REF1695: ISO Lures Bypass Windows SmartScreen to Deploy Sophisticated Malware and Miners

For General Readers (Journalistic Brief)

Cybercriminals are using a sophisticated trick involving fake software installers, hidden inside special digital files called ISOs, to infect computers with malicious programs. These ISO files act like virtual CDs, and when opened, they can silently install malware without the user realizing it.

This ongoing attack campaign, known as REF1695, has been active since November 2023. Its primary goals are to steal a computer's processing power for cryptocurrency mining and to trick people into signing up for services for financial gain.

A particularly concerning aspect of this operation is its ability to bypass a key Windows security feature called SmartScreen. Attackers provide users with misleading instructions, guiding them to ignore SmartScreen warnings, which are designed to protect against unknown applications. This allows them to install a new, previously undetected malicious program called CNB Bot.

CNB Bot serves as a gateway, capable of downloading more malicious tools, updating itself, and even covering its tracks to evade detection. The attackers are also exploiting legitimate but vulnerable Windows drivers to boost the performance of their cryptocurrency miners, making their illegal operations more profitable.

To make their activities harder to trace, the attackers are hosting their malicious software on GitHub, a popular platform for software developers. This tactic leverages the trust associated with GitHub to distribute harmful programs, making it more challenging for security systems to identify them as suspicious.

Technical Deep-Dive

1. Executive Summary

The REF1695 operation is a financially motivated cybercrime campaign observed since November 2023. It employs ISO files as the initial infection vector to deliver a multi-stage payload. The campaign's primary objectives include cryptocurrency mining and Cost Per Action (CPA) fraud. Recent activity involves the deployment of a novel .NET implant, codenamed CNB Bot, which functions as a loader for further malicious payloads and provides self-update and cleanup capabilities. The operation exhibits advanced evasion techniques, including bypassing Microsoft Defender SmartScreen, disabling antivirus exclusions, and abusing legitimate kernel drivers for performance enhancement. Attackers leverage GitHub as a Content Delivery Network (CDN) for payload hosting.

CVSS Score: Not publicly disclosed for the specific campaign or its components.
Affected Products: Microsoft Windows operating systems. Specific software versions are not detailed but are susceptible to the described exploitation chain.
Severity Classification: High. The campaign involves multiple evasion techniques, novel implants, and significant potential for financial loss and system compromise.

2. Technical Vulnerability Analysis

• CVE ID and Details: No specific CVEs are directly associated with the REF1695 campaign's core infection vector (ISO lure) or the CNB Bot implant itself. The campaign exploits user interaction and system configurations to bypass security mechanisms. The abuse of the WinRing0x64.sys driver, however, refers to known vulnerabilities or intended functionality that can be leveraged. The specific version of WinRing0x64.sys being abused and its associated CVEs are not publicly detailed in the source.
• Root Cause (Code-Level): The primary "vulnerability" exploited is not a traditional software flaw but rather a combination of:
  • Social Engineering: Tricking users into executing malicious payloads by presenting them within ISO files and providing misleading instructions to bypass Windows Defender SmartScreen.
  • Configuration Weakness/Abuse: The campaign leverages the ability to configure broad Microsoft Defender Antivirus exclusions via PowerShell, effectively disabling real-time protection for specific malicious processes.
  • Driver Abuse: Legitimate, signed kernel drivers (WinRing0x64.sys, Winring0.sys) are used for their intended or exploitable functionality to gain elevated privileges and manipulate hardware (CPU settings) for performance gains in mining.
  • .NET Reactor Protection: The loader is protected by .NET Reactor, a commercial software protection tool that obfuscates .NET code, making static analysis and reverse engineering more challenging.
  • CWE:
    • CWE-20: Improper Input Validation (potentially in how the loader handles configuration or downloaded payloads).
    • CWE-312: Stored Data with Insufficient Protection (if C2 credentials or configurations are stored insecurely, though HTTP POST suggests transmission).
    • CWE-732: Insecure Permissions (if the loader or its components are installed with overly permissive access).
    • CWE-499: Sensitive Information Exposure (through CPA fraud).
    • CWE-770: Allocation of Resources Without Limits or Throttling (potential for denial of service if the miner consumes excessive resources).
    • CWE-1004: Sensitive Data Exposure Through Insecure File Permissions (if downloaded payloads are not secured).
• Affected Components:
  • Microsoft Windows operating systems (versions not specified, but likely targeting recent versions where SmartScreen and Defender are prevalent).
  • Microsoft Defender Antivirus.
  • Legitimate Windows kernel drivers (WinRing0x64.sys, Winring0.sys).
  • .NET Framework/Runtime.
• Attack Surface:
  • User-facing applications and installers (delivered via ISO).
  • Microsoft Defender Antivirus configuration interfaces (exploited via PowerShell).
  • System kernel interfaces (leveraged by abused drivers).
  • Network protocols (HTTP POST for C2 communication).

