Criminals use game-related applications to infect Windows systems with a malicious software framework called Winos4.0 that gives the attackers full control over compromised machines.
The malware, which appears to have been rebuilt from Gh0strat, consists of several components that each perform different functions, according to Fortinet.
The security shop discovered “multiple” samples hidden in the game installation tools, speed boosters and optimization tools. Fortinet says it’s similar to Cobalt Strike and Sliver – both legitimate red-teaming tools that are also favorites of criminals who use cracked versions to deploy ransomware and other malware, along with lateral movement, cyber espionage and other malicious acts.
Winos4.0 has been used in multiple attack campaigns, including Silver Fox, a suspected Chinese government-affiliated crew, we’re told.
“The entire attack chain involves multiple encrypted data and many C2 communications to complete the injection,” Fortinet warned. “Users should be aware of the source of any new application and download the software only from qualified sources.”
The attack starts with a gaming-related lure. Once the victim runs the application, it downloads a fake BMP file from “ad59t82g[.]com” that starts the infection process.
The first stage is a DLL file that sets up the execution environment, injects shellcode, and establishes persistence. The DLL is called “学籍系统”, which means “student registration system”, indicating that the attacker may be targeting organizations in the education sector.
In the second phase, the shellcode loads APIs, retrieves the command-and-control address (C2), and establishes communication with the attacker-controlled server.
Then a DLL file named “上线模块” downloads encrypted data from the C2 server and stores it in the registry at “HKEY_CURRENT_USER\Console\0\d33f351a4aeea5e608853d1a56661059”.
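The registry location above is an unusual place to park an encrypted payload: HKCU\Console\0 normally holds only small console-settings DWORDs such as font and buffer sizes, not a binary blob under a hash-like value name. The following Python is an added detection example (not Fortinet's code or part of the report) that scans Sysmon-style “RegistryEvent (Value Set)” records, Event ID 13, for exactly that pattern. The event records are constructed for illustration; the value name is the one quoted in the article.

```python
import re
from typing import Dict, List, Optional

# Constructed Sysmon-style Event ID 13 (registry value set) records.
# These are illustrative sample events, not telemetry from the campaign.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # the pattern described in the article: hash-named binary blob under Console\0
        "EventID": "13",
        "Image": "C:\\Users\\victim\\AppData\\Local\\Temp\\optimizer.exe",
        "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Console\\0\\d33f351a4aeea5e608853d1a56661059",
        "Details": "Binary Data",
    },
    {   # benign: conhost.exe updating a normal console setting
        "EventID": "13",
        "Image": "C:\\Windows\\System32\\conhost.exe",
        "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Console\\0\\ScreenBufferSize",
        "Details": "DWORD (0x0BB80078)",
    },
    {   # benign: a small DWORD under the same key, normal value name
        "EventID": "13",
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Console\\0\\FontFamily",
        "Details": "DWORD (0x00000036)",
    },
    {   # not a registry event at all; must be ignored
        "EventID": "1",
        "Image": "C:\\Windows\\System32\\notepad.exe",
        "TargetObject": "",
        "Details": "",
    },
]

# Matches a value written directly under <hive>\...\Console\0\ and captures the value name.
CONSOLE_ZERO_VALUE = re.compile(r"\\Console\\0\\([^\\]+)$", re.IGNORECASE)
# 32 hex characters: an MD5-looking name that no legitimate console setting uses.
HEX32_NAME = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)


def suspicious_console_value(event: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Return a finding for one event, or None if it does not match the pattern."""
    if event.get("EventID") != "13":
        return None
    match = CONSOLE_ZERO_VALUE.search(event.get("TargetObject", ""))
    if not match:
        return None
    value_name = match.group(1)
    reasons = []
    if HEX32_NAME.match(value_name):
        reasons.append("value name is 32 hex characters (hash-like)")
    if event.get("Details", "").startswith("Binary Data"):
        reasons.append("binary blob stored under a console-settings key")
    if not reasons:
        return None
    return {
        "image": event.get("Image", ""),
        "target": event["TargetObject"],
        "value_name": value_name,
        "reasons": reasons,
    }


def scan(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run the check over a batch of events and keep only the hits."""
    findings = []
    for event in events:
        finding = suspicious_console_value(event)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"{hit['image']} wrote {hit['value_name']} -> {'; '.join(hit['reasons'])}")
```

Either signal alone (a hash-shaped value name, or binary data under Console\0) is worth a look; both together on a write from a process in a user-writable Temp directory is a strong indicator, and the stored blob can then be pulled for offline decoding.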
Finally, in the fourth stage, the DLL file “登录模块” contains the primary payload that performs all malicious activities on the infected machine.
It collects information about the infected host, including its IP address, computer name, operating system, CPU, disk, network card, folder name, and time.
This module also checks whether any system-monitoring software is running on the machine and whether an antivirus product is present.
It searches for a crypto wallet extension and stores this information, while also taking screenshots, stealing documents and monitoring user activity.
Furthermore, in the final phase, the module creates a permanent backdoor to the C2 server, allowing the attacker to maintain a long-term presence on the victim’s machine. ®