Behind the Great Wall Void Arachne Targets Chinese-Speaking Users With the Winos 4.0 CC Framework

Initial access

We observed multiple initial access vectors that the Void Arachne threat actor group uses to distribute malware across the web and through social media platforms. These distribution methods include an infrastructure staged for SEO poisoning and malicious package distribution across Chinese-language-themed Telegram channels.

SEO poisoning (T1608.006)

For this campaign, Void Arachne set up a web infrastructure that is used for SEO poisoning that deployed spear-phishing links (T1566.002) disguised as legitimate software installers to lure potential victims. These links are hosted on web servers disguised as legitimate websites so that the Void Arachne threat group can proceed to make them rank high on search engines via SEO poisoning. 

These links contain MSI installers for common software targeting Chinese-speaking users such as Google Chrome, Chinese language packs for popular software, and VPNs such as LetsVPN and 快連VPN (also known as Quick VPN or  Kuilian VPN). When these malicious MSI files or archive files are downloaded and executed, they would bootstrap the infection process. To the victim, it appears as if the intended software was installed. However, unbeknownst to them, additional malware is installed that beacons back to the attacker’s C&C server.

Because MSI files are bundled software installers, threat actors can include backdoors and additional malware within the file bundle that are executed without the end user’s knowledge during the installation process.

In this campaign, the Void Arachne group created subdomains of the domain webcamcn[.]xyz to act as C&C servers for the various  MSI files. As the campaign progressed, various subdomains were added to this root domain.

Targeting VPN-related technologies for spearphishing

Internet connectivity in the People’s Republic of China is subject to strict regulation through a combination of legislative measures and technological controls collectively known as the Great Firewall of China. Due to strict government control, VPN services and public interest in this technology have notably increased. This has, in turn, enhanced threat actors’ interest in exploiting the heightened public interest in software that can evade the Great Firewall and online censorship.

We discovered that the VPN “快連VPN” is a common phishing and SEO poisoning vector used to target Chinese-speakers and the broader East Asian community.  We have evidence of multiple distinct Chinese-speaking threat actors creating spear-phishing links and using SEO poisoning tactics by bundling this VPN with malware that includes Gh0st RAT and its variants.

Spearphishing through Telegram

We observed several Telegram channels, some of which had tens of thousands of Chinese-speaking users, advertising malicious archives and MSI files as an additional distribution method. The malicious packages are in what appear to be Simplified Chinese language packs for Telegram as well as various AI tools.

VPN-related Telegram channels

Like what’s being promoted in Void Arachne’s SEO poisoning campaign, we also observed the same malicious MSI files being shared in Chinese language-centric Telegram Channels. These channels are all related to VPN technology and the malicious MSI files were shared across several Telegram channels. 

This is like other campaigns we’ve observed wherein after threat actors conduct SEO-poisoning tactics, they then share links to these malicious sites or upload related files on social media and messaging applications.

Malicious Simplified Chinese language packs for Telegram

A common malicious software package we observed is what appears to be a Telegram language pack for the Simplified Chinese language. (Telegram does offer a translation of its app in Simple Chinese, which may be found here.)

Using infected language packs as an infection vector is an interesting method, especially for the Chinese language, which has an estimated 1.3 billion native speakers. Some applications require language packs for a more localized user experience in regional markets, leaving these users potentially vulnerable to this kind of attack.

Nudifier AI technologies promoted on Telegram channels

A concerning trend we have recently observed is the mass proliferation of nudifier applications that abuse AI to create  AI-generated nonconsensual deepfake pornography. These images and videos are often used in sextortion schemes for further abuse, victim harassment, and financial gain.

Figure 6 shows a screenshot of a video on the Void Arachne Telegram channel where a photo of a woman was used to generate a deepfake pornographic video of using AI technology.

We’ve observed that the threat actors pinned the malicious MSI file to the top of their Telegram channels to increase the chances of infecting users who are interested in using this type of technology.

The malicious installer files are advertised on social media and Telegram channels and are intended to lure unsuspecting victims, potentially even minors. Based on an initial Simplified Chinese to English translation of their advertisement via Google Translate, the malicious actors are also targeting young individuals who are still in school with their use of the phrase “female classmate.”

Just have appropriate entertainment and satisfy your own lustful desires. Do not send it to the other party or harass the other party. Once you call the police, you will be in constant trouble! AI takes off clothes, you give me photos and I will make pictures for you. Do you want to see the female classmate you yearn for, the female colleague you have a crush on, the relatives and friends you eat and live with at home? Do you want to see them naked? Now you can realize your dream, you can see them naked and lustful for a pack of cigarette money.

A Simplified Chinese to English translation of an advertisement that promotes nudifiers or deepfake pornography-generating software on the threat actor’s Telegram channel

Void Arachne also advertised AI technologies that could be used for virtual kidnapping, which is a novel deception campaign that uses misinformation through AI voice-alternating technology to pressure victims into paying ransom.

Voice-altering and face-swapping AI technologies promoted on Telegram

In addition to fake nudifier applications, we saw additional channels advertising face-swapping and voice-changing software. Like the rise of nudifiers and deepfake-generating applications, we have also observed the rise of AI-powered apps that have face-swapping and voice-altering capabilities.

We’ve found that malicious MSI files were shared and pinned on various AI video and voice manipulation Telegram channels.

Figure 10 shows a screen capture of a threat actor video posted on Void Arachne’s Telegram channel wherein the malicious actor can be seen using AI face- and voice-cloning technology on a WhatsApp call. Figure 12, on the other hand, shows a malicious voice-altering and face-swapping AI app installer on Telegram. 