3. Exploitation Analysis (Red-Team Focus)

• Red-Team Exploitation Steps:

  1. Initial Access (ISO Lure): Attacker distributes an ISO file containing a fake installer executable and a text file with instructions.
  2. User Interaction & SmartScreen Bypass: Victim mounts the ISO, executes the installer. The installer presents a fake error and provides instructions to click "More info" and "Run anyway" on a SmartScreen prompt, overriding the protection.
  3. Loader Execution & Defender Exclusions: The installer's loader (likely .NET, obfuscated by .NET Reactor) invokes PowerShell.
  4. Antivirus Evasion: PowerShell script configures broad Microsoft Defender Antivirus exclusions, disabling real-time protection for specific malicious processes.
  5. Payload Deployment (CNB Bot): CNB Bot is launched in the background.
  6. C2 Communication: CNB Bot establishes communication with a Command and Control (C2) server via HTTP POST requests.
  7. Further Payload Download/Execution: CNB Bot acts as a loader, downloading and executing additional payloads (e.g., RATs, crypto miners).
  8. Cryptomining Enhancement (Optional): If a crypto miner like XMRig or SilentCryptoMiner is deployed, the attacker may abuse WinRing0x64.sys or Winring0.sys to gain kernel-level access and modify CPU settings for increased hash rates.
  9. Persistence & Cleanup: CNB Bot can update itself, uninstall, and perform cleanup actions. A watchdog process ensures persistence mechanisms are restored if deleted.
  10. Monetization: Infection leads to cryptomining or CPA fraud (directing victims to content locker pages).

• Prerequisites:

  • User must be tricked into executing the initial payload from the ISO.
  • User must follow the provided instructions to bypass SmartScreen.
  • Microsoft Defender Antivirus must be present and configurable via PowerShell.
  • Network connectivity to C2 servers and payload hosting (GitHub).
  • Appropriate Windows architecture for the abused kernel drivers.

• Privileges Required:

  • Initial Execution: Standard user privileges are sufficient to execute the initial loader from the ISO.
  • Defender Exclusions: Modifying Defender exclusions typically requires administrative privileges. This suggests either a privilege escalation step or that the initial execution context already has sufficient rights, or the PowerShell script itself is designed to prompt for UAC if needed.
  • Kernel Driver Abuse: Requires kernel-level access, which is achieved by abusing the signed drivers. This implies that once the loader is running, it either has or can obtain the necessary privileges to load/interact with these drivers.

• Network Requirements:

  • Outbound HTTP/HTTPS connectivity to C2 servers.
  • Outbound connectivity to GitHub for payload retrieval.
  • No specific inbound requirements are mentioned for the initial compromise.

• Public PoCs and Exploits: No specific CVEs or public exploit modules are directly tied to the REF1695 campaign's unique components (CNB Bot, specific ISO lure). However, the techniques used (SmartScreen bypass, Defender exclusion manipulation, kernel driver abuse for mining) are documented in broader security research.

  • XMRig Driver Abuse: Functionality for using Winring0.sys was added to XMRig in December 2019. Research on cryptojacking campaigns often details the abuse of such drivers.
  • SmartScreen Bypass: Various social engineering tactics to bypass SmartScreen are common in malware distribution.

• Exploitation Prerequisites:

  • User must be susceptible to social engineering.
  • Windows Defender must be installed and running.
  • PowerShell must be enabled and executable.
  • The specific version of the WinRing0x64.sys or Winring0.sys driver must be present and vulnerable/exploitable on the target system.

