Cybercriminals Use ISO Files to Deploy Malicious Software
A cybercriminal operation tracked as REF1695 has been distributing remote access trojans (RATs) and cryptocurrency miners since November 2023, according to research findings reported by The Hacker News. The operation's miners have earned 27.88 XMR (Monero) spread across four separate wallets.
ISO Lures as Distribution Method
The operation uses ISO files as lures to deliver its malware. An ISO is an optical disc image: it can hold an entire software package or operating system installer, and modern Windows mounts one as a virtual drive on a double-click, so a victim who opens the attachment sees what looks like a removable disk holding a single shortcut or executable. For years, files launched from inside a mounted image also lacked the Mark-of-the-Web that downloaded files normally carry, so SmartScreen and Office protected-view warnings did not trigger; Microsoft changed that behaviour in late 2022, but ISO lures still reach users whose mail filters and training focus on other file types.
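An analyst handed a suspect image wants to know what is inside it before anyone mounts it. The following is an added example, not code from the REF1695 research or from The Hacker News: a minimal ISO 9660 reader that parses the primary volume descriptor and, when present, the Joliet supplemental descriptor, walks the directory tree, and flags entries shaped like typical lures (shortcuts, executables, and files marked hidden in the image's own file flags). The sample image it builds, including the file names "Invoice.lnk" and "helper.dll", is constructed here for demonstration and is not taken from the campaign.

```python
"""ISO 9660 triage: list the files in a disc image and flag lure-like entries.
Added example; the sample image and its file names are constructed, not real."""
import struct
from dataclasses import dataclass

SECTOR = 2048
RISKY_EXT = {".exe", ".dll", ".lnk", ".js", ".vbs", ".bat", ".cmd",
             ".scr", ".hta", ".ps1", ".msi"}


@dataclass
class Entry:
    path: str
    size: int
    hidden: bool   # ISO 9660 file-flag bit 0 ("existence"): Explorer does not list it
    is_dir: bool


def _records(image, extent, length, joliet):
    """Yield (name, raw record) for one directory extent, skipping '.' and '..'."""
    data = image[extent * SECTOR:extent * SECTOR + length]
    pos = 0
    while pos < len(data):
        rec_len = data[pos]
        if rec_len == 0:                       # zero padding: jump to next sector
            pos = (pos // SECTOR + 1) * SECTOR
            continue
        rec = data[pos:pos + rec_len]
        pos += rec_len
        raw = rec[33:33 + rec[32]]             # byte 32 holds the identifier length
        if raw in (b"\x00", b"\x01"):          # "." and ".." entries
            continue
        name = raw.decode("utf-16-be" if joliet else "ascii")
        yield name.split(";")[0], rec          # drop the ";1" version suffix


def _walk(image, extent, length, joliet, prefix, out):
    for name, rec in _records(image, extent, length, joliet):
        loc = struct.unpack_from("<I", rec, 2)[0]    # extent location (little-endian copy)
        size = struct.unpack_from("<I", rec, 10)[0]  # data length (little-endian copy)
        flags = rec[25]
        entry = Entry(prefix + "/" + name, size, bool(flags & 0x01), bool(flags & 0x02))
        out.append(entry)
        if entry.is_dir:
            _walk(image, loc, size, joliet, entry.path, out)


def list_iso(image, prefer_joliet=True):
    """Return every entry, using the Joliet tree (long names) when one exists."""
    chosen, sector = None, 16                  # volume descriptors start at sector 16
    while True:
        vd = image[sector * SECTOR:(sector + 1) * SECTOR]
        if vd[1:6] != b"CD001" or vd[0] == 255:   # not a descriptor, or set terminator
            break
        if vd[0] == 1 and chosen is None:
            chosen = (vd[156:190], False)      # primary VD: root record at byte 156
        elif prefer_joliet and vd[0] == 2 and vd[88:90] == b"%/":
            chosen = (vd[156:190], True)       # Joliet SVD: UCS-2 escape sequence
        sector += 1
    if chosen is None:
        raise ValueError("not an ISO 9660 image")
    root, joliet = chosen
    out = []
    _walk(image, struct.unpack_from("<I", root, 2)[0],
          struct.unpack_from("<I", root, 10)[0], joliet, "", out)
    return out


def flag_lure(entries):
    """Entries to open first: risky extensions, or files hidden inside the image."""
    hits = []
    for e in entries:
        base = e.path.rsplit("/", 1)[-1].lower()
        ext = "." + base.rsplit(".", 1)[1] if "." in base else ""
        if not e.is_dir and (ext in RISKY_EXT or e.hidden):
            hits.append(e)
    return hits


def _rec(ident, extent, size, flags):
    """Build one ISO 9660 directory record (used only for the constructed sample)."""
    body = struct.pack("<I", extent) + struct.pack(">I", extent)   # both-endian extent
    body += struct.pack("<I", size) + struct.pack(">I", size)      # both-endian length
    body += bytes(7) + bytes([flags, 0, 0])                        # date, flags, unit, gap
    body += struct.pack("<H", 1) + struct.pack(">H", 1)            # volume sequence number
    body += bytes([len(ident)]) + ident + (b"\x00" if len(ident) % 2 == 0 else b"")
    return bytes([len(body) + 2, 0]) + body


def build_sample_iso():
    """Constructed two-file image: a visible .lnk beside a hidden .dll payload."""
    files = [(b"INVOICE.LNK;1", "Invoice.lnk", 21, 1200, 0x00),
             (b"HELPER.DLL;1", "helper.dll", 22, 4096, 0x01)]   # 0x01 = hidden flag

    def directory(extent, joliet):
        recs = _rec(b"\x00", extent, SECTOR, 0x02) + _rec(b"\x01", extent, SECTOR, 0x02)
        for short, long_, loc, size, fl in files:
            recs += _rec(long_.encode("utf-16-be") if joliet else short, loc, size, fl)
        return recs.ljust(SECTOR, b"\x00")

    def descriptor(vtype, root_extent, escape=b""):
        vd = bytearray(SECTOR)
        vd[0], vd[1:6], vd[6] = vtype, b"CD001", 1
        vd[88:88 + len(escape)] = escape
        vd[128:130], vd[130:132] = struct.pack("<H", SECTOR), struct.pack(">H", SECTOR)
        vd[156:190] = _rec(b"\x00", root_extent, SECTOR, 0x02)
        return bytes(vd)

    image = bytes(16 * SECTOR)                                  # system area, sectors 0-15
    image += descriptor(1, 19) + descriptor(2, 20, b"%/E")      # PVD (16), Joliet SVD (17)
    image += (bytes([255]) + b"CD001").ljust(SECTOR, b"\x00")   # terminator (18)
    image += directory(19, False) + directory(20, True)         # root directories (19, 20)
    image += b"L".ljust(SECTOR, b"\x00") + b"MZ".ljust(SECTOR, b"\x00")  # file data (21, 22)
    return image


if __name__ == "__main__":
    for e in flag_lure(list_iso(build_sample_iso())):
        print(f"{e.path:<16} {e.size:>6} bytes  hidden={e.hidden}")
```

Run it on a real image by replacing `build_sample_iso()` with `open(path, "rb").read()`; for large images you would read sectors on demand rather than the whole file, and a production tool would also parse Rock Ridge names and El Torito boot records, which this example omits. The hidden-flag check matters because a common lure layout exposes only the shortcut while the payload it launches carries the hidden flag, so a directory listing in Explorer shows one innocuous file.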
Once a victim runs the contents, the malware serves two purposes: it installs a remote access trojan that gives the attackers control of the infected computer, and it deploys a cryptocurrency miner that earns digital currency for the operators.
Revenue Generation Through Multiple Channels
REF1695 monetizes its access in two ways. The first is cryptocurrency mining: infected computers mine Monero, a privacy-focused currency favoured by cybercriminals because its transactions are hard to trace and because its proof-of-work algorithm is designed for ordinary CPUs, so even commodity infected machines contribute useful hash rate.
The second revenue stream comes from cost-per-action (CPA) fraud, a scheme where attackers generate illegitimate commissions by manipulating online advertising systems. CPA fraud typically involves using compromised computers to perform fake actions such as clicking advertisements, filling out forms, or downloading applications.
Operational Timeline and Scale
The research indicates that REF1695 has been active since November 2023, roughly a year of sustained activity at the time of the report. Earnings of 27.88 XMR across four wallets are modest, but they demonstrate that combining several monetization methods in a single campaign pays for itself.
Remote access trojans provide attackers with persistent access to compromised systems, allowing them to install additional malware, steal sensitive information, or use the infected computers for other criminal activities. The combination of RATs with cryptocurrency miners creates a multifaceted threat that can generate ongoing revenue while maintaining long-term access to victim networks.
The use of ISO files as the initial infection vector reflects a broader shift in attacker tactics: attachment filters and security awareness training typically concentrate on executables and macro-enabled documents, and a disc image that opens as a harmless-looking drive sidesteps both.