The MSI file performs several tasks, such as creating scheduled tasks and configuring firewall parameters. Specifically, we have observed the creation and configuration of firewall rules via the OnFwConfig and OnFwInstall functions from NetFirewall.dll, which are designed to whitelist both inbound and outbound traffic associated with the malware for the public network profile only.

Figure 16 shows the configuration of the inbound firewall rule created to enable unrestricted access for the malware when connected to public networks, ensuring that the malware can operate without interruption.

It then identifies the encrypted data section within the file. The initial part of the file structure contains a flag set to 1, which indicates encryption. The loader uses the Rivest Cipher 4 (RC4) algorithm with the key “0x678E0B00” to decrypt this data. After decryption, the payload, which is now executable code, is mapped into the process’s memory space and executed.

The decryption key structure is defined as follows:

struct decryption_key_struct {
uint32_t memory_cleanup; // Flag for memory cleanup after decryption
uint32_t keySize;        // Size of the decryption key
char key[];              // Decryption key
};

The following code snippet demonstrates the core part of the loader logic:

The following snippet demonstrates the decrypted file 1 structure in memory:

netsh advfirewall firewall add rule name=”Safe1″ dir=in action=allow program=” C:Program Files (x86)Common FilesMicrosoft SharedVGXapp-3.4.0LetsPRO.exe”

Finally, the malware passes the execution to the Winos 4.0 stager in memory.

Winos 4.0 C&C framework overview

The final payload of this attack is the Winos 4.0 implant, which is written in C++ and targets the Windows platform. Winos has features that include file management, distributed denial of service (DDoS) using TCP/UDP/ ICMP/HTTP, full disk search, webcam control, and screen capturing. Additionally, it supports many functionalities including process injection and microphone recording, system and service management, remote shell access, and keylogging functionalities, further enhancing its ability to control and monitor the infected system.

The encryption algorithm begins by preparing a block of data and a key, adjusting the buffer to ensure that there is sufficient space to work with both. The key is then appended to the beginning of the data that needs to be encrypted. The algorithm proceeds with the encryption process, which involves a loop that processes each byte of data. For each byte, a specific byte from the key is selected and transformed by taking its modulus with a hardcoded value (0x1C8) and then adding another hardcoded value (0x36) to it. This transformed key is then used to XOR with the current byte of the data, resulting in the encrypted byte that replaces the original byte in the data. Every ten bytes, the algorithm resets the pointer to the beginning of the key, ensuring that the key is reused cyclically.

It should be noted that, based on our analysis, the value 0x1C8 remained the same in all the samples used in this campaign and several other attacks. However, we have observed that some variants found in the wild use different values, such as 0x7C5, indicating that this value might change from sample to sample. However, the value 0x36 remained the same in all the variants we analyzed.

Next, the C&C server responds with a magic value of “04” and a unique 16-byte identifier in UTF-16 format. In some Winos variants, this identifier is the MD5 hash of the DLL module that will be downloaded. Figure 30 is an example of the C&C server response to network traffic.

Figure 31 shows a decrypted packet data section.

The stager then sends the next-stage payload plugin, named 登录模块.dll (LoginModule.dll), to the C&C server.

Figure 33 shows the decrypted packet data section.

The C&C server response contains the following information:

• Module name
• Module hash
• Binary loader shellcode
• DLL module binary file

The stager then saves the decrypted C&C server response (the plugin and its configuration) into the Windows Registry. It uses the name “d33f351a4aeea5e608853d1a56661059” and stores it under the key path HKEY_CURRENT_USERConsole for 32-bit plugins or HKEY_CURRENT_USERConsole1 for 64-bit plugins.

Finally, to execute the module, the stager locates the shellcode section within the response received from the C&C server at offset 0xA44 and transfers control to the shellcode.

Winos main implant analysis

The 登录模块.dll (LoginModule.dll) is a fundamental component of Winos 4.0, serving as the core plugin manager for the system. This module is responsible for handling every action and command executed by the operator, which are transmitted via the C&C server as DLL plugins. These plugins extend the functionality of the implant.

Upon receiving the response from the C&C server, the implant stores these DLL plugins in the Windows registry paths HKEY_CURRENT_USERConsole for 32-bit systems or HKEY_CURRENT_USERConsole1 for 64-bit systems. Subsequently, the implant loads and uses these plugins to perform various tasks, enhancing its operational capabilities. This modular approach allows for a highly flexible and extensible framework, enabling the efficient execution of diverse functions as required by the operator.

Once the 登录模块.dll (LoginModule.dll) plugin is downloaded, the execution of this module is based on the previously mentioned configuration. The malware creates a thread to collect clipboard data and keystrokes. It also employs a specific mutex for this thread, which is named 测试备注  (Test Notes).

Next, the malware chooses one of the three available C&C configurations. Before initiating the socket, it checks whether the antianalysis feature is configured to run. If this feature is configured, the malware verifies the presence of monitoring software by inspecting the window titles of running processes. If such software is detected, the malware enters sleep mode.

Below is a list of monitoring software that the malware detects:

• 流量（Flow）             
• TaskExplorer
• Wireshark
• Fiddler
• Process
• ApateDNS
• CurrPorts
• 任务管理器（Task manager）
• 火绒（Tinder）
• 提示符（Prompt）
• Malwarebytes
• Port
• 资源监视器（Resource monitor）
• Capsa
• TCPEye
• Metascan
• 网络分析（Network analysis）
• Sniff

The malware collects system information from an infected machine, including the IP address, computer name, antivirus software, operating system details, and hardware ID (HWID).

Figure 40 shows the initial packet that the malware sends.