• Automation Potential: High. The initial ISO execution and subsequent PowerShell commands can be automated. The CNB Bot's loader functionality also suggests automated downloading and execution of further stages. The potential for worm-like propagation is limited by the need for user interaction to open the ISO and bypass SmartScreen, unless combined with other lateral movement techniques.

• Attacker Privilege Requirements:

  • Initial Compromise: Unauthenticated (user interaction required).
  • Post-Compromise: Low-privilege user to administrator/system for Defender exclusion modification and kernel driver interaction.

• Worst-Case Scenario:

  • Confidentiality: Compromise of sensitive data if RATs are deployed. Exposure of user credentials and browsing habits.
  • Integrity: Potential for data modification or installation of further persistent backdoors. System instability due to resource exhaustion by miners.
  • Availability: Significant degradation of system performance due to cryptocurrency mining. Potential for system crashes or unresponsiveness. Disruption of business operations if critical systems are affected.

4. Vulnerability Detection (SOC/Defensive Focus)

• How to Detect if Vulnerable:

  • File System Scan: Search for ISO files with suspicious names or from untrusted sources.
  • Process Monitoring: Look for PowerShell.exe executing commands related to Defender exclusions (e.g., Add-MpPreference -ExclusionPath, Add-MpPreference -ExclusionExtension).
  • Registry/Configuration Checks: Monitor for unusual entries in Microsoft Defender's configuration.
  • Driver Verification: Check for the presence and loading of WinRing0x64.sys or Winring0.sys from unexpected locations or with unusual timestamps.

• Indicators of Compromise (IOCs):

  • File Hashes: Not publicly disclosed for the specific loader, CNB Bot, or payloads. These would be critical for detection.
  • Network Indicators:
    • Suspicious HTTP POST requests to unknown domains or IPs.
    • Connections to GitHub repositories hosting executables.
    • Known C2 IP addresses or domains (if identified).
  • Process Behavior Patterns:
    • PowerShell.exe with commands modifying Defender exclusions.
    • Execution of .NET executables from temporary directories or unusual paths.
    • High CPU utilization by xmrig.exe, silentcryptominer.exe, or unknown .NET processes.
    • Execution of WinRing0x64.sys or Winring0.sys drivers outside of their expected system paths.
  • Registry/Config Changes: Modifications to Microsoft Defender Antivirus exclusion lists.
  • Log Signatures:
    • Windows Event Logs (Security, System, Application) for suspicious process creation, UAC prompts, and driver loading events.
    • Sysmon logs for process creation, network connections, registry modifications, and driver loading.

• SIEM Detection Queries:

  KQL (Azure Sentinel / Microsoft Defender for Endpoint):

  DeviceProcessEvents
  | where FileName =~ "powershell.exe"
  | where CommandLine has "Add-MpPreference" and CommandLine has "Exclusion"
  | extend ExclusionPath = extract("ExclusionPath\\s+'([^']+)'", 1, CommandLine)
  | extend ExclusionExtension = extract("ExclusionExtension\\s+'([^']+)'", 1, CommandLine)
  | project Timestamp, DeviceName, InitiatingProcessFileName, FileName, CommandLine, ExclusionPath, ExclusionExtension, AccountName
  | where isnotempty(ExclusionPath) or isnotempty(ExclusionExtension)

  SPL (Splunk):

  index=* sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational EventCode=1
  | search TargetFileName="powershell.exe" CommandLine="*Add-MpPreference*" CommandLine="*Exclusion*"
  | rex "CommandLine=(?<cmd>.*)"
  | eval ExclusionPath = if(match(cmd, "ExclusionPath\\s+'[^']+'"), mvindex(split(split(cmd, "ExclusionPath"), "'"), 1), null())
  | eval ExclusionExtension = if(match(cmd, "ExclusionExtension\\s+'[^']+'"), mvindex(split(split(cmd, "ExclusionExtension"), "'"), 1), null())
  | table _time, host, ParentProcessName, TargetFileName, cmd, ExclusionPath, ExclusionExtension, User
  | where isnotnull(ExclusionPath) OR isnotnull(ExclusionExtension)

• Behavioral Indicators:

  • Sudden, unexplained increase in CPU usage by non-standard processes.
  • System performance degradation.
  • Unusual network traffic patterns originating from user workstations.
  • Execution of unsigned or unusually signed kernel drivers.
  • Disabling of security software features.
  • Persistence mechanisms (scheduled tasks, registry run keys) created by unknown executables.

