CNB Bot

These attacks leverage an ISO file as the infection vector to deliver a .NET Reactor-protected loader

The best protection against this threat is to avoid unofficial installers and cracked software.

Stage 3 is launched through PowerShell, and a scheduled task named SVCConfig is registered via schtasks.exe with an ONLOGON trigger and HIGHEST privilege.

By decrypting traffic captured in VirusTotal sandboxes, we observed that the C2 server at windirautoupdates[.]top was automatically issuing a download-and-execute task directing the implant to fetch an XMR mining payload from https://github[.]com/.../MnrsInstllr_240126[.]exe.

The loader is designed to invoke PowerShell, which is responsible for configuring broad Microsoft Defender Antivirus exclusions to fly under the radar and launch CNB Bot in the background.

...a fake ISO file that distributed a .NET Reactor-protected loader... REF1695 also leveraged ISO lures to spread... a custom .NET-based XMRig loader...

...distributed a .NET Reactor-protected loader...

They talk the user through bypassing SmartScreen by clicking More Info and Run Anyway.

Stage 3 is launched through PowerShell, and a scheduled task named SVCConfig is registered via schtasks.exe with an ONLOGON trigger and HIGHEST privilege.

The watchdog is responsible for monitoring the loader file in its persistence folder: it rewrites the file to disk if it is deleted and reinstalls the persistence mechanism if the scheduled task or registry key is deleted.

Stage 3 is launched through PowerShell, and a scheduled task named SVCConfig is registered via schtasks.exe with an ONLOGON trigger and HIGHEST privilege.

The watchdog is responsible for monitoring the loader file in its persistence folder: it rewrites the file to disk if it is deleted and reinstalls the persistence mechanism if the scheduled task or registry key is deleted.

The scam usually starts with a fake download, often an ISO file. To dodge security checks, the hackers include a ReadMe.txt file that uses social engineering. It claims the software is from a small non-profit team of developers that can’t afford official Windows certificates and is providing the software for free.

Following payload launch, Stage 2 writes a temporary .bat file to %TEMP% with a polling loop that forcefully deletes the installer binary until successful, then deletes the batch file itself.

...distributed a .NET Reactor-protected loader...

The encrypted next-stage module is stored as a .NET resource and decrypted via Triple DES (3DES) in CBC mode using an embedded key and IV. The decrypted output is a GZip-compressed PE.

Execute: .exe (hidden), .bat/.cmd (cmd /c), .vbs (wscript.exe), other (ShellExecute).

Writes a VBScript wrapper sysdata.vbs alongside the binary: CreateObject("WScript.Shell").Run """<installed_path>""", 0, False. Creates a scheduled task named HostDataProcess via schtasks.exe, configured to run wscript.exe //nologo sysdata.vbs every 10 minutes at HIGHEST privilege

At startup, CNB Bot uses five different methods to check for VM detection...

At startup, CNB Bot uses five different methods to check for VM detection... WMI ComputerSystem Manufacturer/Model... WMI BIOS Version/Serial... Process list... Registry... MAC Address... When the detection threshold is reached, the first process instance acquires a named mutex and enters an infinite sleep.

...the eventual deployment of the CNB Bot implant that permits further payload injections...

Fields sent on every request: desktop machine name, username username, os Windows version... privileges user OR admin... client_path full path of running executable... external IP via ipify[.]org / icanhazip[.]com / ident[.]me

On each tick, IsAnalysisToolRunning() compares all running process names against a hardcoded list of 35 security and monitoring tools (Taskmgr, ProcessHacker, Wireshark, Procmon, etc.).

Fields sent on every request: ... cpu processor name from the registry, gpu GPU name(s) from registry, gpu_type yes (discrete) / no (integrated)

At startup, CNB Bot uses five different methods to check for VM detection...

At startup, CNB Bot uses five different methods to check for VM detection... WMI ComputerSystem Manufacturer/Model... WMI BIOS Version/Serial... Process list... Registry... MAC Address... When the detection threshold is reached, the first process instance acquires a named mutex and enters an infinite sleep.

While most recent campaigns involved a fake ISO file that distributed a .NET Reactor-protected loader and text file facilitating the eventual deployment of the CNB Bot implant... REF1695 also leveraged ISO lures to spread the PureMiner and PureRAT payloads...

It communicates with a command-and-control (C2) server using HTTP POST requests.

The malware communicates with its C2 by issuing HTTP POST requests with the Content-Type set to application/x-www-form-urlencoded.

instead of the promised software, a series of loaders installs a malicious toolkit including CNB Bot, PureRAT, and SilentCryptoMiner.

These tools give the hackers full remote access to your files, the ability to update their malicious code

the group hosts malicious files on trusted platforms like GitHub and uses high-level RSA-2048 encryption to control their bots.

The loader is designed to invoke PowerShell, which is responsible for configuring broad Microsoft Defender Antivirus exclusions to fly under the radar