Hackers increasingly use Winos4.0 post-exploitation kit in attacks

Hackers are increasingly homing in on Windows users with the Winos4.0 framework, which is distributed inside what appear to be harmless game-related applications. The toolkit offers capabilities comparable to well-known post-exploitation frameworks such as Sliver and Cobalt Strike, as described in a Trend Micro report earlier this summer that covered attacks specifically targeting Chinese users.

Initially, a threat actor known as Void Arachne, or Silver Fox, attracted victims by offering modified software such as VPNs and the Google Chrome browser tailored for the Chinese market, all bundled with the malicious components. However, a recent report from cybersecurity firm Fortinet reveals a notable shift in tactics, with hackers now leveraging games and game-related files to continue their assault on Chinese users.

Infection Process Unveiled

When one of these seemingly legitimate installers runs, it downloads a DLL named you.dll from “ad59t82g[.]com,” which starts a multi-stage infection. In this first stage, you.dll fetches additional files, sets up the execution environment, and establishes persistence by modifying entries in the Windows Registry.

In the second stage, injected shellcode runs, resolving the APIs it needs, retrieving configuration data, and opening a connection to the command-and-control (C2) server. In the third stage, another DLL, 上线模块.dll (roughly, the "check-in module"), retrieves encoded data from the C2 server, stores it in the registry under HKEY_CURRENT_USER\Console, and updates the C2 addresses.
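The registry behaviour above gives a defender two concrete things to look for: unexpected data parked under HKEY_CURRENT_USER\Console, and an autostart entry that loads a DLL from a user-writable path. The PowerShell script below is an added hunting example written for this article; it is not code from Fortinet, Trend Micro, or the malware itself. It assumes a baseline of value names the Windows console subsystem normally writes under HKCU\Console (taken from a default Windows 10/11 profile; extend it for your build), it does not know the exact value name or persistence key Winos4.0 uses because the article does not give them, and the 256-byte threshold and the list of "user-writable" directories are judgement calls, not published indicators.

```powershell
# Added hunting example for the Winos4.0 registry artefacts described above.
# Not the malware's code and not from the Fortinet/Trend Micro reports; the
# baseline, thresholds and path list below are assumptions and should be tuned.

# Value names the Windows console subsystem writes under HKCU\Console on a
# default Windows 10/11 profile (assumption: extend for your own build).
$ConsoleBaseline = @(0..15 | ForEach-Object { 'ColorTable{0:D2}' -f $_ }) + @(
    'CursorSize','EnableColorSelection','ExtendedEditKey','ExtendedEditKeyCustom',
    'FaceName','FontFamily','FontSize','FontWeight','FullScreen','HistoryBufferSize',
    'HistoryNoDup','InsertMode','LineSelection','LineWrap','LoadConIme',
    'NumberOfHistoryBuffers','PopupColors','QuickEdit','ScreenBufferSize',
    'ScreenColors','ScrollScale','TrimLeadingZeros','WindowAlpha','WindowSize',
    'WordDelimiters','CodePage','CurrentPage','CtrlKeyShortcutsDisabled',
    'FilterOnPaste','ForceV2','InterceptCopyPaste','TerminalScrolling','CursorType',
    'CursorColor','DefaultBackground','DefaultForeground','VirtualTerminalLevel'
)

function Find-SuspiciousConsoleValues {
    # Flags values under HKCU\Console whose name is outside the baseline, or
    # whose REG_BINARY / REG_SZ payload is large enough to be staged C2 data.
    # BinaryThreshold is an assumption: console settings are a few bytes each.
    param([string]$Path = 'HKCU:\Console', [int]$BinaryThreshold = 256)

    $key = Get-Item -Path $Path -ErrorAction Stop
    foreach ($name in $key.GetValueNames()) {
        $kind  = $key.GetValueKind($name)
        $value = $key.GetValue($name)
        $size  = if ($value -is [byte[]] -or $value -is [string]) { $value.Length } else { 0 }
        $label = if ($name -eq '') { '(Default)' } else { $name }

        $reasons = @()
        if ($name -ne '' -and $name -notin $ConsoleBaseline) { $reasons += 'name not in console baseline' }
        if ($kind -eq 'Binary' -and $size -ge $BinaryThreshold) { $reasons += "REG_BINARY of $size bytes" }
        if ($kind -eq 'String' -and $size -ge $BinaryThreshold) { $reasons += "string of $size chars" }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{ Key = $Path; Name = $label; Kind = $kind; Size = $size; Reason = ($reasons -join '; ') }
        }
    }
    # Subkeys of HKCU\Console hold per-window-title settings; check them too.
    foreach ($sub in Get-ChildItem -Path $Path -ErrorAction SilentlyContinue) {
        Find-SuspiciousConsoleValues -Path $sub.PSPath -BinaryThreshold $BinaryThreshold
    }
}

function Find-SuspiciousRunEntries {
    # The article says persistence is registry-based but does not name the key;
    # the common Run/RunOnce keys are checked here as an assumption.
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    # Assumption: directories a dropper can write without elevation.
    $userWritable = '(?i)\\AppData\\|\\Temp\\|\\ProgramData\\|\\Users\\Public\\|\\Downloads\\'

    foreach ($k in $runKeys) {
        if (-not (Test-Path -Path $k)) { continue }
        $key = Get-Item -Path $k
        foreach ($name in $key.GetValueNames()) {
            $cmd = [string]$key.GetValue($name)
            $reasons = @()
            if ($cmd -match '(?i)\brundll32(\.exe)?\b|\bregsvr32(\.exe)?\b') { $reasons += 'loads a DLL via rundll32/regsvr32' }
            if ($cmd -match $userWritable) { $reasons += 'runs from a user-writable directory' }
            # The named modules carry Chinese file names; this is noisy on CJK-locale
            # hosts (exactly the victims described), so treat it as a weak signal.
            if ($cmd -match '[^\x00-\x7F]') { $reasons += 'non-ASCII characters in command line (weak signal)' }

            if ($reasons.Count -gt 0) {
                [pscustomobject]@{ Key = $k; Name = $name; Kind = 'Run'; Size = $cmd.Length; Reason = ($reasons -join '; ') }
            }
        }
    }
}

# Usage: run as the affected user so HKCU resolves to that profile.
$findings = @(Find-SuspiciousConsoleValues) + @(Find-SuspiciousRunEntries)
if ($findings.Count -gt 0) { $findings | Format-Table -AutoSize } else { 'No registry findings.' }
```

Two caveats when triaging the output: legitimate applications create subkeys under HKCU\Console named after their window title, so a hit on an unfamiliar subkey name alone is weak evidence, whereas a large REG_BINARY value directly under the key is not something normal console configuration produces; and a Run entry that invokes rundll32 from AppData is worth pulling the DLL for, but on its own it is an indicator to investigate, not proof of Winos4.0.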

Malicious Actions and Data Exfiltration

The final stage of this intricate attack chain involves loading the login module, 登录模块.dll, which executes the primary malicious actions:

  • Collecting system and environment information, including IP address, OS details, and CPU specifications.
  • Checking for the presence of anti-virus and monitoring software on the host system.
  • Gathering data on specific cryptocurrency wallet extensions utilized by the victim.
  • Maintaining a persistent backdoor connection to the C2 server, enabling the attacker to issue commands and extract additional data.
  • Exfiltrating sensitive information through methods such as taking screenshots, monitoring clipboard changes, and stealing documents.

Winos4.0 is adept at identifying a range of security tools installed on the system, including Kaspersky, Avast, Avira, Symantec, Bitdefender, Dr.Web, Malwarebytes, McAfee, AhnLab, ESET, Panda Security, and even the now-defunct Microsoft Security Essentials. By detecting these processes, the malware can ascertain whether it is operating in a monitored environment, allowing it to adjust its behavior or cease execution altogether.

As hackers persist in utilizing the Winos4.0 framework, the emergence of new campaigns underscores its entrenched role in malicious operations. Fortinet characterizes this framework as a formidable tool capable of exerting control over compromised systems, bearing functionality akin to Cobalt Strike and Sliver. For those concerned, indicators of compromise (IoCs) are detailed in reports from both Fortinet and Trend Micro, providing critical insights into this evolving threat landscape.
