Security researchers warn that a command-and-control (C&C) framework named Winos is being distributed through gaming-related software such as installers, speed boosters, and optimization tools.
“Winos 4.0 is an advanced harmful framework that provides extensive functionality, a solid structure, and effective management over many online endpoints for executing further operations,” Fortinet FortiGuard Labs disclosed in a report shared with The Hacker News. “Redesigned from Gh0st RAT, it includes several adaptable components, each dealing with unique roles.”
The distribution of Winos 4.0 was first documented in June by Trend Micro and the KnownSec 404 Team. The two cybersecurity companies track the activity under the names Void Arachne and Silver Fox.
These attacks target Chinese-speaking users, relying on black hat Search Engine Optimization (SEO) tactics, social media, and messaging services such as Telegram to spread the malware.
Fortinet's latest analysis shows that users who run the malicious game-related applications trigger a multi-stage infection chain that starts by fetching a fake BMP file from a remote server ("ad59t82g[.]com"), which is then decoded into a dynamic-link library (DLL).
The DLL sets up the execution environment by downloading three files from the same server: t3d.tmp, t4d.tmp, and t5d.tmp. The first two are then unpacked to retrieve the next set of payloads: an executable ("u72kOdQ.exe") and three DLL files, including "libcef.dll."
“The DLL is labeled ‘学籍系统,’ which translates to ‘Student Registration System,’ indicating that the threat operator may be aiming at educational institutions,” Fortinet reported.
The binary is then used to load "libcef.dll," which extracts and executes the second-stage shellcode from t5d.tmp. The malware then contacts its command-and-control (C2) server ("202.79.173[.]4") over TCP and retrieves another DLL ("上线模块.dll").
The third-stage DLL, a component of Winos 4.0, fetches encoded data from the C2 server: a new DLL module ("登录模块.dll") that collects system information, captures clipboard contents, harvests data from cryptocurrency wallet extensions such as OKX Wallet and MetaMask, and provides a backdoor by waiting for further instructions from the server.
Winos 4.0 also supports the delivery of additional plugins from the C2 server that let the malware take screenshots and exfiltrate sensitive documents from the compromised host.
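The first stage above relies on a file that claims to be a BMP image but actually carries an encoded DLL. The following is an added example (not code from Fortinet's report) of a simple content check a defender can run on files served with a .bmp name: it verifies the BMP magic and header consistency and flags a raw or embedded PE. All sample inputs are constructed here for illustration.

```python
import struct

BMP_HEADER_LEN = 14 + 40   # BITMAPFILEHEADER + BITMAPINFOHEADER
DOS_STUB = b"This program cannot be run in DOS mode"

def classify_bmp(data: bytes) -> str:
    """Classify a file delivered as '.bmp'.
    Returns 'ok', 'pe_file', 'pe_embedded', 'no_bmp_magic' or 'header_mismatch'."""
    if data[:2] == b"MZ":
        return "pe_file"          # a DLL/EXE simply renamed to .bmp
    if DOS_STUB in data:
        return "pe_embedded"      # a PE carried inside the pixel data
    if len(data) < BMP_HEADER_LEN or data[:2] != b"BM":
        return "no_bmp_magic"     # e.g. an encoded payload with no image header
    declared_size, _, _, pixel_offset = struct.unpack_from("<IHHI", data, 2)
    dib_size, _width, _height, planes, bpp = struct.unpack_from("<IiiHH", data, 14)
    if declared_size != len(data) or not BMP_HEADER_LEN <= pixel_offset <= len(data):
        return "header_mismatch"  # file size or pixel offset does not match the header
    if dib_size != 40 or planes != 1 or bpp not in (1, 4, 8, 16, 24, 32):
        return "header_mismatch"  # implausible DIB header values
    return "ok"

def _genuine_bmp() -> bytes:
    # Constructed 1x1 24-bpp image: 54-byte header followed by one padded pixel row.
    pixels = b"\x00\x00\xff\x00"
    dib = struct.pack("<IiiHHIIiiII", 40, 1, 1, 1, 24, 0, len(pixels), 2835, 2835, 0, 0)
    file_hdr = b"BM" + struct.pack("<IHHI", 14 + len(dib) + len(pixels), 0, 0, 14 + len(dib))
    return file_hdr + dib + pixels

# Constructed samples covering each verdict (not real artifacts from the campaign).
SAMPLES = {
    "genuine": _genuine_bmp(),
    "renamed_dll": b"MZ\x90\x00" + b"\x00" * 60,
    "pe_in_pixels": _genuine_bmp() + DOS_STUB,
    "encoded_blob": bytes((i * 7) & 0xFF for i in range(128)),
    "padded": _genuine_bmp() + b"\x00" * 16,
}

def suspicious(samples: dict) -> list:
    """Return the names of all samples that are not well-formed BMP images."""
    return [name for name, data in samples.items() if classify_bmp(data) != "ok"]

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:13s} -> {classify_bmp(data)}")
```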
“Winos 4.0 is a potent framework, akin to Cobalt Strike and Sliver, that can accommodate multiple operations and effortlessly govern compromised systems,” Fortinet remarked. “Threat operations exploit game-related applications to entice a target to download and execute the malware without caution and effectively seize control of the system.”