A financially motivated threat actor, codenamed REF1695, has been observed carrying out a large-scale operation to spread remote access trojans (RATs) and cryptocurrency miners since November 2023.
The operation relies on fake installers that pose as legitimate software but carry malicious payloads. Once run, these payloads deploy RATs and cryptocurrency miners on the compromised systems, which is how the threat actor monetizes the infections.
According to researchers, the threat actor’s primary goal is to earn money through cryptomining, but they also engage in Cost Per Action (CPA) fraud. This involves directing victims to content locker pages that appear to be software registration pages, but are actually designed to generate revenue for the threat actor.
The use of fake ISO files as lures is a notable aspect of this operation. The threat actor is using these files to trick victims into downloading and installing the malicious payloads, highlighting the importance of being cautious when downloading software from unfamiliar sources.
As the threat landscape continues to evolve, it is essential for individuals and organizations to remain vigilant and take steps to protect themselves from such attacks. This includes being cautious when downloading software, keeping systems and software up to date, and using anti-virus software to detect and prevent malware infections.
By staying informed about the latest threats and taking proactive measures to secure systems and data, individuals and organizations can reduce the risk of falling victim to these types of attacks and protect themselves from financial and reputational damage.
