Researchers Uncover Mining Operation Using ISO Lures to Spread RATs and Crypto Miners
Briefly

"Beyond cryptomining, the threat actor monetizes infections through CPA (Cost Per Action) fraud, directing victims to content locker pages under the guise of software registration."
"The loader is designed to invoke PowerShell, which is responsible for configuring broad Microsoft Defender Antivirus exclusions to fly under the radar and launch CNB Bot in the background."
"CNB Bot functions as a loader with capabilities to download and execute additional payloads, update itself, and uninstall and perform cleanup actions to cover up the tracks."
"As recently observed in the FAUX#ELEVATE campaign, 'WinRing0x64.sys,' a legitimate, signed, and vulnerable Windows kernel driver, is abused to obtain kernel-level access."
Operation REF1695 has been active since November 2023, using fake software installers to deploy remote access trojans and cryptocurrency miners. The threat actor also monetizes infections through CPA (Cost Per Action) fraud, sending victims to content locker pages under the guise of software registration. Recent attacks have introduced a new .NET implant, CNB Bot, delivered inside an ISO file. The loader in the ISO invokes PowerShell to configure broad Microsoft Defender Antivirus exclusions, displays a misleading error message to the victim, and launches CNB Bot in the background. CNB Bot then communicates with a command-and-control server, downloads and executes additional payloads, updates itself, and can uninstall and clean up to cover its tracks. Other campaigns have similarly used ISO files to deploy malware, including PureRAT and PureMiner.
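The summary above describes two host-level artifacts a defender can look for: broad Microsoft Defender exclusions added through PowerShell, and the presence of the vulnerable WinRing0x64.sys driver. The following audit script is an added example written for this page; it is not code from the article or from the threat actor's tooling. It assumes it is run elevated on a host with Microsoft Defender Antivirus, and the "broad exclusion" patterns it flags are this example's own heuristic rather than a vendor-supplied list.

```powershell
# Added audit example (not from the article): flag broad Microsoft Defender
# exclusions and check for the WinRing0x64.sys driver.
# Assumptions: run elevated on a host running Microsoft Defender Antivirus;
# the patterns below are this example's own heuristic for "broad".

$broadPatterns = @(
    '^[A-Za-z]:\\?$',          # whole drive root, e.g. C:\
    '^[A-Za-z]:\\Users\\?$',   # every user profile
    '\\AppData\\',             # per-user writable locations
    '\\Temp\\',
    '\\ProgramData\\?$',
    '\\Windows\\?$',
    '\\Downloads\\?$',
    '\\Public\\?$'
)

function Test-BroadExclusion {
    param([string]$Path)
    foreach ($pattern in $broadPatterns) {
        if ($Path -match $pattern) { return $true }
    }
    return $false
}

$prefs = Get-MpPreference

Write-Host "== Path exclusions =="
foreach ($path in @($prefs.ExclusionPath)) {
    if (-not $path) { continue }
    $flag = if (Test-BroadExclusion $path) { 'BROAD' } else { 'ok   ' }
    Write-Host ("[{0}] {1}" -f $flag, $path)
}

Write-Host "== Process exclusions (file activity by these processes is not scanned) =="
foreach ($proc in @($prefs.ExclusionProcess)) {
    if ($proc) { Write-Host ("[PROC ] {0}" -f $proc) }
}

Write-Host "== Extension exclusions =="
foreach ($ext in @($prefs.ExclusionExtension)) {
    if ($ext) { Write-Host ("[EXT  ] {0}" -f $ext) }
}

# Defender records configuration changes, including exclusion changes, in its
# operational log as Event ID 5007; list the most recent ones that mention exclusions.
Write-Host "== Recent Defender configuration changes mentioning exclusions (Event ID 5007) =="
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5007
} -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Exclusions' } |
    ForEach-Object { "{0}  {1}" -f $_.TimeCreated, ($_.Message -replace '\s+', ' ') }

# WinRing0x64.sys: look for it among registered kernel drivers and on disk.
Write-Host "== WinRing0 driver check =="
Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.Name -match 'WinRing0' -or $_.PathName -match 'WinRing0' } |
    Select-Object Name, State, StartMode, PathName
Get-ChildItem -Path "$env:SystemRoot\System32\drivers" -Filter 'WinRing0*.sys' -ErrorAction SilentlyContinue |
    Select-Object FullName, Length, LastWriteTime
```

A hit on either check is a lead, not a verdict: the article itself calls WinRing0x64.sys a legitimate, signed driver, so its presence can come from benign hardware-monitoring software, and some administrators do add wide exclusions deliberately. What warrants escalation is the combination the campaign uses: exclusions covering user-writable directories added shortly before a driver load or a new background process.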
Read at The Hacker News