kernel-level access, tweaks CPU clocks for max hash rates. Legit signature means AV yawns. Elastic spotted it boosting SilentCryptoMiner too — that one’s got direct syscalls for evasion, kills sleep/hibernate, sets scheduled tasks, and runs a watchdog to resurrect anything you kill.
“Beyond cryptomining, the threat actor monetizes infections through CPA (Cost Per Action) fraud, directing victims to content locker pages under the guise of software registration,” Elastic Security Labs researchers Jia Yu Chan, Cyril François, and Remco Sprooten said.
CPA fraud. Not just mining — they’re herding victims to fake registries, locking content behind surveys or installs that pay per click. Diversified revenue, folks. Why bet on one horse when crypto dips?
GitHub as CDN. Bold move. They stash payloads on two accounts there, offloading from their own servers. Trusted platform downloads mean fewer sandbox flags, smoother execution. Abuse of open source ethos — classic.
But here’s my angle, the one Elastic glosses over: this reeks of evolutionary pressure from endpoint detection. Remember Stuxnet? It hid in legit certs and USBs too, but that was nation-state. REF1695’s the street-smart cousin, iterating fast because EDRs got wise to ZIP bombs and direct EXEs. ISOs? Fresh vector, low friction. Prediction: watch for DMG on Macs next, or APKs spiking in enterprise wild.
Why Abuse Signed Drivers Like WinRing0?
Signed drivers = trust bypass. WinRing0’s vulnerable, sure, but its legitimacy lets it burrow deep. Miners have leaned on it for years — tweak P-states, crank multipliers, squeeze every cycle without melting hardware. Add a watchdog? Unkillable miner.
Elastic tracked 27.88 XMR across wallets. Steady drip, not jackpot. Means scale: thousands infected, low profile. No big bangs, just persistent grind.
Users? Lured by fake installers — think pirated software, cracks, free tools. Clickbait for the impatient. Architecture shift here: from phishing emails to direct file drops on forums, torrents.
Defender exclusions via PowerShell — that’s AMSI bypass lite. Loader sets ‘em wide, CNB Bot runs silent. C2’s HTTP POST keeps it chatty but deniable.
Can Your AV Catch REF1695’s ISO Sneak Attack?
Short answer: not always. SmartScreen warns, but humans click through. Exclusions neuter real-time scans. Syscalls and kernel tweaks laugh at hooks. GitHub pulls? Legit traffic.
Elastic’s report shines because it maps the full chain — from ISO mount to miner hum. But operators? They’re watching. Next drop might encrypt C2, or pivot to browser miners.
Critique time: Elastic calls out GitHub abuse, but Microsoft’s been slow on repo policing. Free hosting for malware CDN? That’s not “innovation” — it’s negligence enabling profit.
Scale this up. If REF1695’s netting nine grand quiet-like, imagine state actors or bigger crews. Enterprise endpoints become zombie farms. Your idle corp laptop? Hashing Monero while you Zoom.
Historical parallel: early 2000s botnets like Storm used P2P for resilience. REF1695’s GitHub play echoes that — distribute risk, use trust networks. But cloud era amps it: infinite scale, zero cost.
What’s the fix? Behavioral blocks on ISO auto-mounts. Driver blocklisting (Microsoft’s on it, sorta). User training? Ha. Train against greed and haste?
Deeper why: crypto’s volatility pushes multis. Mining’s steady if stealthy; RATs sell access; CPA’s quick cash. REF1695’s portfolio approach — that’s the shift. Not smash-and-grab, but subscription malice.
Why Does GitHub Keep Falling for This?
GitHub’s the wild west redux. Devs upload, forks fly, no questions. Threat actors stage binaries, users pull unwittingly. Detection friction drops to zero.
Elastic IDs two accounts — gone now, probably. But more sprout. Until GitHub deploys ML on uploads or nukes suspicious repos proactively, it’s a sieve.
Bold call: this forces platform accountability. Expect lawsuits, regs on code hosts. Or GitHub goes full Apple — walled garden for binaries.
Watchdog processes seal the deal. Kill the miner? It respawns persistence. Scheduled tasks, registry runs — full immortality kit.
Infected tally? Unknown, but wallet math screams volume. Low-and-slow wins.
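Added defender-side check (not code from Elastic's report or this article): a PowerShell audit for the host traces described above, broad Defender exclusions and the event ID 5007 configuration-change entries they leave, the WinRing0 driver, and scheduled tasks whose action sits in a user-writable folder. Assumes an elevated PowerShell session on Windows 10/11 with Defender; the "broad" path patterns and the 7-day window are assumptions, not Elastic's indicators.

```powershell
# Added audit script; assumes an elevated session. Collects findings
# for the three host-level traces the article describes.
$findings = @()

# 1. Broad Defender exclusions of the kind the loader adds. A root drive,
#    a wildcard, or a whole user/temp tree counts as suspicious (assumed heuristic).
$pref = Get-MpPreference
foreach ($p in $pref.ExclusionPath) {
    if ($p -match '^[A-Za-z]:\\?$' -or $p -match '\*' -or
        $p -match '\\(Users|ProgramData|Temp)\\?$') {
        $findings += "Broad path exclusion: $p"
    }
}
foreach ($e in $pref.ExclusionExtension) {
    if ($e -match '^\.?(exe|dll|ps1|bat|iso)$') { $findings += "Executable extension excluded: $e" }
}
foreach ($proc in $pref.ExclusionProcess) { $findings += "Process exclusion: $proc" }

# 2. Event ID 5007 (Defender configuration changed) entries in the last 7 days
#    that touch the Exclusions registry keys: the audit trail of Add-MpPreference.
$since = (Get-Date).AddDays(-7)
Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5007; StartTime = $since
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Exclusions\\' } |
    ForEach-Object { $findings += "Exclusion change at $($_.TimeCreated): $($_.Message -replace '\s+', ' ')" }

# 3. The signed-but-abusable WinRing0 driver, whether running or merely registered.
Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.PathName -match 'WinRing0' } |
    ForEach-Object { $findings += "WinRing0 driver present: $($_.PathName) (state: $($_.State))" }

# 4. Scheduled tasks that launch something from a user-writable location,
#    the usual home of a miner watchdog.
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        if ($a.Execute -match '\\(Users|ProgramData|Temp|AppData)\\') {
            $findings += "Task '$($task.TaskName)' runs $($a.Execute) $($a.Arguments)"
        }
    }
}

if ($findings.Count -eq 0) { 'No REF1695-style traces found.' } else { $findings }
```

Each hit is a lead to review, not proof of compromise: legitimate software also registers exclusions and tasks, so confirm against your own change records before acting.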
Frequently Asked Questions
What is REF1695?
REF1695’s a cyber op using ISO file lures to drop RATs like CNB Bot, PureRAT, and cryptominers like XMRig or SilentCryptoMiner, plus CPA fraud for extra cash.
How do ISO lures bypass Microsoft Defender?
ISO mounts like a drive, drops a protected loader with manual bypass instructions for SmartScreen, then PowerShell adds AV exclusions while faking an error.
Is GitHub safe for downloads?
Mostly, but threat actors hide payloads there as CDN. Scan everything, check repos, use enterprise proxies.