Winos4.0 “Online Module” Staging Component Used in CleverSoar Campaign

Adversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters and Cyber Analysts who hunt, investigate, contain and respond to threats within minutes.

We have discovered some of the most dangerous threats and nation state attacks in our space – including the Kaseya MSP breach and the more_eggs malware.

Our Security Operations Centers are supported with Threat Intelligence, Tactical Threat Response and Advanced Threat Analytics driven by our Threat Response Unit – the TRU team.

In TRU Positives, eSentire’s Threat Response Unit (TRU) provides a summary of a recent threat investigation. We outline how we responded to the confirmed threat and what recommendations we have going forward.

Here’s the latest from our TRU Team…

What did we find?

In late November 2024, the eSentire Threat Response Unit (TRU) identified an ongoing campaign involving a new and highly evasive malware installer dubbed “CleverSoar” by Rapid7 Labs. CleverSoar has been found targeting primarily Chinese and Vietnamese-speaking users via malicious installer packages distributed through poisoned web search results. The installer package deploys the advanced post-exploitation toolkit Winos4.0 framework and the Nidhogg rootkit.

As previously reported by Rapid7 Labs, a custom backdoor was identified, however we have found this is in fact a staging component of the Winos4.0 framework named “上线模块” which translates to “Online Module”.

Re-engineered from Gh0strat, Winos4.0 framework integrates several modular components and has become an increasingly prevalent threat targeting Windows users. The control panel for Winos4.0 features a vast amount of functionality, enabled by numerous plugins and can be seen in Figure 1 below.

Upon execution, the Winos4.0 stager parses a hard-coded configuration that is slightly obfuscated (reversed). Each configuration value is delimited by the “|” character (Figure 2).

The following table lists the configuration values that were identified in our analysis.

If the registry value “HKEY_CURRENT_USERConsoleIpDate” is present, it is parsed and used rather than the hard-coded configuration described above (Figure 3).

The stager then resolves the main C2 domain (p1) via the Windows API gethostname() and connects to the resolved address over UDP port 8000 using sockets. It is worth noting that TCP is also supported by the stager and packets look very similar.

Additionally, if after so many attempts communication fails with the main C2 server, the second and third servers are tried.

After the C2 is resolved and a connection is established over the port specified in the config (8000), the send function transmits the encryption key to the C2. This encryption key secures communications between the threat actor server and victim machine (Figure 4).

The first four bytes of the encryption key stream stem from a call to the Windows API timeGetTime(). The remaining bytes are hard-coded and vary between samples.

The algorithm used to encrypt/decrypt communication can be seen below in Figure 6, where each byte of the encryption key is transformed by a modulus with 0x1C8 and 0x36 is added to the resulting byte, then the byte is XOR’d with each byte of the request or response to encrypt/decrypt.

The following python code can be utilized to encrypt and decrypt communications with the C2 (sample response data and encryption key are included).

The next packet sent from the C2 to the stager is an MD5 of the final stage (Login Module).

Upon decoding the encrypted data using the python script, we can see the MD5 “c9cb53ecfed9c0deec10651b37c64103” of the Login Module is returned in the buffer (wide string formatted).

Next, the stager sends a request to the C2 to retrieve the Login Module “登录模块.dll”. The response has been decrypted and is shown below:

After receiving it, the stager deletes the registry key/value HKEY_LOCAL_MACHINESoftwareIpDates_info via the Windows API RegDeleteW() prior to executing the Login Module. Note, this fails in the event the stager is running without elevated privileges. The registry value is then updated with the latest configuration information, including C2 addresses/ports, version, comment, etc.

The Login Module’s entrypoint is then called as shown in the last line of the following figure. Although not configured to do so in this instance, the stager also supports executing the Login Module via the Process Hollowing technique [T1055.012] against the legitimate Windows system binary, “C:WindowsSystem32tracerpt.exe”.

The following table contains a list of all of the registry keys used by the stager and their associated purpose.

What did we do?

• Our team of 24/7 SOC Cyber Analysts isolated the affected host to contain the infection.
• We communicated what happened with the customer and helped them with remediation efforts.

What can you learn from this TRU Positive?

• The CleverSoar campaign is a sophisticated threat targeting Chinese and Vietnamese speaking users that is primarily distributed via driver assistant and game optimization applications in web search results.
• Across the threat landscape, MSI installers have become increasingly prevalent for initial access, highlighting the need to monitor these file types more closely.

Recommendations from the Threat Response Unit (TRU):

Indicators of Compromise

Full Research: https://www.esentire.com/blog/winos4-0-online-module-staging-component-used-in-cleversoar-campaign