5. Mitigation & Remediation (Blue-Team Focus)

• Official Patch Information: No specific patches are available for the REF1695 campaign itself, as it relies on social engineering and configuration abuse rather than exploiting a specific software vulnerability. Patches for underlying Windows components or drivers might exist, but the primary defense is behavioral and preventative.

• Workarounds & Temporary Fixes:

  • User Education: Crucial for educating users about phishing, suspicious ISO files, and the dangers of overriding security warnings.
  • Application Control: Implement strict application whitelisting policies (e.g., AppLocker, Windows Defender Application Control) to prevent the execution of unauthorized executables, especially from user-writable locations.
  • PowerShell Constrained Language Mode: Enforce PowerShell Constrained Language Mode to restrict dangerous cmdlets, including those that modify Defender settings.
  • Disable AutoMount for ISOs: Prevent automatic mounting of ISO files to require explicit user action.
  • Network Segmentation & Firewall Rules: Block outbound connections to known malicious C2 infrastructure and GitHub repositories hosting executables. Restrict PowerShell remoting.
  • WAF/IPS Signatures: Develop signatures for known malicious network patterns or file types associated with the campaign.
  • Disable Unnecessary Drivers: If WinRing0x64.sys or Winring0.sys are not required for legitimate operations, consider disabling or removing them if possible, though this is often difficult for kernel drivers.

• Manual Remediation Steps (Non-Automated):

  1. Identify and Terminate Malicious Processes: Use Task Manager or taskkill to terminate identified malicious processes (e.g., powershell.exe with suspicious commands, unknown .NET executables, miner processes).
  2. Remove Malicious Files: Delete identified malicious executables, loaders, and any downloaded payloads from disk. Common locations include %TEMP%, %APPDATA%, %LOCALAPPDATA%.
  3. Restore Defender Exclusions: Manually remove any broad exclusions added by the attacker.

     # Run as Administrator
     Get-MpPreference | Select-Object ExclusionPath, ExclusionExtension, ExclusionFile, ExclusionProcess
     # Example to remove a specific path exclusion
     Remove-MpPreference -ExclusionPath "C:\Path\To\Malware"

  4. Remove Persistence Mechanisms: Check and remove any scheduled tasks, registry run keys (HKCU\Software\Microsoft\Windows\CurrentVersion\Run, HKLM\Software\Microsoft\Windows\CurrentVersion\Run), or WMI persistence created by the malware.
  5. Scan with Updated Antivirus/EDR: Perform a full system scan with up-to-date security solutions.
  6. Investigate System Drivers: Verify the integrity and source of loaded kernel drivers like WinRing0x64.sys and Winring0.sys. If found in unusual locations or with suspicious timestamps, investigate their origin.

• Risk Assessment During Remediation:

  • Incomplete Removal: Risk of reinfection if persistence mechanisms or associated files are missed.
  • System Instability: Aggressive termination of processes or removal of files could lead to system instability if not done carefully.
  • Data Loss: If the malware has already exfiltrated data or caused integrity issues.
  • Continued Mining/Fraud: If remediation is slow, the attacker continues to profit.

6. Supply-Chain & Environment-Specific Impact

• CI/CD Impact: The use of GitHub for payload hosting could indirectly impact CI/CD pipelines if developers inadvertently pull malicious dependencies or configurations hosted on compromised GitHub accounts. The .NET nature of CNB Bot suggests potential impact on .NET development environments.
• Container/Kubernetes Impact:
  • Docker: If a container image is compromised or built from a malicious source, it could propagate the malware. Execution within a container might be contained, but if the container has excessive privileges or access to host resources (e.g., direct hardware access for mining), the impact could be significant.
  • Kubernetes: Similar to Docker, compromised images or misconfigured deployments could lead to infection. The abuse of kernel drivers for mining would be particularly concerning in Kubernetes if pods have privileged access or direct node access. Container isolation effectiveness is key here; if the malware breaks out of the container, it can affect the host node.
• Supply-Chain Implications: The reliance on GitHub for payload delivery is a form of supply-chain attack. If attackers can compromise developer accounts or repositories, they can inject malicious code into the software development lifecycle. The use of legitimate but vulnerable drivers also highlights a supply-chain risk where trusted components are weaponized.

