Threat Campaign Distributes Winos4.0 via Gaming App

Summary:

Winos4.0 is a sophisticated malware framework that compromises Microsoft Windows systems, particularly targeting the education sector through malicious game-related applications. It utilizes a multi-stage attack process to gain control over infected machines, enabling extensive data collection and remote command execution.

Key points:

  • Winos4.0 is built on the Gh0strat framework.
  • Targets Microsoft Windows platforms, impacting users in the education sector.
  • Disguised as gaming applications to lure victims.
  • Employs a multi-stage infection process involving DLLs and shellcode.
  • Utilizes command and control (C2) communication for further actions.
  • Detected and blocked by FortiGuard Antivirus solutions.

MITRE Techniques:

  • Initial Access (T1071): Uses game-related applications for initial access.
  • Execution (T1203): Executes malicious code through DLL injection.
  • Persistence (T1547): Modifies registry keys to maintain persistence.
  • Command and Control (T1071): Establishes communication with C2 servers.
  • Data Collection (T1005): Gathers system information and clipboard data.
  • Exfiltration (T1041): Sends collected data back to the C2 server.

    Affected Platforms: Microsoft Windows
    Impacted Users: Microsoft Windows
    Impact: Compromised machines are under the control of the threat actor
    Severity Level: Medium

    Winos4.0 is an advanced malicious framework that offers comprehensive functionality, a stable architecture, and efficient control over numerous online endpoints to execute further actions. Rebuilt from Gh0strat, it includes several modular components, each handling distinct functions. Winos4.0 has been deployed in various attack campaigns, such as Silver Fox.

    FortiGuard Labs has identified multiple samples of this malware hidden within gaming-related applications, including installation tools, speed boosters, and optimization utilities. Analysis of the decoded DLL file reveals a potential targeting of the education sector, as indicated by its file description, “校园政务” (Campus Administration). In this blog post, we will delve into a comprehensive technical analysis of a campaign that leveraged these applications to deliver Winos4.0.

    Figure 1: Attack chain

    Game Application

    Initial access is achieved by distributing game-related applications designed for optimization or installation.

    Figure 2: Malicious game-related applications

    After the victim runs the application, it retrieves a fake BMP file from the server ad59t82g[.]com. The file is then XOR decoded, extracting the DLL “you.dll,” which is loaded through its export function “you” to proceed to the next stage.

    Figure 3: Downloaded “lon2.bmp”

    Figure 4: XOR-decoded “lon2.bmp” gets “you.dll”

    First Stage: “you.dll”

    This DLL file is responsible for setting up the execution environment. It begins by downloading three files from the same remote path “hxxp://ad59t82g[.]com/1/” used in the previous stage. A folder with a random name is then created in “C:\Program Files (x86),” where “text.bmp” is saved as “t3d.tmp,” “d.bmp” as “t4d.tmp,” and “t2.bmp” as “t5d.tmp.”

    Figure 5: Creating folder with a random string

    It then extracts “t3d.tmp” using the password “lalala123%,” obtaining three clean files: u72kOdQ.exe, MSVCP140.dll, and VCRUNTIME140.dll. Next, it decodes “t4d.tmp” with XOR key 0x67080000 to reveal the main malicious file, “libcef.dll.” The purpose of the three extracted files is to load “libcef.dll” to inject shellcode. The DLL is named “学籍系统,” meaning “Student Registration System,” suggesting that the threat actor may be targeting educational organizations.

    Figure 6: Unzipped and XOR-decoded files

    Figure 7: libcef.dll

    Next, it checks for the presence of a window with the specific class name “Q360SafeMonClass.” If the window is not found, it proceeds to establish persistence by adding the executable “u72kOdQ.exe” to the registry key “SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN” under the value name “WINDOWS.”

    Figure 8: Added registry

    It then loads the “Shell32” library and calls “ShellExecuteA” to execute u72kOdQ.exe.

    Figure 9: Executing the application “u72kOdQ.exe”

    If the window “Q360SafeMonClass” is present, it switches to creating a scheduled task instead. It downloads another encoded file, “hxxp://ad59t82g[.]com/1/h[.]bmp.” The XOR-decoded result is an MSIL file embedded with a Base64-encoded command. The decoded command creates a scheduled task named “Window Defender Uqdata” that runs a specified command (executing “u72kOdQ.exe”) starting one minute from the current time, with a repetition interval of one minute, and configured to restart up to three times if necessary. The task runs with the highest privileges (RunLevel 1).

    Figure 10: XOR-decoded “h.bmp”

    Figure 11: Base64-decoded command

    Following the persistence setup, the malicious DLL “libcef.dll” decodes “t5d.tmp” using an XOR key 0x67080000. Once decoded, it injects the extracted shellcode, preparing it to execute actions within the compromised environment.

    Figure 12: XOR-decoded “t5d.tmp” and injected shellcode

    Second Stage: shellcode

    The shellcode dynamically loads APIs, as shown in Figure 13.

    Figure 13: Resolved APIs

    The shellcode retrieves configuration data by searching for the marker string “codecode,” a change from the previous version, which used the string “codemark” for this purpose.

    Figure 14: Data in “codecode”

    Figure 15: Configuration

    The malware retrieves the C2 address 202[.]79[.]173[.]4 and port 80 and establishes a TCP connection (t1:1). It sends “x32” to the C2 to request a module download, which also serves as the victim’s check-in. The downloaded module consists of encrypted data with a size of 0x4B00E bytes.

    Figure 16: Retrieved X32 online module from C2

    The data is decrypted using a simple XOR operation with the key value of 0x2B. The decrypted 32-bit module is “上线模块.dll.” It is then executed, leading to the next stage.
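Every stage of this chain is hidden behind a plain XOR layer: a 32-bit key (0x67080000) for t4d.tmp and t5d.tmp, a single byte (0x2B) for the online module, and a 10-byte key (0x2b181a012b2b2b2b2bf5) for the login module that follows. The helper below is an added example for analysts, not Fortinet’s code and not taken from the samples: it decodes a blob with a repeating key, tests whether the result is a PE image, tries both byte orders of a 32-bit key (the report does not say how the key is laid out, so that order is an assumption), and recovers a single-byte key from the expected “MZ” header. The input blobs are constructed in the block, not the real payloads.

```python
"""XOR unpacking helpers for the staged payloads described in the report.

Added example (not Fortinet's code). Assumptions, labelled where used:
  - a multi-byte key is applied as a repeating byte string; for the 32-bit
    key the report does not state byte order, so both orders are tried.
  - the 'sample' blobs are constructed here for demonstration only.
"""
from itertools import cycle
from typing import Optional, Tuple

# Keys quoted in the report.
KEY_T4D_T5D = 0x67080000                                   # t4d.tmp / t5d.tmp (32-bit)
KEY_ONLINE_MODULE = bytes.fromhex("2b")                    # "x32" online module
KEY_LOGIN_MODULE = bytes.fromhex("2b181a012b2b2b2b2bf5")   # login module (next stage)


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR `data` with `key` repeated to its length; XOR is its own inverse."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def looks_like_pe(blob: bytes) -> bool:
    """Cheap PE check: 'MZ' at offset 0 and e_lfanew pointing at 'PE\\0\\0'."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def try_dword_key(blob: bytes, key: int) -> Optional[Tuple[str, bytes]]:
    """Try a 32-bit key in both byte orders; return (order, decoded) if a PE appears."""
    for order in ("big", "little"):
        out = xor_repeating(blob, key.to_bytes(4, order))
        if looks_like_pe(out):
            return order, out
    return None


def guess_single_byte_key(blob: bytes) -> Optional[int]:
    """Recover a one-byte key by assuming the plaintext starts with 'MZ'."""
    if len(blob) < 2:
        return None
    k0, k1 = blob[0] ^ ord("M"), blob[1] ^ ord("Z")
    return k0 if k0 == k1 else None


def fake_pe(size: int = 0x80) -> bytes:
    """Constructed stand-in for a decoded DLL: minimal DOS header + PE signature."""
    buf = bytearray(size)
    buf[:2] = b"MZ"
    buf[0x3C:0x40] = (0x40).to_bytes(4, "little")   # e_lfanew -> 0x40
    buf[0x40:0x44] = b"PE\x00\x00"
    return bytes(buf)


if __name__ == "__main__":
    # Simulate the t4d.tmp stage: encode with the 32-bit key, then recover it.
    encoded = xor_repeating(fake_pe(), KEY_T4D_T5D.to_bytes(4, "big"))
    print("raw blob is PE:", looks_like_pe(encoded))             # False
    order, _ = try_dword_key(encoded, KEY_T4D_T5D)
    print("32-bit key byte order that yields a PE:", order)      # big
    # Simulate the online module: recover the single-byte key from 'MZ'.
    module = xor_repeating(fake_pe(), KEY_ONLINE_MODULE)
    print("recovered single-byte key: 0x%02x" % guess_single_byte_key(module))
```

The PE check matters more than the XOR itself: when a fake “.bmp” decodes to something with a valid DOS stub and PE signature, that alone is a strong triage signal that the download was a disguised executable, whatever the key happened to be.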

    Figure 17: Export table for the online module (上线模块)

    The modules described in the following sections are all components of Winos4.0. They facilitate online functionality, including logging in and checking in with the server. Additionally, they enable the retrieval of C2 commands and downloading modules.

    Third Stage: 上线模块.dll

    The entry first calls a function to check whether the value of the registry key “HKEY_CURRENT_USER\Console\IpDate” is valid. This value will later be used to update the main server address in the subsequent payload downloaded via C2.

    Figure 18: Update configuration

    Once it confirms that it can reach the C2 server, it downloads encoded data from its C2. It saves the XOR-decoded result in the registry value “HKEY_CURRENT_USER\Console\d33f351a4aeea5e608853d1a56661059.”

    Figure 19: Get login module (key 0x2b181a012b2b2b2b2bf5)

    Figure 20: Save login module (登录模块) in the registry

    Once the module is configured for the next stage, the C2 server address information is recorded in the registry key “HKEY_LOCAL_MACHINE\SOFTWARE\IpDates_info.”

    Figure 21: Saved C2 information in the registry

    Figure 22: Write memory and resume thread

    Final Stage: 登录模块.dll

    This module is responsible for information collection, environment checks, and core backdoor functionality. Its functions include:

    • Enables crash restart (SetUnhandledExceptionFilter).
    • Creates a new thread to record the clipboard.

    Figure 23: Getting clipboard data

    • Checks the text of window title bars: Examines whether the following monitoring-related software is present: “流量,” “ApateDNS,” “Malwarebytes,” “TCPEye,” “TaskExplorer,” “CurrPorts,” “Port,” “Metascan,” “Wireshark,” “任务管理器,” “资源监视器,” “网络分析,” “Fiddler,” “火绒,” “Capsa,” “Sniff,” “Process,” and “提示符.”

    Figure 24: Checking applications related to system monitoring

    • Collects system information: It gathers host information, including the IP address, computer name, operating system, CPU, disk, network card, directory name, and time.

    Figure 25: Grabbing system information

    • Checks for crypto wallet extensions: This function verifies the existence of the extension folders of two specific Chrome crypto wallets, OKX Wallet and MetaMask. Upon confirming their existence, it gathers and stores related information.

    Figure 26: Getting specific Chrome extensions

    • Checks whether antivirus software is present: It enumerates running processes to see whether any matches one of the specified executable names, including “360Safe.exe,” “360Tray.exe,” “360tray.exe,” “ZhuDongFangYu.exe,” “360sd.exe,” “kxetray.exe,” “KSafeTray.exe,” “kscan.exe,” “kwsprotect64.exe,” “kxescore.exe,” “QQPCRTP.exe,” “QMDL.exe,” “QMPersonalCenter.exe,” “QQPCPatch.exe,” “QQPCRealTimeSpeedup.exe,” “QQPCTray.exe,” “QQRepair.exe,” “HipsTray.exe,” “HipsMain.exe,” “HipsDaemon.exe,” “BaiduSd.exe,” “baiduSafeTray.exe,” “KvMonXP.exe,” “RavMonD.exe,” “QUHLPSVC.EXE,” “mssecess.exe,” “cfp.exe,” “SPIDer.exe,” “acs.exe,” “V3Svc.exe,” “avgwdsvc.exe,” “f-secure.exe,” “avp.exe,” “avpui.exe,” “Mcshield.exe,” “egui.exe,” “knsdtray.exe,” “TMBMSRV.exe,” “avcenter.exe,” “ashDisp.exe,” “rtvscan.exe,” “remupd.exe,” “vsserv.exe,” “PSafeSysTray.exe,” “ad-watch.exe,” “K7TSecurity.exe,” and “UnThreat.exe.”
    • Sends a login message: It encodes environment information data with the XOR key and sends it to the C2 server.

    Figure 27: Send encoded system information to C2

    • Maintains connection to the C2 server with heartbeats and waits for further commands.
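The window-title and process-name checks above are a fingerprint in their own right: a sample that carries that particular list of analysis tools and Chinese antivirus products is worth a closer look before it is ever run. The scanner below is an added example for static triage, not Fortinet’s code: it searches a binary for a subset of the report’s strings in ASCII, UTF-16LE and GBK, since a Chinese-language Windows sample may store them in any of those encodings (the encoding list is an assumption). The “sample” it scans is constructed inside the block.

```python
"""Static triage: flag binaries carrying the monitoring-tool / antivirus
strings listed in the report. Added example (not Fortinet's code).
Assumptions: strings may be stored as ASCII, UTF-16LE or GBK; the input
blob is constructed below and is not a real sample."""
from typing import Dict, List, Tuple

# Subset of the strings quoted in the report, grouped by the check that uses them.
WINDOW_TITLE_STRINGS = [
    "流量", "ApateDNS", "Malwarebytes", "TCPEye", "TaskExplorer", "CurrPorts",
    "Wireshark", "任务管理器", "资源监视器", "Fiddler", "火绒", "Capsa", "提示符",
]
AV_PROCESS_STRINGS = [
    "360Safe.exe", "360Tray.exe", "ZhuDongFangYu.exe", "kxetray.exe", "QQPCRTP.exe",
    "HipsTray.exe", "avp.exe", "Mcshield.exe", "egui.exe", "TMBMSRV.exe",
]
ENCODINGS = ("ascii", "utf-16-le", "gbk")   # assumption: how the sample may store text


def encodings_of(s: str) -> List[bytes]:
    """All byte forms of `s` we should look for (skipping encodings that cannot represent it)."""
    out = []
    for enc in ENCODINGS:
        try:
            out.append(s.encode(enc))
        except UnicodeEncodeError:
            pass
    return out


def scan(blob: bytes) -> Dict[str, List[str]]:
    """Return {category: [matched strings]} for each listed string found in any encoding."""
    result: Dict[str, List[str]] = {"window_titles": [], "av_processes": []}
    for cat, names in (("window_titles", WINDOW_TITLE_STRINGS),
                       ("av_processes", AV_PROCESS_STRINGS)):
        for name in names:
            if any(form in blob for form in encodings_of(name)):
                result[cat].append(name)
    return result


def evasion_verdict(blob: bytes, threshold: int = 3) -> Tuple[bool, int]:
    """(flagged, hit_count): flag when at least `threshold` listed strings are present."""
    r = scan(blob)
    total = len(r["window_titles"]) + len(r["av_processes"])
    return total >= threshold, total


def build_sample_blob() -> bytes:
    """Constructed stand-in for a sample: filler bytes with strings in mixed encodings."""
    filler = bytes(range(256))          # deterministic, contains none of the patterns
    parts = [
        filler, "任务管理器".encode("gbk"),           # Task Manager title, GBK
        filler[:32], "Wireshark".encode("utf-16-le"),  # wide string
        filler[:32], b"360Tray.exe",                    # plain ASCII
        filler[:32], "火绒".encode("utf-16-le"),        # Huorong, wide string
        filler[:32],
    ]
    return b"".join(parts)


if __name__ == "__main__":
    blob = build_sample_blob()
    print(scan(blob))
    print("flagged, hits:", evasion_verdict(blob))
```

Because it matches raw encodings rather than relying on a `strings`-style ASCII pass, the scanner still fires when the Chinese titles are stored in GBK and the tool names as wide strings, which is exactly the case an ASCII-only string dump would miss.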

    During this campaign’s attack, we retrieved two plugins from the command and control (C2) server, which are stored in the registry under the key “HKEY_CURRENT_USER\Console.” These modules are specifically designed to capture screenshots and manage documents. Upon receiving directives from the C2 server, these plugins facilitate uploading documents from the compromised system, enabling the attacker to gather sensitive information and discreetly monitor activities.
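Taken together, the chain leaves a short list of host and network observables that are easy to turn into detections: a DNS query for ad59t82g[.]com, t3d/t4d/t5d.tmp dropped into a randomly named folder under “C:\Program Files (x86),” a Run value named “WINDOWS” pointing at u72kOdQ.exe, a scheduled task named “Window Defender Uqdata,” a TCP connection to 202[.]79[.]173[.]4:80, and module blobs written under HKCU\Console (the “IpDate” value and a 32-hex-character value name). The block below is an added example that is not Fortinet’s code: it applies those indicators to a small set of constructed Sysmon-style events. The flat event schema (one dict per event, with `type`, `path`, `target`, `data`, `task_name`, `dst_ip`, …) and the sample events are assumptions made for the demonstration; the indicators themselves come from the report.

```python
"""Behavioural detections for the Winos4.0 chain over Sysmon-style events.
Added example (not Fortinet's code). The event schema and the sample
events below are constructed for demonstration; indicator values are
taken from the report."""
import re
from typing import Dict, List

# Indicators from the report.
C2_HOST = "ad59t82g.com"
C2_IP = "202.79.173.4"
C2_PORT = 80
TASK_NAME = "Window Defender Uqdata"
RUN_VALUE_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\WINDOWS$", re.I)
STAGE_FILE_RE = re.compile(
    r"^C:\\Program Files \(x86\)\\[^\\]+\\t[345]d\.tmp$", re.I)
CONSOLE_MODULE_RE = re.compile(
    r"^HKCU\\Console\\(IpDate|[0-9a-f]{32})$", re.I)


def classify(ev: Dict) -> List[str]:
    """Return the names of every detection this single event triggers."""
    hits: List[str] = []
    t = ev.get("type")
    if t == "dns_query" and ev.get("query", "").lower() == C2_HOST:
        hits.append("dns_query_c2_domain")
    if t == "file_create" and STAGE_FILE_RE.match(ev.get("path", "")):
        hits.append("stage_file_dropped_in_program_files_x86")
    if (t == "registry_set" and RUN_VALUE_RE.search(ev.get("target", ""))
            and "u72kodq.exe" in ev.get("data", "").lower()):
        hits.append("run_key_persistence_WINDOWS")
    if t == "task_create" and ev.get("task_name") == TASK_NAME:
        hits.append("scheduled_task_Window_Defender_Uqdata")
    if (t == "network_connect" and ev.get("dst_ip") == C2_IP
            and ev.get("dst_port") == C2_PORT):
        hits.append("tcp_connect_c2_ip")
    if t == "registry_set" and CONSOLE_MODULE_RE.match(ev.get("target", "")):
        hits.append("module_blob_under_HKCU_Console")
    return hits


def detect(events: List[Dict]) -> Dict[str, List[int]]:
    """Map each detection name to the indices of the events that fired it."""
    out: Dict[str, List[int]] = {}
    for i, ev in enumerate(events):
        for name in classify(ev):
            out.setdefault(name, []).append(i)
    return out


def chain_coverage(events: List[Dict]) -> int:
    """Number of distinct chain stages observed (0-6); several together mean a live infection."""
    return len(detect(events))


# Constructed telemetry: the first seven events mimic the chain, the last two are benign.
SAMPLE_EVENTS = [
    {"type": "dns_query", "pid": 4120, "query": "ad59t82g.com"},
    {"type": "file_create", "pid": 4120, "path": r"C:\Program Files (x86)\kq8z1m\t3d.tmp"},
    {"type": "file_create", "pid": 4120, "path": r"C:\Program Files (x86)\kq8z1m\t4d.tmp"},
    {"type": "registry_set", "pid": 4120,
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WINDOWS",
     "data": r"C:\Program Files (x86)\kq8z1m\u72kOdQ.exe"},
    {"type": "task_create", "pid": 5004, "task_name": "Window Defender Uqdata", "run_level": 1},
    {"type": "network_connect", "pid": 5212, "dst_ip": "202.79.173.4", "dst_port": 80, "proto": "tcp"},
    {"type": "registry_set", "pid": 5212,
     "target": r"HKCU\Console\d33f351a4aeea5e608853d1a56661059", "data": "<binary>"},
    {"type": "registry_set", "pid": 901, "target": r"HKCU\Console\ScreenBufferSize", "data": "0x12c0078"},
    {"type": "network_connect", "pid": 777, "dst_ip": "93.184.216.34", "dst_port": 443, "proto": "tcp"},
]

if __name__ == "__main__":
    for name, idx in detect(SAMPLE_EVENTS).items():
        print(f"{name}: events {idx}")
    print("chain stages observed:", chain_coverage(SAMPLE_EVENTS))
```

The Run-value and scheduled-task rules are the durable ones: domain and IP indicators rotate between campaigns, whereas the value name “WINDOWS,” the task name, and the habit of parking modules as values directly under HKCU\Console are implementation choices that survive infrastructure changes. The benign HKCU\Console\ScreenBufferSize event shows why the value-name pattern is constrained to “IpDate” or a 32-character hex name rather than anything under that key.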

    Figure 28: All modules are saved in the registry

    Figure 29: Module for capturing screens

    Figure 30: Module for managing documents

    Conclusion

    Winos4.0 is a powerful framework, similar to Cobalt Strike and Sliver, that supports multiple functions and makes it easy to control compromised systems. Threat campaigns leverage game-related applications to lure victims into downloading and executing the malware without caution, and then establish deep control of the system. The entire attack chain involves multiple layers of encoded data and extensive C2 communication to complete the injection. Users should be aware of any new application’s source and only download software from qualified sources.

    Fortinet Protections

    The malware described in this report is detected and blocked by FortiGuard Antivirus as:

    W32/Agent.HUJ!tr.dldr
    W32/Agent.NJD!tr
    Data/Agent.3A23!tr
    W32/Agent.501F!tr
    MSIL/Agent.93AB!tr
    W32/Agent.DCO!tr
    W32/Agent.SS!tr

    FortiGate, FortiMail, FortiClient, and FortiEDR support the FortiGuard AntiVirus service. The FortiGuard AntiVirus engine is part of each of these solutions. As a result, customers who have these products with up-to-date protections are protected.

    The FortiGuard Web Filtering Service blocks the C2 servers and downloads URLs.

    We also suggest that organizations go through Fortinet’s free training module: Fortinet Certified Fundamentals (FCF) in Cybersecurity. This module is designed to help end users learn how to identify and protect themselves from phishing attacks.

    The FortiGuard IP Reputation and Anti-Botnet Security Service proactively blocks these attacks by aggregating malicious source IP data from the Fortinet distributed network of threat sensors, CERTs, MITRE, cooperative competitors, and other global sources that collaborate to provide up-to-date threat intelligence about hostile sources.

    If you believe this or any other cybersecurity threat has impacted your organization, please contact our Global FortiGuard Incident Response Team.

    IoC

    URL

    hxxp://ad59t82g[.]com/1/lon2[.]bmp
    hxxp://ad59t82g[.]com/1/text[.]bmp
    hxxp://ad59t82g[.]com/1/d[.]bmp
    hxxp://ad59t82g[.]com/1/t2[.]bmp
    hxxp://ad59t82g[.]com/1/h[.]bmp

    IP Address/Hostname

    ad59t82g[.]com
    202[.]79[.]173[.]4

    SHA256Hash

    c9817d415d34ea3ae07094dae818ffe8e3fb1d5bcb13eb0e65fd361b7859eda7 NetDiagnotor.exe (天谕客户端检测工具)
    284cf31ebb4e7dc827374934ad0726f72e7aaef49cadc6aa59d2a2ff672d3fe8 gpatchex.exe (梦幻西游更新程序)
    b2a3aaf4eb4deb85462e1ee39c84caf2830091c1bff8014ad13147897b25e24c Duoyi (战盟安装程序)
    b763d77b7aaa83d6c4a9e749cd3c7638127e755d3dc843b15b6c4afce1f468b5 劲舞团联合登录器.exe (窗口化)
    dcdbc3b246233befa25b67909a01b835f1875f4047875ef13f1b801cd2da6fcd Duoyi (战盟安装程序)
    3fae0495fd0acc7722c2482c0ef3c6ab9ee41acbcaac46a8933c7b36b8896378 crashreporter.exe
    f41236ab5ceffc5379fcf444de358cbc6f67beb31d0e0fd3f7ed0f501eb740ff yxqxunyou.exe (英雄联盟优化)
    80b1d6411e29e51e54f20f46856d31b28e087e9244693e65d022b680c4ba00ce 劲舞团联合登录器.exe (窗口化)
    1a48347f5fc7c63cc03f30810f961133bd3912caf16ac403e11bc3491117181d manualupdate.exe (天谕手动更新工具)
    8748bb7512f16f8122779171686abe0fa0060f1126298290e240457dc90d0aa7 MatRepair.exe (反恐行动客户端修复程序)
    1354796b44239eef177431584848029161c232401a9580481dbfb5196465250e you.dll
    bef32532923903b12f04b54dd06ec81661f706c3b1397bc77c45492db3919248 you.dll
    033965f3063bc2a45e5bd3a57ffce098b9308668d70b9b3063f066df5f3e55dd you.dll
    922512203c7b9fa67e8db2f588ff4945f63e20c4bc0aafccdba749a442808ace you.dll
    04edb6585118d09205ee693a54249ed68ebbf68b3fc3d711d2aa0c815b7b3a23 shellcode
    51c7f320b95a64bcff050da86c7884bb4f89a5d00073d747f0da7345c8a4501f 学籍系统.dll
    ff0c28c81cd0afd78f78c79863c9f4c8afd9d3877a213dfc2dbb55360b7d93ab ConsoleApp2.exe
    a27dc6e5aea0c3168117cfde2adb01f73f20881fc6485b768915216c46115064 差异屏幕.vll
    8f0079a41a262536f502b4b57473effd6ab7955bc2d6e99e0910df18e990a9f6 文件管理.vll
    37104f3b3646f5ffc8c78778ec5fdc924ebb5e5756cb162c0e409d24bedf406d 上线模块.dll (online module)
    a30b68ed39c1517d10b747c2fcd7a72cb12dc8f434203243e7c50df0e56d17d0 登录模块.dll (login module)
