Malware & Ransomware | HIGH

Bogus Installers - RAT and Cryptominer Spread Alert

SC Media
Tags: REF1695, CNB Bot, PureMiner, PureRAT, XMRig

In short: fake software installers are being used to spread malware.

Quick Summary

Bogus installers are being used to spread RATs and cryptominers in a long-running operation. Users are at risk of infection from these malicious downloads. Stay alert and only download software from trusted sources.

What Happened

A long-running cyber operation, identified as REF1695, has been using counterfeit installers to distribute remote access trojans (RATs) and cryptocurrency mining malware since November 2023. Recent campaigns have involved fake ISO files that deliver a .NET Reactor-protected loader, which eventually deploys the CNB Bot implant. The implant can then inject further malicious payloads.

Who's Being Targeted

The primary targets of this operation appear to be general users who unknowingly download these bogus installers, mistaking them for legitimate software. As the operation continues, it poses a risk to both individual users and organizations that may fall victim to these attacks.

Signs of Infection

Users may notice unusual system behavior, such as slow performance or unexpected network activity, which could indicate the presence of RATs or cryptominers. Anyone who has downloaded software from unverified sources should be especially vigilant for such signs.

How It Works

The REF1695 operation utilizes fake ISO files to lure users into downloading malicious software. These installers are designed to look legitimate, but they contain hidden malware. The operation has also leveraged GitHub as a content delivery network (CDN) for hosting these malicious files. By using a trusted platform, the threat actor reduces the chances of detection.

Tactics & Techniques

The REF1695 group employs various techniques to maintain stealth and effectiveness. For instance, it uses SilentCryptoMiner, which operates quietly by making direct system calls and disabling Windows Sleep and Hibernate modes. Keeping the machine awake lets the miner run undetected for extended periods.

Defensive Measures

To protect against these threats, users should:

  • Only download software from official and verified sources.
  • Regularly update their operating systems and antivirus software to detect and remove any malicious files.
  • Monitor system performance and network activity for unusual behavior.

Conclusion

The REF1695 operation highlights the ongoing risks posed by counterfeit software installers. As cybercriminals continue to evolve their tactics, users must remain vigilant and proactive in their cybersecurity practices to avoid falling victim to such attacks.

🔒 Pro insight: The use of trusted platforms like GitHub for malware delivery is a significant shift, complicating detection efforts for security teams.

Original article from SC Media.
