Fake Installers to Monero: A Multi-Tool Mining Operation

Elastic Security Labs identified a financially motivated operation dubbed REF1695 that distributes RATs and cryptominers via fake installer ISOs. The threat actor monetizes infections through Monero mining and CPA fraud, utilizing advanced evasion techniques like Themida packing, dynamic analysis tool detection, and a novel .NET implant named CNB Bot.

Confidence: high · Analyzed: 2026-03-31 · reports

Authors: Elastic Security Labs

Actors: REF1695, CNB Bot, PureRAT, PureMiner, SilentCryptoMiner, AsyncRAT, PulsarRAT

Source: Elastic Security Labs

IOCs · 5

Key Takeaways

  • Financially motivated operation (REF1695) active since late 2023, deploying RATs and cryptominers via fake installer ISOs.
  • Monetizes infections through Monero cryptomining and CPA (Cost Per Action) fraud.
  • Uses consistent Themida/WinLicense + .NET Reactor packing across stages.
  • Introduces CNB Bot, a new .NET implant with RSA-2048 signed task authentication.
  • Custom XMRig loader evades detection by terminating the miner when analysis tools are running and abuses WinRing0x64.sys for Ring 0 access.

Affected Systems

  • Windows

Attack Chain

The attack begins with a fake installer ISO file containing a packed loader. Upon execution, the loader uses PowerShell to add Microsoft Defender exclusions and extracts subsequent stages, including RATs (PureRAT, CNB Bot) and cryptominers (PureMiner, XMRig, SilentCryptoMiner). Persistence is established via scheduled tasks or registry run keys. The malware disables sleep/hibernation to maximize mining uptime, drops a vulnerable driver (WinRing0x64.sys) for Ring 0 hardware access, and evades analysis by terminating the miner process when monitoring tools are detected.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

The article does not provide explicit detection rules (YARA, Sigma, etc.), but details extensive behavioral indicators and IOCs for custom rule creation.

Detection Engineering Assessment

  • EDR Visibility: High — EDR solutions can detect the creation of scheduled tasks, PowerShell commands modifying Defender exclusions, process injection into explorer.exe/conhost.exe, and the dropping of known vulnerable drivers like WinRing0x64.sys.
  • Network Visibility: Medium — C2 traffic is AES-encrypted and base64-encoded, but connections to known mining pools, GitHub raw URLs for payloads, and specific C2 domains can be monitored.
  • Detection Difficulty: Moderate — While the malware uses heavy packing (Themida/.NET Reactor) and evasion techniques (killing the miner when analysis tools are detected), the behavioral footprint (Defender exclusions, scheduled tasks, powercfg modifications) is noisy.

Required Log Sources

  • Process Creation (Event ID 4688 / Sysmon 1)
  • PowerShell Operational Logs (Event ID 4104)
  • Scheduled Task Creation (Event ID 4698)
  • File Creation (Sysmon 11)

Hunting Hypotheses

Each row: Hypothesis | Telemetry | ATT&CK Stage | FP Risk

  • Look for PowerShell executions containing 'Add-MpPreference -ExclusionPath' or '-ExclusionProcess' originating from temporary directories. | Process Creation / PowerShell Operational Logs | Defense Evasion | Low
  • Monitor for the creation of scheduled tasks executing VBScript or binaries from %APPDATA%\HostData. | Scheduled Task Creation | Persistence | Low
  • Detect the execution of 'powercfg' commands disabling standby and hibernation timeouts (e.g., 'standby-timeout-ac 0'). | Process Creation | Impact | Medium
  • Identify the dropping and loading of 'WinRing0x64.sys' by unsigned or suspicious processes. | File Creation / Driver Load | Privilege Escalation | Medium
  • Hunt for processes named 'svchost.exe' executing from unusual directories like %SystemDrive%\Users\*\AppData\Local\SVCData\Config. | Process Creation | Execution | Low
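The five hunting hypotheses above expressed as runnable detection logic over normalised process-creation and file-creation events. This is an added example, not code from Elastic Security Labs or the report; the event field names (type, image, cmdline, parent_image, cwd, target) are an assumed minimal shape rather than the Sysmon or 4688 schema, and the sample events are constructed, with paths modelled on the report's indicators.

```python
import re
from pathlib import PureWindowsPath

# Assumed event shape (not Sysmon's schema): process events carry image/cmdline/parent_image/cwd, file events image/target.
TEMP_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")
SYSTEM_DIRS = ("\\windows\\system32\\", "\\windows\\syswow64\\")
DEFENDER_EXCL = re.compile(r"add-mppreference\b.*-exclusion(path|process)", re.I)
POWERCFG_NOSLEEP = re.compile(r"(standby|hibernate)-timeout-(ac|dc)\s+0\b", re.I)
TASK_ACTION = re.compile(r'/tr\s+"?[^"]*(\\hostdata\\|\.vbs\b)', re.I)

def _under(path, prefixes):
    return any(p in path.lower() + "\\" for p in prefixes)  # trailing separator so bare directories match too

def evaluate(event):
    """Return the short names of the hunting hypotheses one event matches (empty list if none)."""
    hits, kind = [], event.get("type")
    image, cmd = event.get("image", ""), event.get("cmdline", "")
    name = PureWindowsPath(image).name.lower()
    if kind == "process":
        # H1: Defender exclusion added by PowerShell whose parent binary or working directory is a temp directory
        from_temp = _under(event.get("cwd", ""), TEMP_DIRS) or _under(event.get("parent_image", ""), TEMP_DIRS)
        if name in ("powershell.exe", "pwsh.exe") and DEFENDER_EXCL.search(cmd) and from_temp:
            hits.append("defender_exclusion_from_temp")
        # H2: scheduled task whose action is a VBScript or lives under %APPDATA%\HostData
        if name == "schtasks.exe" and "/create" in cmd.lower() and TASK_ACTION.search(cmd):
            hits.append("task_hostdata_or_vbs")
        # H3: powercfg zeroing the standby/hibernate timeouts
        if name == "powercfg.exe" and POWERCFG_NOSLEEP.search(cmd):
            hits.append("powercfg_disable_sleep")
        # H5: svchost.exe running from outside System32/SysWOW64
        if name == "svchost.exe" and not _under(image, SYSTEM_DIRS):
            hits.append("svchost_unusual_path")
    elif kind == "file" and PureWindowsPath(event.get("target", "")).name.lower() == "winring0x64.sys":
        hits.append("winring0_dropped")  # H4: vulnerable driver written to disk; `image` identifies the dropper
    return hits

# Constructed sample telemetry (not from the report); paths follow the report's indicators.
SAMPLE_EVENTS = [
    {"id": 1, "type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -WindowStyle Hidden Add-MpPreference -ExclusionPath "C:\Users\u\AppData\Roaming\HostData"',
     "parent_image": r"C:\Users\u\AppData\Local\Temp\MLPCInstallHelper.exe", "cwd": r"C:\Users\u\AppData\Local\Temp"},
    {"id": 2, "type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",  # admin, benign
     "cmdline": r'Add-MpPreference -ExclusionPath "D:\Builds"', "parent_image": r"C:\Windows\explorer.exe", "cwd": r"C:\Windows\System32"},
    {"id": 3, "type": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /tn SVCConfig /tr "wscript.exe C:\Users\u\AppData\Roaming\HostData\sysdata.vbs" /sc onlogon'},
    {"id": 4, "type": "process", "image": r"C:\Windows\System32\powercfg.exe", "cmdline": "powercfg /change standby-timeout-ac 0"},
    {"id": 5, "type": "process", "image": r"C:\Users\u\AppData\Local\SVCData\Config\svchost.exe", "cmdline": "svchost.exe"},
    {"id": 6, "type": "file", "image": r"C:\Users\u\AppData\Local\SVCData\Config\svchost.exe",
     "target": r"C:\Users\u\AppData\Local\Temp\WinRing0x64.sys"},
]
```

Event 2 shows why the temp-directory condition matters: an administrator adding an exclusion from an interactive shell under System32 produces no hit, which keeps the rule's false-positive rate low as the table claims.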

Control Gaps

  • Lack of SmartScreen enforcement (users instructed to bypass it)
  • Allowing execution of unsigned binaries from ISO files

Key Behavioral Indicators

  • PowerShell modifying Defender exclusions
  • powercfg disabling sleep
  • WinRing0x64.sys dropped to %TEMP%
  • Process injection into conhost.exe or explorer.exe

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Block known C2 domains and mining pool IP addresses.
  • Search for and remove identified IOCs (file hashes, paths, scheduled tasks).

Infrastructure Hardening

  • Block or restrict the mounting of ISO files from untrusted sources.
  • Implement application control to prevent the execution of unsigned binaries from user directories (%APPDATA%, %TEMP%).
  • Restrict the ability of standard users to modify Microsoft Defender exclusions.

User Protection

  • Ensure Microsoft Defender SmartScreen is enabled and configured to block (not just warn) on unrecognized apps.

Security Awareness

  • Train users to recognize social engineering lures that instruct them to bypass security warnings (e.g., 'More Info -> Run Anyway').
  • Educate users on the risks of downloading software from unofficial sources or fake registration pages.

MITRE ATT&CK Mapping

  • T1566.001 - Phishing: Spearphishing Attachment
  • T1059.001 - Command and Scripting Interpreter: PowerShell
  • T1562.001 - Impair Defenses: Disable or Modify Tools
  • T1053.005 - Scheduled Task/Job: Scheduled Task
  • T1027.002 - Obfuscated Files or Information: Software Packing
  • T1055.012 - Process Injection: Process Hollowing
  • T1068 - Exploitation for Privilege Escalation
  • T1489 - Service Stop
  • T1496 - Resource Hijacking

Additional IOCs

  • Domains:
    • winautordr[.]itemdb[[.]]com - PureRAT C2 server
    • winautordr[.]ydns[[.]]eu - PureRAT C2 server
    • winautordr[.]kozow[[.]]com - PureRAT C2 server
    • wndlogon[.]hopto[[.]]org - PureRAT / PureMiner / AsyncRAT / PulsarRAT C2 server
    • wndlogon[.]itemdb[[.]]com - PureRAT / PureMiner / AsyncRAT / PulsarRAT C2 server
    • wndlogon[.]ydns[[.]]eu - PureRAT / PureMiner / AsyncRAT / PulsarRAT C2 server
    • wndlogon[.]kozow[[.]]com - PureRAT / PureMiner / AsyncRAT / PulsarRAT C2 server
    • autoupdatewinsystem[[.]]top - CNB Bot / SilentCryptoMiner C2 server
    • win64autoupdates[[.]]top - CNB Bot C2 server
    • tommysbakescodes[[.]]ws - CNB Bot C2 server
    • tommysbakescodes[[.]]cv - CNB Bot C2 server
    • rapidfilesdatabaze[[.]]top - CPA fraud lure landing page
    • rapidfilesbaze[[.]]top - CPA fraud lure landing page
    • softappsbase[[.]]top - SilentCryptoMiner C2 server
    • softwaredatabase[[.]]xyz - SilentCryptoMiner C2 server
    • winautordr[.]hopto[[.]]org - PureRAT C2 server
  • Urls:
    • hxxps://autoupdatewinsystem[[.]]top/MyMNRconfigs/0226[.]txt - Remote configuration URL for custom XMRig loader
    • hxxps://github[[.]]com/ugurlutaha6116 - GitHub profile hosting payload stages
    • hxxps://win64autoupdates[[.]]top/CNB/l0g1n234[[.]]php - CNB Bot C2 panel URL
    • hxxps://tabbysbakescodes[[.]]ws/CNB/gate[.]php - CNB Bot C2 communication endpoint
    • hxxps://tommysbakescodes[[.]]ws/CNB/gate[.]php - CNB Bot C2 communication endpoint
    • hxxps://tommysbakescodes[[.]]cv/CNB/gate[.]php - CNB Bot C2 communication endpoint
    • hxxps://tinyurl[[.]]com/cmvt944y - Shortlink redirecting to CPA lure page
    • hxxps://rapidfilesdatabaze[[.]]top/files/z872d515ea17b4e6c3abca9752c706242/ - CPA fraud lure landing page
    • hxxps://softwaredlfast[[.]]top/files/n71fGbs2b7XceW3op71aQsrx41Rkeydl/ - CPA fraud lure landing page
    • hxxps://rapidfilesbaze[[.]]top/z78fGbs2b7XceWop21aQsrx41Rkeydsktp/ - Fake download link for CPA fraud
    • hxxps://rapidfilesbaze[[.]]top/z78fGbs2b7XceWop21aQsrx41Rkeymbl/ - Fake download link for CPA fraud
    • hxxps://unlockcontent[[.]]net/cl/i/me9mn2 - Downstream unlocker site for CPA fraud
    • hxxps://softappsbase[[.]]top/UnammnrsettingsCPU[.]txt - SilentCryptoMiner configuration path
    • hxxps://autoupdatewinsystem[[.]]top/UWP1/cpu[.]txt - SilentCryptoMiner configuration path
    • hxxps://softwaredatabase[[.]]xyz/UnammnrsettingsCPU[.]txt - SilentCryptoMiner configuration path
    • hxxps://softappsbase[[.]]top/UnamWebPanel7/api/endpoint[.]php - SilentCryptoMiner communication endpoint
    • hxxps://autoupdatewinsystem[[.]]top/UWP1/api/endpoint[.]php - SilentCryptoMiner communication endpoint
    • hxxps://softwaredatabase[[.]]xyz/UnamWebPanel7/api/endpoint[.]php - SilentCryptoMiner communication endpoint
  • File Hashes:
    • 460203070b5a928390b126fcd52c15ed3a668b77536faa6f0a0282cf1c157162 (SHA256) - Campaign 1 ISO sample (CNB Bot)
    • 7bb0e91558244bcc79b6d7a4fe9d9882f11d3a99b70e1527aac979e27165f1d7 (SHA256) - Campaign 2 ISO sample (PureRAT)
    • f84b00fc75f183c571c8f49fcc1d7e0241f538025db0f2daa4e2c5b9a6739049 (SHA256) - Campaign 3 ISO sample (PureRAT, PureMiner, XMRig loader)
    • 1f7441d72eff2e9403be1d9ce0bb07792793b2cb963f2601ecfdf8c91cd9af73 (SHA256) - Campaign 4 sample (SilentCryptoMiner)
    • bb48a52bae2ee8b98ee1888b3e7d05539c85b24548dd4c6acc08fbe5f0d7631a (SHA256) - Early 2025 Build sample (PureRAT v0.3.9)
    • 6a01cc61f367d3bae34439f94ff3599fcccb66d05a8e000760626abb9886beac (SHA256) - Late 2023 Build sample (PureRAT v0.3.8B)
  • Registry Keys:
    • SOFTWARE\VMware, Inc.\VMware Tools - Registry key checked by CNB Bot for VM detection
    • SOFTWARE\Oracle\VirtualBox Guest Additions - Registry key checked by CNB Bot for VM detection
    • SYSTEM\CurrentControlSet\Services\VBoxGuest - Registry key checked by CNB Bot for VM detection
    • SYSTEM\CurrentControlSet\Services\VBoxSF - Registry key checked by CNB Bot for VM detection
  • File Paths:
    • %TEMP%\MLPCInstallHelper.exe - Extracted CNB Bot instance
    • %SystemDrive%\Users\%UserName%\AppData\Local\SVCData\Config\svchost.exe - Stage 3 malicious svchost.exe binary
    • Appdata/Local/OptimizeMS/optims.exe - SilentCryptoMiner installation folder masquerading as legitimate software
    • %APPDATA%\HostData\install.dat - CNB Bot marker file
    • %APPDATA%\HostData\sysdata.vbs - VBScript wrapper for CNB Bot execution
  • Command Lines:
    • Purpose: Add Microsoft Defender exclusions for malware paths and processes | Tools: PowerShell | Stage: Defense Evasion | powershell.exe -WindowStyle Hidden Add-MpPreference -ExclusionPath
    • Purpose: Create a scheduled task for persistence | Tools: schtasks.exe | Stage: Persistence | schtasks /create /tn SVCConfig /tr
    • Purpose: Disable Windows sleep and hibernation to maximize mining uptime | Tools: powercfg.exe | Stage: Impact | powercfg /change standby-timeout-ac 0
  • Other:
    • MTXCNBV11000ERCXSWOLZNBVRGH - CNB Bot Mutex
    • Aesthetics135 - PureRAT Mutex and C2 comms key
    • 4c271ad41ea2f6a44ce8d0 - PureMiner Mutex and C2 comms key
    • 87NnUp8GKVBZ8pFV75Gas4A5nMMH7gEeo8AXBhm9Q6vS5oQ6SzCYf1bJr7Lib35VN2UX271PAXeqRFDmjo5SXm3zFDfDSWD - Monero Wallet Address 1
    • 89FYoLrfXwEDAVAsVYbhAfg3mATUtBzNAK2LG8wwDKfNTRhmNRTBn1VbwpFxEpJ8h5fQa2A4CS1tpRv7amUdJ3ZbUoVu6T1 - Monero Wallet Address 2
    • 89WoZKYoHhcNEFRV8jjB6nDqzjiBtQqyp4agGfyHwED1XyVAoknfVsvY1CwEHG6nwZFJGFTF5XbqC4tAQbnoFFCX8UQof3G - Monero Wallet Address 3
    • 83Q1PKZ5yXsP8SCqjV3aV7B3UoBB3skPp49G1VnnGtv5Y5EUbFQTXvzR9cZshBYBBfd8Dm1snkkud431pdzEZ2uJTad1CiC - Monero Wallet Address 4