Hackers increasingly use Winos4.0 post-exploitation kit in attacks

Hackers are increasingly focusing their efforts on Windows users through the malicious Winos4.0 framework, which is disseminated via seemingly harmless game-related applications. This toolkit serves a similar purpose to the Sliver and Cobalt Strike post-exploitation frameworks and was highlighted in a report by Trend Micro this summer, which detailed attacks targeting Chinese users.

At that time, a threat actor identified as Void Arachne/Silver Fox attracted victims by offering various software products, such as VPNs and the Google Chrome browser, tailored for the Chinese market, which included the malicious component. A recent report from cybersecurity firm Fortinet reveals a shift in tactics, with hackers now utilizing games and game-related files to continue their assault on Chinese users.

When these ostensibly legitimate installers are executed, they download a DLL file from “ad59t82g[.]com,” initiating a multi-step infection process. In the initial phase, a DLL file (you.dll) downloads additional files, prepares the execution environment, and ensures persistence by modifying the Windows Registry. The subsequent phase involves injected shellcode that loads APIs, retrieves configuration data, and establishes a connection to the command-and-control (C2) server.
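The stages described above leave a recognisable trail on an endpoint: a lookup of the download domain, the loader DLL and the login module being mapped into a process, and a Run-key write for persistence. As an added example (not code from the article, Fortinet or Trend Micro), the following script correlates those indicators per host over endpoint events. The key=value event format, the field names (`host`, `type`, `image`, `query`, `loaded`, `target`) and the sample lines are all constructed for illustration; only the domain and the two DLL names come from the article.

```python
"""
Added example, not from the original article: triage Sysmon-style endpoint
events for the Winos4.0 infection-chain indicators the article names.
The key=value event format and the sample lines below are constructed.
"""
import re
from collections import defaultdict

# Indicators quoted in the article. The domain is kept defanged in source
# and refanged only for matching against a DNS query field.
C2_DOMAIN = "ad59t82g[.]com".replace("[.]", ".")
STAGE_DLLS = ("you.dll", "登录模块.dll")
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)

# key=value pairs; values may contain spaces (e.g. "Program Files"), so a
# value runs until the next " key=" token or end of line.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")

# Constructed sample events: PC1 shows only benign activity (a normal DNS
# lookup and an ordinary installer registering itself in Run); PC2 shows
# the three stages the article describes.
SAMPLE_EVENTS = [
    "host=PC1 type=DnsQuery image=C:\\Windows\\System32\\svchost.exe query=update.example.com",
    "host=PC1 type=RegistryValueSet image=C:\\Program Files\\Editor\\setup.exe "
    "target=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Editor",
    "host=PC2 type=DnsQuery image=C:\\Users\\u\\Downloads\\game_installer.exe query=ad59t82g.com",
    "host=PC2 type=ImageLoad image=C:\\Users\\u\\Downloads\\game_installer.exe "
    "loaded=C:\\Users\\u\\AppData\\Local\\Temp\\you.dll",
    "host=PC2 type=RegistryValueSet image=C:\\Users\\u\\Downloads\\game_installer.exe "
    "target=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
    "host=PC2 type=ImageLoad image=C:\\Users\\u\\Downloads\\game_installer.exe "
    "loaded=C:\\Users\\u\\AppData\\Local\\Temp\\登录模块.dll",
]


def parse_event(line):
    """Turn one constructed key=value log line into a dict."""
    return dict(FIELD_RE.findall(line))


def match_indicators(event):
    """Return the names of the article's indicators that one event matches."""
    hits = []
    etype = event.get("type", "")
    if etype == "DnsQuery" and event.get("query", "").lower() == C2_DOMAIN:
        hits.append("download/C2 domain")
    if etype == "ImageLoad":
        name = event.get("loaded", "").rsplit("\\", 1)[-1].lower()
        if name in STAGE_DLLS:
            hits.append(f"stage module {name}")
    if etype == "RegistryValueSet" and RUN_KEY_RE.search(event.get("target", "")):
        hits.append("Run-key persistence")
    return hits


def triage(lines):
    """Group hits per host and assign a verdict.

    A Run-key write on its own is far too common to alert on (installers do
    it legitimately), so it only raises the verdict to 'winos4.0-suspected'
    when the same host also shows the domain or one of the stage DLLs.
    """
    per_host = defaultdict(list)
    for line in lines:
        event = parse_event(line)
        for hit in match_indicators(event):
            per_host[event["host"]].append(hit)
    verdicts = {}
    for host, hits in per_host.items():
        strong = [h for h in hits if h != "Run-key persistence"]
        if strong:
            verdicts[host] = ("winos4.0-suspected", hits)
        else:
            verdicts[host] = ("persistence-only", hits)
    return verdicts


if __name__ == "__main__":
    for host, (verdict, hits) in sorted(triage(SAMPLE_EVENTS).items()):
        print(f"{host}: {verdict} <- {', '.join(hits)}")
```

The per-host correlation is the point: each indicator alone is weak (Run-key writes are routine, and a DLL name is trivially renamed by the next campaign), but the combination of the named download domain, the stage modules and a new Run entry from the same unexpected image is a much stronger signal. In a real deployment the domain and module names would be loaded from the Fortinet and Trend Micro IoC lists rather than hard-coded.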

In the final phase of the attack sequence, the login module (登录模块.dll) is activated, executing the core malicious functions, which include:

  • Collecting information regarding the system and environment, such as the IP address, operating system specifications, and CPU details.
  • Assessing the presence of anti-virus and monitoring applications operating on the host system.
  • Acquiring information about particular cryptocurrency wallet extensions utilized by the victim.
  • Establishing a persistent backdoor connection to the C2 server, enabling the attacker to send commands and obtain further data.

Exfiltration of data is achieved through methods such as capturing screenshots, tracking changes to the clipboard, and stealing documents. The Winos4.0 framework checks for a range of security software present on the system, including Kaspersky, Avast, Avira, Symantec, Bitdefender, Dr.Web, Malwarebytes, McAfee, AhnLab, ESET, Panda Security, and the now obsolete Microsoft Security Essentials. By detecting these processes, the malware assesses whether it is operating within a monitored environment and modifies its behaviour accordingly, or ceases execution altogether.

The continued utilization of the Winos4.0 framework by hackers over the past several months, along with the emergence of new campaigns, suggests that its significance in malicious activities has become firmly established. Fortinet characterizes this framework as a robust tool capable of managing compromised systems, exhibiting functionalities akin to those of Cobalt Strike and Sliver. Indicators of compromise (IoCs) can be found in the reports published by Fortinet and Trend Micro.
