Security researchers have identified a financially motivated cybercriminal campaign distributing remote access trojans and cryptocurrency mining software through fraudulent software installers. The operation, active since November 2023, poses a significant threat to users seeking legitimate applications online.
Tracked as REF1695 by Elastic analysts, the threat actor uses fake installers for popular software as a lure. The goal of each infection is twofold: to hand the attackers remote control of the system and to mine cryptocurrency on it without the owner's knowledge.
Dual Monetization Strategy
According to a report from the security firm Elastic, the campaign employs a two-pronged approach to generate revenue. The first method is cryptomining: a miner is installed on the compromised machine and uses its CPU (and GPU, where available) to generate cryptocurrency for the attackers' wallet without the owner's consent, typically degrading system performance and raising power consumption.
The second monetization tactic is Cost Per Action (CPA) fraud. After infection, victims are redirected to content locker pages that demand an action such as completing a survey or signing up for a service, presented as a "registration" step for the software they thought they were installing. Each completed action earns the attackers a payout from an affiliate network, so the victim is monetized even if the miner is later removed.
Technical Execution and Lures
The operation packages its malicious payloads inside ISO disk image files. On Windows, double-clicking an ISO mounts it as a virtual drive, and the executable inside historically did not carry the Mark-of-the-Web attribute that the downloaded image itself received, so SmartScreen and similar checks that key on that attribute were not applied to it. Newer Windows builds propagate the mark into mounted images, but unpatched systems remain exposed, and an ISO is also less likely than a bare executable to be blocked by mail and web filters. The lures impersonate installers for widely used freeware, productivity tools and game modifications, increasing the likelihood that users download and run them.
Once executed, the installer deploys a remote access trojan (RAT), malware that gives the attacker backdoor control over the infected computer and with it the ability to steal data, drop further malware and monitor the user. The cryptocurrency miner is typically installed at the same time and runs silently in the background.
Implications for Global Users
This campaign illustrates an ongoing trend in which cybercriminals combine multiple revenue streams to maximize profit from a single infection. Pairing CPA fraud with cryptojacking makes the operation financially resilient: if one stream is cut off, the other keeps paying. For end users, the consequences range from reduced computer performance and higher electricity bills caused by mining to severe privacy breaches and financial loss from the RAT component.
Because software downloads cross borders, users worldwide are at risk. The attackers' choice of lures, which mimic common and sought-after software, is calculated to cast a wide net, potentially affecting both individual consumers and business environments.
Recommended Protective Measures
Elastic advises users to download software only from official vendor websites or trusted app stores, and to keep antivirus and anti-malware solutions up to date so that they can detect these payloads. Users should also be cautious of any installer that prompts unusual actions, such as disabling security software, or that leads to "registration" pages requesting personal information or survey completion.
For system administrators, application allowlisting (for example AppLocker or Windows Defender Application Control on Windows) and blocking the mounting or download of disk image files such as ISOs from untrusted sources are effective technical controls. Network monitoring for unexpected outgoing connections to known mining pools, including Stratum protocol traffic on the ports pools commonly use, or to command-and-control servers is also advised.
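To make the network-monitoring recommendation concrete, the following is an added example written for this article; it is not Elastic's code or one of its detection rules. It triages constructed process-creation and network-connection events (JSON lines, one per event) against generic cryptomining indicators: Stratum pool ports, pool-like hostnames and XMRig-style command-line flags, then correlates network alerts with any process that already showed miner flags. The port list, hostname fragments and sample events are illustrative assumptions and should be tuned to your own telemetry.

```python
"""Triage constructed endpoint events for cryptomining indicators.

Added example for this article, not Elastic's code. All sample events,
port lists and hostname fragments are constructed/illustrative.
"""
import json
import re
from dataclasses import dataclass, field

# Ports commonly used by Stratum mining pools (assumption: illustrative list).
STRATUM_PORTS = {3333, 3334, 4444, 5555, 7777, 8888, 9999, 14444, 45700}

# Hostname fragments typical of public mining pools (assumption: illustrative).
POOL_HOST_RE = re.compile(r"(pool|stratum|xmr|monero|hashvault|nanopool)", re.I)

# XMRig-style flags; a stratum+tcp/ssl URL on the command line is the strongest signal.
MINER_CMDLINE_RE = re.compile(
    r"stratum\+(tcp|ssl)://|--donate-level|--coin[= ]|--algo[= ]|(^|\s)-a\s+rx/|--url[= ]",
    re.I,
)


@dataclass
class Alert:
    event_id: int
    process: str
    reasons: list = field(default_factory=list)
    severity: str = "medium"


def pool_destination_reasons(host, port):
    """Reasons a network destination looks like a Stratum mining pool."""
    reasons = []
    if port in STRATUM_PORTS:
        reasons.append(f"stratum port {port}")
    if host and POOL_HOST_RE.search(host):
        reasons.append(f"pool-like hostname {host}")
    return reasons


def miner_cmdline_reasons(cmdline):
    """Reasons a command line looks like a miner invocation."""
    m = MINER_CMDLINE_RE.search(cmdline or "")
    return [f"miner flag {m.group(0).strip()}"] if m else []


def triage(raw_lines):
    """Return alerts for suspicious events, correlating network hits with miner processes."""
    alerts = []
    miner_processes = set()
    for line in raw_lines:
        ev = json.loads(line)
        if ev["type"] == "process":
            reasons = miner_cmdline_reasons(ev.get("cmdline"))
            if reasons:
                miner_processes.add(ev["process"].lower())
                alerts.append(Alert(ev["id"], ev["process"], reasons, "high"))
        elif ev["type"] == "network":
            reasons = pool_destination_reasons(ev.get("dest_host"), ev["dest_port"])
            if reasons:
                severity = "medium"
                # A pool connection from a process that already showed miner flags
                # is a confirmed miner, not just a suspicious port.
                if ev["process"].lower() in miner_processes:
                    reasons.append("process previously seen with miner flags")
                    severity = "high"
                alerts.append(Alert(ev["id"], ev["process"], reasons, severity))
    return alerts


# Constructed sample telemetry (not real data): one benign service, one miner
# disguised as an updater, its pool connection, a browser, and a game talking
# on a Stratum port without any other indicator.
SAMPLE_EVENTS = [
    '{"id": 1, "type": "process", "process": "svchost.exe", '
    '"cmdline": "C:\\\\Windows\\\\System32\\\\svchost.exe -k netsvcs"}',
    '{"id": 2, "type": "process", "process": "updater.exe", '
    '"cmdline": "updater.exe -o stratum+tcp://pool.example.net:3333 -u 4ABC --donate-level 1"}',
    '{"id": 3, "type": "network", "process": "updater.exe", '
    '"dest_host": "pool.example.net", "dest_port": 3333}',
    '{"id": 4, "type": "network", "process": "chrome.exe", '
    '"dest_host": "www.example.com", "dest_port": 443}',
    '{"id": 5, "type": "network", "process": "game.exe", '
    '"dest_host": "cdn.example.com", "dest_port": 4444}',
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert.event_id, alert.process, alert.severity, "; ".join(alert.reasons))
```

Event 5 fires on the port alone and is deliberately left at medium severity: a Stratum port by itself is a weak signal (legitimate software does use 4444 and similar), so in practice the port-only hits are the ones to enrich with destination reputation before paging anyone, while the correlated process-plus-pool hit is worth an immediate response.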
The publication of the REF1695 research is likely to draw further scrutiny from security vendors. Indicators of compromise from the campaign are being added to threat intelligence feeds, and the financial trails behind the mining and affiliate-fraud proceeds may attract law enforcement interest in more than one jurisdiction. More detailed technical analyses and detection rules from the security community are expected to follow.
Source: Elastic Security Labs