REF1695: The fraud that combines social engineering, kernel drivers and mining for profit

6 min read

Since late 2023, researchers at Elastic Security Labs have tracked a financially motivated operation that uses fake installers to deliver both remote access trojans (RATs) and cryptocurrency miners. Tracked as REF1695, the campaign stands out for combining classic social engineering with techniques for evading system defenses and maximizing mining performance, and for monetizing infections through CPA fraud that sends victims to "content locker" pages. Those interested in the original research and technical analysis can find Elastic's general information at Elastic and the announcements of its security team.

The infection chain the analysts describe starts with a very traditional lure: an ISO file that the user mounts believing it contains a legitimate installer. Inside the ISO are a loader protected with .NET Reactor and a text file with explicit instructions for the victim to bypass Microsoft Defender SmartScreen's warnings. These instructions tell the user to click "More info" and then "Run anyway", which lets the unrecognized application execute. Microsoft's official documentation on SmartScreen explains why these protections appear and the risks of ignoring them; see Microsoft Defender SmartScreen.

Image generated with AI.

The loader, built to invoke PowerShell, performs two critical actions: it sets broad exclusions in Microsoft Defender Antivirus so the samples are not detected, and it launches in the background a recently observed .NET implant that researchers have named CNB Bot. Users are shown an error screen meant to justify the failed install: a message suggesting that the system "does not meet the specifications" and directing them to contact support, so the victim does not suspect the background activity.

CNB Bot acts as a modular loader: it can download and run additional payloads, update itself, and also uninstall itself and remove traces to hinder analysis. Its communication with the command-and-control (C2) server is done over HTTP POST requests, a simple but effective method for exchanging instructions and binaries in large-scale campaigns.

In addition to CNB Bot, Elastic documents variants of the same ISO lure that have been used to deploy malware families such as PureRAT and PureMiner, and a .NET-based loader for XMRig that queries a fixed URL to obtain its mining configuration. A particularly worrying aspect of these campaigns is the abuse of legitimate, signed kernel drivers, in particular variants such as WinRing0x64.sys or Winring0.sys, which provide kernel-level access to adjust CPU parameters and increase the mining hash rate. Using this type of driver as a lever to improve performance in malicious cryptomining is not new: XMRig added related capabilities in December 2019, and since then various actors have used them to squeeze resources out of infected machines. To better understand the implications of modifying defenses or abusing drivers, the MITRE ATT&CK taxonomy offers useful context under MITRE ATT&CK - Impair Defenses.

Another component observed in REF1695 operations is SilentCryptoMiner, a miner that takes additional measures to evade detection and maximize uptime: it uses direct system calls (syscalls) to bypass security hooks, prevents Windows from entering sleep or hibernation, establishes persistence through scheduled tasks, and uses kernel-level drivers to optimize CPU configuration. To ensure mining is not interrupted, operators also include a "watchdog" process that restores artifacts and persistence mechanisms if they are removed.

As for the financial reward, the actor appears to earn a steady return: Elastic estimates that 27.88 XMR have been moved, about $9,400 at the reference exchange rate, spread across four wallets that researchers were able to trace. This figure shows that, while not necessarily massive compared with other criminal operations, the campaign is profitable and sustainable.

One operational detail worth highlighting is the use of trusted platforms in place of the actor's own infrastructure. Researchers observed that the operators host binary stages in GitHub accounts, using them as a CDN. This strategy reduces detection friction because GitHub's domains and servers generally enjoy a good reputation and pass through less stringent filters than infrastructure fully controlled by the attackers. GitHub has published guidelines and policies on the acceptable use of its services; in any case, the abuse of legitimate platforms is already a recurring trend in modern financially motivated crime.

Image generated with AI.

What lessons are there for administrators and users? The combination of convincing lures, abuse of system features and use of legitimate services shows that defenses must be layered and critical of the user's own actions. Avoiding mounting or running unverified ISO images, distrusting instructions that ask you to bypass security warnings, applying restrictive policies on script execution and on kernel driver installation, and monitoring both abnormal CPU usage and outbound HTTP connections to unknown servers are measures that significantly reduce risk. It is also advisable to audit accounts on GitHub and other platforms where binaries can be hosted, and to apply rules that inspect and block downloads from unapproved repositories.

The REF1695 campaign is a reminder that financially motivated actors combine social engineering with technical techniques for access, persistence and performance. The best defense remains a mix of user awareness, up-to-date security controls and detection capabilities able to identify both abnormal system behavior (CPU spikes, antivirus exclusions, suspicious scheduled tasks) and the abuse of legitimate services for malware delivery. For those who want to dig deeper into mining tools and their implementations, the official XMRig repository provides technical context on software that malicious actors often reuse: XMRig on GitHub. For details on the obfuscation and packing techniques used in .NET, the commercial .NET Reactor solution seen in some attacks can be found at Eziriz - .NET Reactor.
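As an added illustration of the host-side checks recommended above (this is not code from the article or from Elastic's research), the following PowerShell audit lists Microsoft Defender exclusions, flags any that cover a drive root or a whole user-writable tree, and lists enabled scheduled tasks that launch binaries from such locations. The path patterns it treats as suspicious are assumptions of this example, not indicators from the campaign.

```powershell
# Added example, not code from the article or from Elastic Security Labs.
# Audits two host artifacts the article says the REF1695 loaders leave behind:
# broad Microsoft Defender exclusions and scheduled tasks that run from user-writable paths.
# Run from an elevated PowerShell session on the host being checked.

# Assumption: these roots are "too broad" for any single installer to need excluded.
$broadRoots = @('C:\', 'C:\Users', $env:USERPROFILE, $env:TEMP, $env:APPDATA,
                $env:LOCALAPPDATA, $env:ProgramData) | Where-Object { $_ }

# Assumption: binaries launched from these trees by a scheduled task deserve review.
$userWritable = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, $env:ProgramData, $env:PUBLIC) |
                Where-Object { $_ }

function Test-BroadExclusion {
    param([string]$Path)
    # Exact (case-insensitive) match against a drive root or a whole user-writable tree
    foreach ($root in $broadRoots) {
        if ($Path.TrimEnd('\') -ieq $root.TrimEnd('\')) { return $true }
    }
    return $false
}

$prefs = Get-MpPreference
Write-Host "== Microsoft Defender exclusions =="
foreach ($p in @($prefs.ExclusionPath | Where-Object { $_ })) {
    $flag = if (Test-BroadExclusion $p) { 'BROAD' } else { 'ok' }
    Write-Host ("[{0}] path: {1}" -f $flag, $p)
}
foreach ($e in @($prefs.ExclusionExtension | Where-Object { $_ })) { Write-Host ("[review] extension: {0}" -f $e) }
foreach ($x in @($prefs.ExclusionProcess   | Where-Object { $_ })) { Write-Host ("[review] process: {0}" -f $x) }
if ($prefs.DisableRealtimeMonitoring) { Write-Host "[BROAD] real-time monitoring is disabled" }

Write-Host "== Enabled scheduled tasks launching from user-writable paths =="
Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' } | ForEach-Object {
    $task = $_
    foreach ($a in @($task.Actions)) {
        if (-not $a.Execute) { continue }   # COM-handler actions have no Execute
        # Expand %VARS% and strip surrounding quotes before comparing the prefix
        $exe = [Environment]::ExpandEnvironmentVariables($a.Execute).Trim('"')
        foreach ($dir in $userWritable) {
            if ($exe.StartsWith($dir, [StringComparison]::OrdinalIgnoreCase)) {
                Write-Host ("[review] {0}{1} runs {2} {3}" -f $task.TaskPath, $task.TaskName, $exe, $a.Arguments)
                break
            }
        }
    }
}
```

Entries marked BROAD or review are starting points for investigation, not verdicts; legitimate software occasionally installs from these locations as well.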

In short, REF1695 does not introduce a completely new technique, but it does show the effectiveness of combining social engineering tricks with low-level system abuse and the use of "trusted" infrastructure to maintain lucrative, long-lived operations. The response involves technical protection layers, software control policies and, perhaps most importantly, users trained not to blindly run whatever presents itself as an "installer" in a file that does not come from a verified source.
