New Winos4.0 Malware Targeting Windows via Fake Gaming Apps

Cybersecurity researchers at Fortinet’s FortiGuard Labs have unveiled a sophisticated malware campaign that cunningly disguises itself as benign gaming applications, targeting users of Microsoft Windows. This advanced malware framework, named Winos4.0, bears similarities to established threats like Cobalt Strike and Sliver.

Upon downloading and executing these seemingly harmless apps, users unwittingly invite Trojan horses into their systems, which subsequently download and install the Winos4.0 framework. The findings, shared with Hackread.com prior to their official publication on November 6, reveal multiple instances of this malware embedded within various gaming-related applications, such as installation tools, speed boosters, and optimization utilities. A deeper analysis of the decoded DLL file suggests a particular focus on the education sector, as indicated by its file description, “校园政务” (Campus Administration).

Understanding the Attack Mechanism

The Winos4.0 framework boasts a robust architecture and extensive functionality, allowing for efficient control over numerous online endpoints. It is a re-engineered version of Gh0stRat, a potent remote access trojan developed by the Chinese hacking group C. Rufus Security Team back in 2008. This new framework comprises several modular components, each designed to perform specific tasks, and has already been utilized in various attack campaigns, including Silver Fox.

The attack unfolds in multiple stages, beginning with the retrieval of a file disguised as a BMP image from a remote server. XOR-decoding this file yields a DLL named “you.dll,” which is then loaded through its export function “you,” moving the attack into its next phase.

Following this, “you.dll” creates a folder with a randomly generated name and downloads three files into it from a designated remote path. One of these files unpacks into seemingly innocuous files (u72kOdQ.exe, MSVCP140.dll, and VCRUNTIME140.dll), while another contains the main malicious file, “libcef.dll.” The extracted files are then used to load “libcef.dll,” which injects shellcode and decodes a further file using an XOR key.

The injected shellcode resolves the Windows APIs it needs and retrieves configuration data to establish a TCP connection. It sends a string to the command and control (C2) server, which responds with encrypted data. This data is decrypted using XOR, allowing for the execution of a module (上线模块.dll, “check-in module”) that downloads additional data from the C2 server and records the server’s address in the registry, setting the stage for the attack’s final phase.

In the concluding stage, the 登录模块.dll (“login module”) file is launched, executing a series of tasks that include enabling crash restarts, capturing clipboard content, monitoring window title bars for specific applications, gathering system information, checking for cryptocurrency wallet extensions, assessing anti-virus software, sending login messages, and maintaining a connection to the C2 server through regular heartbeats.
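Two of the stages above hinge on the same trick: data that looks harmless (a BMP image, a C2 reply) is XOR-decoded into something executable. The following triage helper, added here as an illustration and not taken from FortiGuard’s report or the malware itself, shows how an analyst can check whether a suspect file hides a single-byte-XOR-encoded Windows PE image. The report does not state the key length the campaign uses, so the single repeating key byte is an assumption; the BMP sample the script builds is constructed for the demonstration and is not a real Winos4.0 artifact.

```python
"""Triage helper: does a file hide a single-byte-XOR-encoded PE image?
Added example; assumes a one-byte repeating XOR key (assumption, not
stated in the report). The sample BMP below is constructed, not a real
campaign file."""
import struct
from typing import List, Optional, Tuple


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one repeating key byte."""
    return bytes(b ^ key for b in data)


def looks_like_pe(data: bytes) -> bool:
    """Minimal PE check: 'MZ' at offset 0 and the e_lfanew field at 0x3C
    pointing to a 'PE\\0\\0' signature inside the buffer."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew < 0x40 or e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def candidate_offsets(blob: bytes) -> List[int]:
    """Where an embedded payload might start: offset 0, plus the BMP
    pixel-data offset (bfOffBits, little-endian u32 at byte 10) when the
    blob carries a BMP file header."""
    offsets = [0]
    if blob[:2] == b"BM" and len(blob) >= 14:
        off_bits = struct.unpack_from("<I", blob, 10)[0]
        if 0 < off_bits < len(blob):
            offsets.append(off_bits)
    return offsets


def find_xor_pe(blob: bytes, probe_len: int = 4096) -> Optional[Tuple[int, int]]:
    """Try all 256 single-byte keys at each candidate offset; return
    (offset, key) for the first combination that yields a PE header."""
    for off in candidate_offsets(blob):
        window = blob[off:off + probe_len]
        for key in range(256):
            if looks_like_pe(xor_bytes(window, key)):
                return off, key
    return None


def recover_payload(blob: bytes) -> Optional[bytes]:
    """Return the decoded PE image if one is found, else None."""
    hit = find_xor_pe(blob)
    if hit is None:
        return None
    off, key = hit
    return xor_bytes(blob[off:], key)


def build_sample(key: int = 0x5A) -> bytes:
    """Constructed test input: a fake PE header, XOR-encoded with `key`,
    appended behind a 54-byte BMP header whose bfOffBits points at it."""
    e_lfanew = 0x80
    dos = bytearray(b"MZ" + b"\0" * (0x3C - 2))
    dos += struct.pack("<I", e_lfanew)
    dos += b"This program cannot be run in DOS mode.\r\n$"
    dos += b"\0" * (e_lfanew - len(dos))
    pe = bytes(dos) + b"PE\0\0" + struct.pack("<HH", 0x014C, 3) + b"\0" * 64
    encoded = xor_bytes(pe, key)
    bmp_header = b"BM" + struct.pack("<IHHI", 54 + len(encoded), 0, 0, 54)
    bmp_header += struct.pack("<I", 40) + b"\0" * 36  # minimal BITMAPINFOHEADER
    return bmp_header + encoded


if __name__ == "__main__":
    sample = build_sample()
    hit = find_xor_pe(sample)
    print("hit:", hit)  # (54, 90): payload at the BMP pixel-data offset, key 0x5A
    payload = recover_payload(sample)
    print("decoded PE:", payload is not None and looks_like_pe(payload))
```

Because the check keys on the PE signature rather than on any one campaign’s file names, the same routine can be pointed at a downloaded “image” or at a captured C2 reply; a hit on an image file that should never contain executable code is a strong triage signal on its own.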

Attack flow and some of the malicious gaming apps involved in the campaign (Via FortiGuard Labs)

The capabilities of Winos4.0 underscore its potential as a powerful framework for controlling compromised systems. To safeguard against such threats, researchers advise users to remain vigilant about the sources of new applications and to download software exclusively from reputable sources.

Users are encouraged to avoid downloading applications from third-party app stores and websites. Prior to executing any new files, it is prudent to scan URLs and downloaded content on platforms like VirusTotal. Regular device scans, particularly after downloading new files, are essential. In corporate environments, it is advisable to restrict users from downloading and installing applications on workstations.
