A newly identified malicious software framework, dubbed “Winos4.0,” has emerged within game-related applications, specifically targeting Windows users. Researchers from FortiGuard Labs have classified this malware as a sophisticated variant of Gh0strat, capable of executing a wide array of remote actions and granting attackers substantial control over compromised systems.
The modus operandi of Winos4.0 involves the distribution of seemingly innocuous game-related applications, such as installation tools and performance boosters. These applications serve as the initial entry point for the malware into target devices.
Upon installation by the user, the application downloads a seemingly harmless BMP file from a remote server. This file subsequently extracts and activates the Winos4.0 DLL file. The initial phase of the malware’s operation establishes an environment conducive to deploying additional modules, while also ensuring persistence on the infected machine through the creation of registry keys or scheduled tasks.
Winos4.0’s Advanced Capabilities and Security Threats
As the framework progresses through its stages, it decodes concealed files to inject shellcode and load various modules critical for controlling the compromised systems. Among its key functionalities are:
- Clipboard monitoring
- System information gathering
- Detection of antivirus software, crypto wallet extensions, and other security applications
Notably, Winos4.0 also appears to target educational institutions, with file descriptions suggesting a particular emphasis on “Campus Administration” functions.
Further investigation indicates that Winos4.0 maintains communication with command-and-control (C2) servers to download encrypted modules. It retrieves the addresses of these C2 servers from designated registry keys, facilitating its login and ongoing connectivity.
This persistent connection empowers the malware to receive commands and download modules that enable various actions, including document management, screen capture, and comprehensive environment monitoring.
Fortinet has drawn parallels between Winos4.0 and other powerful frameworks like Cobalt Strike and Sliver, highlighting its ability to support multiple functions and exert control over compromised systems with ease. The firm cautions that the entire attack chain is characterized by extensive encrypted data exchanges and significant C2 communication necessary for successful injection.
In light of these developments, users are urged to exercise caution regarding the sources of new applications, emphasizing the importance of downloading software exclusively from reputable sources.
