Chinese-speaking users are the target of a newly identified threat cluster tracked as Void Arachne. The group uses malicious Windows Installer (MSI) packages for virtual private networks (VPNs) to deploy a command-and-control (C&C) framework named Winos 4.0.
Trend Micro analysts Peter Girnus, Aliakbar Zahravi, and Ahmed Mohamed Ibrahim said in a report published today that “The scheme also features tampered MSI files containing nudifiers and deepfake pornography-producing software, in addition to AI voice and facial technologies.” The malware is distributed through [Search Engine Optimization] manipulation as well as through social media and messaging platforms.
The cybersecurity company, which unearthed this new threat actor group in early April 2024, stated that the assaults involve the promotion of popular applications such as Google Chrome, LetsVPN, QuickVPN, and a Telegram language package for Simplified Chinese to propagate Winos. Another attack strategy involves distributing compromised setups through Chinese-themed Telegram channels.
The hyperlinks, obtained through illicit SEO techniques, point to infrastructure specifically arranged by the malicious party to present the installers in the guise of ZIP files. In instances targeting Telegram channels, the MSI installers and ZIP archives are directly stored on the messaging platform.
The utilization of a malevolent Simplified Chinese language pack is intriguing, notably due to its extensive attack surface. Various software offerings claim to provide functionalities for generating non-consensual deepfake adult content for potential use in sextortion operations, AI innovations potentially exploitable for online kidnapping, as well as tools for altering voices and faces.
The installers are crafted to alter firewall configurations, thus permitting inbound and outbound network traffic related to the malware when connected to public networks.
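Since the installers open the Windows firewall for the malware on public networks, a defender can audit for that change directly. The script below is an added example and not code from the Trend Micro report: it lists enabled Allow rules that apply to the Public profile and flags those whose program lives in a user-writable directory, which legitimate software rarely needs; the list of suspect directories is an assumption for illustration.

```powershell
# Added example (not from the report): audit enabled Allow rules (inbound and outbound)
# that apply to the Public profile and point at a program under a user-writable path.
# The set of "user-writable" roots below is an assumption; adjust it for your environment.
$suspectRoots = @(
    $env:APPDATA,
    $env:LOCALAPPDATA,
    $env:TEMP,
    $env:ProgramData,
    "$env:SystemDrive\Users\Public"
) | Where-Object { $_ }

function Get-PublicProfileAllowRules {
    [CmdletBinding()]
    param()
    # Only enabled rules that allow traffic matter for this check.
    $rules = Get-NetFirewallRule -Enabled True -Action Allow
    foreach ($rule in $rules) {
        # Profile is a flags enum; "Any" covers Public as well.
        $ruleProfile = [string]$rule.Profile
        if ($ruleProfile -notmatch 'Public|Any') { continue }

        # The application filter carries the program path the rule is bound to ("Any" if none).
        $program = ($rule | Get-NetFirewallApplicationFilter).Program
        $inUserWritable = $false
        if ($program -and $program -ne 'Any') {
            $expanded = [Environment]::ExpandEnvironmentVariables($program)
            foreach ($root in $suspectRoots) {
                if ($expanded.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) {
                    $inUserWritable = $true
                    break
                }
            }
        }

        [pscustomobject]@{
            Name             = $rule.DisplayName
            Group            = $rule.DisplayGroup
            Direction        = [string]$rule.Direction
            Profile          = $ruleProfile
            Program          = $program
            UserWritablePath = $inUserWritable
        }
    }
}

# Flagged rules deserve a closer look; review the rest of the output for unexpected entries too.
Get-PublicProfileAllowRules | Where-Object { $_.UserWritablePath } | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on the host being examined; rules created by the installer can also be corroborated against Windows Firewall event logs and the MSI install time.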
The installer also drops a loader that decrypts and launches a secondary payload in memory, which triggers a Visual Basic Script (VBS) to establish persistence on the system. This, in turn, leads to the execution of an undisclosed batch script and the deployment of the Winos 4.0 C&C framework via a staging module that establishes communication with a remote server.
Implemented in C++, Winos 4.0 is designed to conduct file operations, perform distributed denial-of-service (DDoS) attacks using various protocols, execute disk searches, control webcams, capture screenshots, record audio, record keystrokes, and provide remote shell access.
Highlighting the complexity of this backdoor is a modular architecture that encompasses 23 specific components tailored for 32-bit and 64-bit systems. Additionally, the functionality can be expanded through external add-ons integrated by the threat actors based on their requirements.
Central to the Winos framework are techniques to identify security software prevalent in China, alongside serving as the main orchestrator for loading functionality, clearing system logs, and retrieving and executing additional payloads from specific URLs.
“Chinese internet access is tightly governed through a mix of regulations and technology controls collectively referred to as the Great Firewall of China,” emphasized the researchers.
“The growing interest in VPN services and the limitations imposed by governmental entities in China have resulted in an upsurge of public interest in this technology. Consequently, threat actors are increasingly exploiting this heightened curiosity by distributing software that helps bypass the Great Firewall and online restrictions.”