Original Article Text


Hackers increasingly use Winos4.0 post-exploitation kit in attacks

Hackers are increasingly targeting Windows users with the malicious Winos4.0 framework, distributed via seemingly benign game-related apps. The toolkit is the equivalent of the Sliver and Cobalt Strike post-exploitation frameworks and was documented by Trend Micro this summer in a report on attacks against Chinese users. At the time, a threat actor tracked as Void Arachne/Silver Fox lured victims with offers of various software (VPNs, Google Chrome browser) modified for the Chinese market that bundled the malicious component.

A report today from cybersecurity company Fortinet indicates an evolution in the activity, with hackers now relying on games and game-related files in their continued targeting of Chinese users. When the seemingly legitimate installers are executed, they download a DLL file from "ad59t82g[.]com" to initiate a multi-step infection process.

In the first stage, a DLL file (you.dll) downloads additional files, sets up the execution environment, and establishes persistence by adding entries in the Windows Registry. In the second stage, injected shellcode loads APIs, retrieves configuration data, and establishes a connection to the command-and-control (C2) server. In the third phase, another DLL (上线模块.dll) retrieves extra encoded data from the C2 server, stores it in the registry at "HKEY_CURRENT_USER\Console\0" and updates the C2 addresses.

In the last stage of the attack chain, the login module (登录模块.dll) is loaded, which performs the primary malicious actions: Winos4.0 checks for a variety of security tools on the system, including Kaspersky, Avast, Avira, Symantec, Bitdefender, Dr.Web, Malwarebytes, McAfee, AhnLab, ESET, Panda Security, and the now discontinued Microsoft Security Essentials. By identifying these processes, the malware determines if it is running in a monitored environment and adjusts its behavior accordingly, or halts execution.
Hackers have continued using the Winos4.0 framework for several months now, and the emergence of new campaigns indicates that its role in malicious operations has solidified. Fortinet describes the framework as a powerful one that can be used to control compromised systems, with functionality similar to Cobalt Strike and Sliver. Indicators of compromise (IoCs) are available in the reports from Fortinet and Trend Micro.
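As an added illustration, not code from the article or from the Fortinet or Trend Micro reports, the following read-only PowerShell hunt checks a host for the two registry artefacts the article names: the staging key HKEY_CURRENT_USER\Console\0 that the third-stage module writes encoded C2 data into, and persistence entries that reference the first-stage loader (you.dll) or the download domain. The article does not say which registry locations hold the persistence entries or which value names appear under Console\0, so the Run/RunOnce keys searched here and the decision to report every value under Console\0 are assumptions of this example.

```powershell
# Added example (not from the article): read-only hunt for Winos4.0 registry artefacts.
# Assumptions: persistence is looked for in the usual Run/RunOnce keys; value names under
# HKCU\Console\0 are unknown, so every value there is reported with its type and length.

$findings = @()

# 1. Staging key named in the report: HKEY_CURRENT_USER\Console\0
$stagePath = 'HKCU:\Console\0'
if (Test-Path $stagePath) {
    $key = Get-Item $stagePath
    $valueNames = @($key.GetValueNames())
    if ($valueNames.Count -eq 0) {
        $findings += [pscustomobject]@{ Check = 'Console\0 key'; Item = $stagePath; Detail = 'exists but holds no values' }
    }
    foreach ($name in $valueNames) {
        $data = $key.GetValue($name)
        $kind = $key.GetValueKind($name)
        # Encoded C2 data would typically be a long binary or string blob; report the size for triage
        $size = if ($data -is [byte[]]) { $data.Length } else { ([string]$data).Length }
        $findings += [pscustomobject]@{
            Check  = 'Console\0 value'
            Item   = "$name ($kind)"
            Detail = "length=$size"
        }
    }
}

# 2. Persistence: search common Run keys for the loader DLL or the download domain from the report
#    (the domain is written de-fanged as ad59t82g[.]com in the article)
$indicators = @('you.dll', 'ad59t82g.com')
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($rk in $runKeys) {
    if (-not (Test-Path $rk)) { continue }
    $props = Get-ItemProperty -Path $rk
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip provider metadata (PSPath, PSDrive, ...)
        foreach ($ioc in $indicators) {
            if ("$($p.Value)" -match [regex]::Escape($ioc)) {
                $findings += [pscustomobject]@{ Check = 'Run key'; Item = "$rk\$($p.Name)"; Detail = "$($p.Value)" }
            }
        }
    }
}

if ($findings.Count -eq 0) {
    'No Winos4.0 registry artefacts found.'
} else {
    $findings | Format-Table -AutoSize
}
```

Run it in an ordinary PowerShell session on the host being triaged; it only reads the registry and prints what it finds. A Console\0 key on its own is a lead rather than a verdict, so compare any reported value against the IoCs published by Fortinet and Trend Micro before acting on it.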

Daily Brief Summary

MALWARE // Increasing Use of Winos4.0 Malware in Targeted Attacks

Hackers are increasingly using the Winos4.0 framework to target Windows users through game-related apps.

This malicious framework facilitates post-exploitation activities similar to well-known tools like Sliver and Cobalt Strike.

Originally documented by Trend Micro, Winos4.0 was used by the threat actor Void Arachne/Silver Fox to distribute modified software in China.

Fortinet's recent report indicates an evolution in hacker tactics, now leveraging games to deploy malware.

The infection process includes multiple stages beginning with downloading a DLL file, establishing persistence, and connecting to a command-and-control (C2) server.

The malware checks for the presence of specific security tools on the system to determine if it needs to adjust its behavior or terminate itself, enhancing its stealth.

The ongoing use and adaptation of Winos4.0 suggest its increasing role in malicious cyber operations.

Details including Indicators of Compromise (IoCs) are available in cybersecurity reports from both Fortinet and Trend Micro.