Hackers Increasingly Use Winos 4.0 Post-Exploitation Kit in Attacks Against Gamers

Summary: Hackers are increasingly using the Winos4.0 framework to target Windows users, particularly in China, by distributing it through seemingly harmless game-related applications. This malicious toolkit functions similarly to other post-exploitation frameworks, allowing attackers to maintain persistent control over compromised systems.

Threat Actor: Void Arachne/Silver Fox | Void Arachne/Silver Fox
Victim: Chinese Users | Chinese Users

Key Point :

  • Winos4.0 is distributed through modified game-related apps that appear legitimate.
  • The infection process involves multiple stages, including downloading additional files and establishing a connection to a command-and-control server.
  • The malware collects sensitive information, checks for security tools, and maintains a persistent backdoor for further exploitation.
  • Indicators of compromise (IoCs) related to Winos4.0 are documented by Fortinet and Trend Micro.

Hackers increasingly use Winos4.0 post-exploitation kit in attacks

Hackers are increasingly targeting Windows users with the malicious Winos4.0 framework, distributed via seemingly benign game-related apps.

The toolkit is the equivalent of Sliver and Cobalt Strike post-exploitation frameworks and it was documented by Trend Micro this summer in a report on attacks against Chinese users.

At the time, a threat actor tracked as Void Arachne/Silver Fox lured victims with offers of various software (VPNs, Google Chrome browser) modified for the Chinese market that bundled the malicious component.

A report today from cybersecurity company Fortinet indicates an evolution in the activity, with hackers now relying on games and game-related files in their continued targeting of Chinese users.

Malicious files infecting users with Winos4.0
Malicious files infecting users with Winos4.0
Source: Fortinet

When the seemingly legitimate installers are executed, they download a DLL file from “ad59t82g[.]com” to initiate a multi-step infection process.

In the first stage, a DLL file (you.dll) downloads additional files, sets up the execution environment, and establishes persistence by adding entries in the Windows Registry.

In the second stage, injected shellcode loads APIs, retrieves configuration data, and establishes a connection to the command-and-control (C2) server.

In the third phase, another DLL (上线模块.dll) retrieves extra encoded data from the C2 server, stores it in the registry at “HKEY_CURRENT_USERConsole” and updates the C2 addresses.

Malware modules added onto the Registry
Malware modules added onto the Registry
Source: Fortinet

In the last stage of the attack chain, the login module (登录模块.dll) is loaded, which performs the primary malicious actions:

  • Collects system and environment information (e.g., IP address, OS details, CPU).
  • Checks for anti-virus and monitoring software running on the host.
  • Gathers data on specific cryptocurrency wallet extensions used by the victim.
  • Maintains a persistent backdoor connection to the C2 server, allowing the attacker to issue commands and retrieve additional data.
  • Exfiltrates data after taking screenshots, monitoring for clipboard changes, and stealing documents.
Complete Winos4.0 attack chain
Complete Winos4.0 attack chain
Source: Fortinet

Winos4.0 checks for a variety of security tools on the system, including Kaspersky, Avast, Avira, Symantec, Bitdefender, Dr.Web, Malwarebytes, McAfee, AhnLab, ESET, Panda Security, and the now discontinued Microsoft Security Essentials.

By identifying these processes, the malware determines if it is running in a monitored environment and adjusts its behavior accordingly, or halts execution.

Hackers have continued using the Winos4.0 framework for several months now, and seeing new campaigns emerging is an indication that its role in malicious operations appears to have solidified.

Fortinet describes the framework as a powerful one that can be used to control compromised systems, with functionality similar to Cobalt Strike and Sliver. Indicators of compromise (IoCs) are available in the reports from Fortinet and Trend Micro.

Source: https://www.bleepingcomputer.com/news/security/hackers-increasingly-use-winos40-post-exploitation-kit-in-attacks