7. Advanced Technical Analysis

• Exploitation Workflow (Detailed):

  1. ISO Mount & Execution: User mounts malicious.iso.
  2. Fake Installer Execution: User runs setup.exe (or similar).
  3. SmartScreen Prompt: Windows Defender SmartScreen displays a warning for setup.exe.
  4. User Bypass: User follows instructions: clicks "More info" -> "Run anyway".
  5. Loader Invocation: setup.exe (or its embedded loader) executes a PowerShell script.
  6. Defender Exclusion Script: PowerShell script runs Add-MpPreference -ExclusionPath 'C:\Users\Public\...' (or similar broad exclusions).
  7. CNB Bot Launch: The loader then executes CNBBot.exe (or similar) from a benign-looking location.
  8. C2 Communication: CNBBot.exe initiates HTTP POST requests to http://<attacker-c2-domain>/api/v1/payload.
  9. Payload Retrieval: CNB Bot receives instructions or direct download links for further payloads (RAT, miner).
  10. Miner Execution & Driver Abuse: If a miner is downloaded (e.g., xmrig.exe), it may attempt to load WinRing0x64.sys to boost CPU performance. This involves calling specific IOCTLs to the driver.
  11. Persistence: CNB Bot might create a scheduled task: schtasks /create /tn "SystemUpdate" /tr "C:\Windows\System32\cmd.exe /c start C:\path\to\CNBBot.exe" /sc ONLOGON.

• Code-Level Weakness:

  • CNB Bot: Likely a .NET application. Its primary "weakness" from an attacker's perspective is its design as a flexible loader. The code would contain logic for HTTP communication, deserialization of C2 responses, file I/O for downloading/executing payloads, and self-update/uninstall routines. Obfuscation by .NET Reactor makes direct code analysis difficult without deobfuscation.
  • PowerShell Script: Simple scripting to modify Defender settings. The "weakness" is the ability for standard users or processes to trigger these commands, especially if UAC is bypassed or not strictly enforced.
  • Kernel Drivers (WinRing0x64.sys, Winring0.sys): These are legitimate drivers. The "weakness" is their intended functionality to interact with hardware registers and CPU settings, which can be abused for performance tuning in mining. The specific vulnerability might lie in how they handle certain IOCTLs or lack robust input validation if they are older or misconfigured versions.

• Related CVEs & Chaining:

  • No direct CVE chaining is described. The attack chain relies on user interaction, configuration abuse, and driver functionality.
  • Similar Vulnerabilities (CWE Class):
    • CWE-20: Improper Input Validation (potentially in driver interaction or payload handling).
    • CWE-250: Execution with Unnecessary Privileges (if the loader gains higher privileges than needed).
    • CWE-269: Improper Privilege Management.
    • CWE-426: Untrusted Search Path Element (if loaders execute DLLs from user-writable paths).

• Bypass Techniques:

  • WAF/IDS/EDR:
    • Evasion of Network Signatures: Using HTTP POST with common headers, encrypting C2 traffic (if implemented), or using legitimate-looking domains (GitHub).
    • Evasion of File Signatures: Obfuscation (.NET Reactor), polymorphic code, or using fileless execution techniques.
    • Evasion of Behavioral Signatures:
      • Defender Exclusions: Directly disabling AV protection.
      • Driver Abuse: Using signed, legitimate drivers to perform malicious actions, making detection harder as the driver itself is trusted.
      • Direct System Calls: SilentCryptoMiner is noted to use direct system calls to evade detection, bypassing standard API hooking mechanisms used by many EDRs.
      • Watchdog Process: Restores malicious components if deleted by security tools.
  • Sandboxes: Sophisticated sandboxes might detect the initial ISO execution or the PowerShell commands. However, the SmartScreen bypass requires human interaction, which is difficult for automated sandboxes to replicate. The use of legitimate drivers and direct system calls can also evade sandbox detection.

