A sophisticated cryptomining operation uses ISO file lures, kernel-level driver abuse, and GitHub CDN delivery to deploy RATs and miners while evading detection.
A financially motivated cyber operation codenamed REF1695 has been targeting victims since November 2023 through a sophisticated campaign that combines social engineering with advanced technical evasion techniques. The attackers use fake software installers distributed as ISO files to deploy remote access trojans (RATs), cryptocurrency miners, and a previously undocumented .NET implant called CNB Bot.
The Infection Chain: From ISO to Kernel-Level Mining
The attack begins with victims downloading what appears to be legitimate software installers packaged as ISO files. Once mounted, these files contain a .NET Reactor-protected loader and a text file with explicit instructions to bypass Microsoft Defender SmartScreen protections. Users are guided to click "More info" and "Run anyway" to execute the malicious payload.
The loader then invokes PowerShell to add broad Microsoft Defender Antivirus exclusions, so that real-time protection no longer inspects the paths and processes the malware uses. Meanwhile, victims see a deceptive error message: "Unable to launch the application. Your system may not meet the required specifications. Please contact support." This misdirection allows CNB Bot to execute silently in the background.
CNB Bot functions as a sophisticated loader with capabilities to download and execute additional payloads, update itself, and perform cleanup actions to cover its tracks. It communicates with command-and-control servers using HTTP POST requests, maintaining persistent access to compromised systems.
Advanced Evasion: The WinRing0x64.sys Driver Abuse
What makes this campaign particularly concerning is its use of a legitimate, validly signed kernel driver to obtain kernel-level hardware access from user mode. The attackers abuse "WinRing0x64.sys," a vulnerable Windows hardware-monitoring driver that exposes privileged operations such as model-specific register (MSR) reads and writes to user-mode callers, and use it to modify CPU settings and boost hash rates for cryptocurrency mining.
This technique, also observed in the recent FAUX#ELEVATE campaign, represents a significant escalation in cryptojacking sophistication. Because the driver is signed, it loads without tripping driver signature enforcement, and the MSR tweaks it performs on the miner's behalf leave little trace in user-mode telemetry: the artifacts a defender can see are the driver load itself and the sustained CPU load that follows.
"The functionality was added to XMRig miners in December 2019," security researchers note, a reminder that MSR tuning through WinRing0 has shipped in the most widely used open-source Monero miner for years and is not bespoke to this actor.
Multi-Payload Strategy and Persistence Mechanisms
Beyond CNB Bot, the REF1695 operation deploys multiple payloads depending on the campaign iteration:
- PureRAT and PureMiner for basic remote access and mining
- A bespoke .NET-based XMRig loader that extracts mining configuration from hard-coded URLs
- SilentCryptoMiner, which issues direct system calls to bypass the user-mode API hooks that EDR products rely on
SilentCryptoMiner employs particularly aggressive persistence mechanisms, including:
- Disabling Windows Sleep and Hibernate modes to maintain continuous mining
- Setting up persistence via scheduled tasks
- Loading the same WinRing0 driver (here named "Winring0.sys") for kernel-level CPU tuning
- Implementing a watchdog process that restores malicious artifacts if deleted
Financial Impact and Infrastructure Analysis
The operation has proven financially successful, accruing 27.88 XMR (approximately $9,392) across four tracked cryptocurrency wallets. This demonstrates the profitability of combining multiple monetization strategies, including cryptomining, CPA (cost-per-action) fraud, and potential data theft through RAT deployment.
Infrastructure analysis shows how the operators keep their own footprint small. They abuse GitHub as a payload delivery Content Delivery Network (CDN), hosting staged binaries across two identified accounts. "This technique shifts the download-and-execute step away from operator-controlled infrastructure to a trusted platform, reducing detection friction," researchers explain.
Protection and Detection Strategies
Organizations can protect against these advanced cryptomining operations through several measures:
Endpoint Protection
- Enable PowerShell script block logging (Event ID 4104) and alert on Add-MpPreference or Set-MpPreference calls that add exclusions or disable real-time monitoring; Defender itself records every such configuration change as Event ID 5007 in the Microsoft-Windows-Windows Defender/Operational log
- Turn on Defender tamper protection so that real-time protection cannot be switched off by a script running in the user's context (on managed devices it can also lock down exclusions)
- Implement application control (WDAC or AppLocker) to block unauthorized .NET assemblies from running out of user-writable locations
- Monitor kernel driver loads (Sysmon Event ID 6) for WinRing0 variants, especially from user-writable paths, and deny the driver by hash or through the Microsoft vulnerable driver blocklist, verifying that the list you deploy covers the WinRing0 builds seen in your environment; a valid signature is not a reason to trust this driver
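As an added illustration of the endpoint checks above (example code written for this article, not tooling from the researchers or from the campaign), the Python below runs three rules over a handful of constructed Windows events: PowerShell script blocks (Event ID 4104) that add Defender exclusions or disable real-time monitoring, Defender's own configuration-change record (Event ID 5007), and driver loads (Sysmon Event ID 6) whose file name matches WinRing0. The hostnames, paths and file names in the sample events are invented; the channel names and event IDs are the real Windows ones. The driver rule deliberately ignores the signature fields, because the driver is validly signed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Windows event channels that carry the three signals we care about.
PS_CHANNEL = "Microsoft-Windows-PowerShell/Operational"        # 4104 script blocks
DEF_CHANNEL = "Microsoft-Windows-Windows Defender/Operational"  # 5007 config changes
SYSMON_CHANNEL = "Microsoft-Windows-Sysmon/Operational"         # 6 driver loads

# Add-/Set-MpPreference with an -Exclusion* parameter, or real-time monitoring turned off.
EXCLUSION_CMDLET = re.compile(
    r"\b(?:Add|Set)-MpPreference\b.*?-Exclusion(?:Path|Process|Extension)\b",
    re.IGNORECASE | re.DOTALL,
)
DISABLE_RTP = re.compile(r"-DisableRealtimeMonitoring\s+\$?true\b", re.IGNORECASE)
# Registry paths that show up in the 5007 "New value:" text when these settings change.
CONFIG_EXCLUSION = re.compile(r"\\Exclusions\\(?:Paths|Processes|Extensions)\\", re.IGNORECASE)
CONFIG_RTP_OFF = re.compile(r"DisableRealtimeMonitoring\s*=\s*0x1", re.IGNORECASE)
# Any driver file whose name starts with winring0, e.g. WinRing0x64.sys or Winring0.sys.
WINRING0 = re.compile(r"(?:^|[\\/])winring0[^\\/]*\.sys$", re.IGNORECASE)


@dataclass
class Alert:
    host: str
    rule: str
    detail: str


def check_event(ev: dict) -> Optional[Alert]:
    """Apply the rule for the event's channel/ID; return an Alert or None."""
    key = (ev.get("channel"), ev.get("event_id"))
    if key == (PS_CHANNEL, 4104):
        text = ev.get("ScriptBlockText", "")
        if EXCLUSION_CMDLET.search(text) or DISABLE_RTP.search(text):
            return Alert(ev["host"], "defender-tamper-powershell", text.strip())
    elif key == (DEF_CHANNEL, 5007):
        msg = ev.get("Message", "")
        if CONFIG_EXCLUSION.search(msg) or CONFIG_RTP_OFF.search(msg):
            return Alert(ev["host"], "defender-config-changed",
                         msg.split("New value:")[-1].strip())
    elif key == (SYSMON_CHANNEL, 6):
        image = ev.get("ImageLoaded", "")
        # Fire on the file name alone: the driver is validly signed, so the
        # signature fields cannot be used to clear it.
        if WINRING0.search(image):
            return Alert(ev["host"], "winring0-driver-load",
                         f"{image} (SignatureStatus={ev.get('SignatureStatus')})")
    return None


def scan(events: list) -> list:
    """Run every event through check_event and collect the alerts in order."""
    return [a for a in (check_event(ev) for ev in events) if a is not None]


# Constructed sample events (hostnames, paths and file names are invented).
SAMPLE_EVENTS = [
    {"host": "ws01", "channel": PS_CHANNEL, "event_id": 4104,
     "ScriptBlockText": "Add-MpPreference -ExclusionPath 'C:\\Users\\Public\\Libraries' "
                        "-ExclusionProcess 'loader.exe'"},
    {"host": "ws01", "channel": DEF_CHANNEL, "event_id": 5007,
     "Message": "Windows Defender Antivirus Configuration has changed. If this is an "
                "unexpected event you should review the settings as this may be the "
                "result of malware.\r\n\tOld value: \r\n\tNew value: HKLM\\SOFTWARE\\"
                "Microsoft\\Windows Defender\\Exclusions\\Paths\\C:\\Users\\Public\\Libraries = 0x0"},
    {"host": "ws01", "channel": SYSMON_CHANNEL, "event_id": 6,
     "ImageLoaded": "C:\\Users\\Public\\Libraries\\WinRing0x64.sys",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"host": "ws02", "channel": PS_CHANNEL, "event_id": 4104,
     "ScriptBlockText": "Get-MpPreference | Select-Object ExclusionPath"},  # benign audit
    {"host": "ws02", "channel": SYSMON_CHANNEL, "event_id": 6,
     "ImageLoaded": "C:\\Windows\\System32\\drivers\\ndis.sys",
     "Signed": "true", "SignatureStatus": "Valid"},                           # benign load
]

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"{a.host} {a.rule}: {a.detail}")
```

Run against the samples, the three ws01 events produce alerts and the two benign ws02 events do not. The 4104 rule is the earliest signal in the chain described above (it fires before the miner or driver ever touch disk), while the 5007 rule catches exclusions added by any means, not only PowerShell.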
Network Monitoring
- Track outbound connections to known mining pools and C2 infrastructure, including the HTTP POST beaconing used by CNB Bot and the Stratum JSON-RPC handshake used by XMRig-based miners
- Correlate with host telemetry: sustained CPU utilization from processes outside the usual set, and power settings changed to disable sleep and hibernation, are the miner's footprint on the box
- Implement egress filtering: deny direct outbound TCP from workstations to ports commonly used by pools (3333, 5555, 14444 and similar) and route the rest through a proxy that logs destination hostnames, keeping in mind that Stratum over TLS on port 443 is only visible through DNS and TLS SNI
- Review downloads from github.com and raw.githubusercontent.com on hosts that are not developer workstations, since the campaign stages its payloads there
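As an added example for the network checks above (written for this article, not code from the report or from the campaign), the Python below classifies raw TCP payloads as Stratum mining traffic. It parses the newline-delimited JSON-RPC that XMRig-style miners send on connect (method login with the wallet in params.login) as well as the older mining.subscribe/mining.authorize handshake, and extracts the wallet when it has the 95-character base58 shape of a Monero address, which is what lets a defender tie traffic to wallets like the four tracked in this operation. The flows, the IPs (documentation ranges) and the wallet string are constructed; no real address appears. The "wallet.worker" / "wallet+difficulty" suffix handling reflects a common pool convention and is an assumption, not something the report states. This only works on cleartext Stratum; for TLS, fall back to DNS names and SNI of known pools.

```python
import json
import re
from typing import Optional

BASE58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Monero standard (4...) and subaddress (8...) forms are 95 base58 characters long.
XMR_ADDRESS = re.compile(r"^[48][" + BASE58 + "]{94}$")
# XMRig-style pools use "login"/"submit"; Bitcoin-style Stratum v1 uses the "mining.*" methods.
STRATUM_METHODS = {"login", "submit", "mining.subscribe", "mining.authorize", "mining.submit"}


def classify_payload(data: bytes) -> Optional[dict]:
    """Return a finding dict if the TCP payload carries a Stratum request, else None."""
    for raw in data.split(b"\n"):          # Stratum is newline-delimited JSON-RPC
        raw = raw.strip()
        if not raw.startswith(b"{"):
            continue
        try:
            msg = json.loads(raw)
        except ValueError:
            continue
        method = msg.get("method")
        if method not in STRATUM_METHODS:
            continue
        finding = {"method": method, "wallet": None, "agent": None}
        params = msg.get("params")
        if isinstance(params, dict):
            login = params.get("login") or params.get("user")
            if isinstance(login, str):
                # Assumed pool convention: "wallet.worker" or "wallet+difficulty"; keep the wallet.
                candidate = re.split(r"[.+]", login, maxsplit=1)[0]
                if XMR_ADDRESS.match(candidate):
                    finding["wallet"] = candidate
            finding["agent"] = params.get("agent")
        elif isinstance(params, list) and params and isinstance(params[0], str):
            finding["agent"] = params[0]   # mining.subscribe sends the user agent first
        return finding
    return None


def scan_flows(flows: list) -> list:
    """Classify (connection, payload) pairs and return findings tagged with their connection."""
    findings = []
    for conn, payload in flows:
        f = classify_payload(payload)
        if f is not None:
            f["connection"] = conn
            findings.append(f)
    return findings


# Constructed dummy wallet: right shape for the regex, not a real address.
FAKE_WALLET = "4" + (BASE58 * 2)[:94]

# Constructed flows; IPs are from the documentation ranges.
SAMPLE_FLOWS = [
    ("10.0.0.5:51234 -> 203.0.113.10:3333",
     json.dumps({"id": 1, "jsonrpc": "2.0", "method": "login",
                 "params": {"login": FAKE_WALLET + ".rig01", "pass": "x",
                            "agent": "XMRig/6.21.0"}}).encode() + b"\n"),
    ("10.0.0.7:49152 -> 203.0.113.20:3333",
     b'{"id": 1, "method": "mining.subscribe", "params": ["cpuminer/2.5.1"]}\n'),
    ("10.0.0.9:50000 -> 198.51.100.8:443",
     b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),   # ordinary web traffic, no finding
]

if __name__ == "__main__":
    for f in scan_flows(SAMPLE_FLOWS):
        print(f)
```

The first flow yields the method, the dummy wallet and the XMRig user agent; the second is recognised as a Stratum v1 subscribe without a wallet; the HTTP request produces nothing. Feed it the first payload of each new outbound TCP session from a packet capture or a network sensor's payload field and it becomes a cheap pool-independent detector for cleartext mining.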
User Education
- Train users to recognize social engineering tactics in fake installer prompts
- Emphasize the risks of bypassing security warnings like SmartScreen
- Implement strict software installation policies and verification procedures
The Evolving Threat Landscape
This campaign exemplifies the evolution of cryptojacking from simple browser-based mining to sophisticated, multi-stage operations that combine social engineering, kernel-level access, and trusted platform abuse. The use of legitimate drivers and platforms like GitHub demonstrates how attackers continuously adapt to evade detection while maximizing profitability.
The REF1695 operation's success highlights the need for defense-in-depth strategies that combine technical controls, user awareness, and continuous monitoring to detect and prevent these increasingly sophisticated threats.