8. Practical Lab Testing

• Safe Testing Environment Requirements:

  • Isolated Network: A completely air-gapped or heavily segmented network.
  • Virtual Machines: Multiple VMs running different versions of Windows (e.g., Windows 10, Windows 11) to test SmartScreen behavior and Defender settings.
  • Sysmon: Installed on VMs for detailed logging.
  • Network Traffic Analysis Tools: Wireshark, tcpdump, or a dedicated network tap.
  • Debugging Tools: dnSpy or similar for .NET analysis (if deobfuscation is attempted), WinDbg for kernel debugging.
  • Sample Acquisition: A safe method to obtain and analyze the ISO file and its contents without accidental execution.

• How to Safely Test:

  1. Obtain Sample: Acquire the malicious ISO file in a controlled manner.
  2. Mount ISO in VM: Mount the ISO within an isolated VM.
  3. Observe Initial Execution: Launch the fake installer and observe the SmartScreen prompt.
  4. Simulate User Interaction: Follow the provided instructions to bypass SmartScreen. Crucially, do NOT click "Run anyway" if you are not in a controlled, isolated environment. For testing, you would simulate this action.
  5. Monitor Process Activity: Use Sysmon and Task Manager to observe PowerShell.exe execution, Defender exclusion modifications, and the launch of CNB Bot or other executables.
  6. Analyze Network Traffic: Capture and analyze network traffic for C2 communication to GitHub or other domains.
  7. Inspect File System & Registry: Examine created files, registry keys, and scheduled tasks.
  8. Test Driver Loading: If possible, attempt to load the specific kernel driver version in a controlled manner to understand its interaction with the system.
  9. Simulate Remediation: Test the effectiveness of the proposed remediation steps (e.g., removing exclusions, terminating processes).

• Test Metrics:

  • Successful SmartScreen Bypass: Percentage of attempts that successfully trigger the "Run anyway" prompt and execute the next stage.
  • Defender Exclusion Success Rate: Percentage of attempts to add exclusions that succeed.
  • CNB Bot Execution: Successful launch and C2 communication of the CNB Bot.
  • Payload Download/Execution: Successful retrieval and execution of secondary payloads (RATs, miners).
  • Persistence Establishment: Successful creation of scheduled tasks or registry run keys.
  • Remediation Effectiveness: Percentage of malicious artifacts and persistence mechanisms successfully removed.
  • System Performance Impact: Measure CPU/GPU utilization before and after miner execution.

9. Geopolitical & Attribution Context

• State-Sponsored Involvement: No public evidence suggests state-sponsored involvement. The operation appears to be financially motivated.
• Targeted Sectors: Not publicly disclosed. Given the nature of cryptomining and CPA fraud, a broad range of individual users and potentially small to medium businesses are likely targets.
• Attribution Confidence: Low. The operation is described as "financially motivated," which is typical of cybercriminal groups rather than nation-states. The use of generic techniques and a novel implant without specific TTPs linking to known APTs makes attribution difficult.
• Campaign Context: The operation is codenamed REF1695. It has been active since November 2023, with recent iterations deploying CNB Bot. The use of specific drivers for mining is a recurring theme in cryptojacking campaigns, but this specific combination of ISO lures, CNB Bot, and GitHub hosting is a distinct campaign.
• If unknown: Attribution currently unconfirmed. The operation is characterized as financially motivated.

10. References & Sources

• Elastic Security Labs Analysis (as reported by The Hacker News).
• The Hacker News Article: "Researchers Uncover Mining Operation Using ISO Lures to Spread RATs and Crypto Miners" (Published: Thu, 02 Apr 2026 11:42:00 GMT)
• Documentation on .NET Reactor (commercial obfuscator).
• XMRig GitHub repository (for driver integration details).
• Microsoft Defender Antivirus documentation.
• Windows Defender SmartScreen documentation.
• General research on cryptojacking campaigns and kernel driver abuse.