November 6, 2024 at 04:28PM
Hackers are increasingly using the Winos4.0 framework to target Windows users, especially in China, through game-related apps. The malware executes a multi-step infection process, collects system data, and can evade security tools. Fortinet and Trend Micro have noted its potent capabilities, indicating a rise in malicious campaigns.
### Meeting Takeaways
1. **Threat Overview**: The Winos4.0 framework is increasingly targeting Windows users, primarily distributed through seemingly benign game-related applications.
2. **Framework Comparison**: Winos4.0 is comparable to established post-exploitation frameworks like Sliver and Cobalt Strike, indicating a high level of sophistication in its operation.
3. **Initial Attacks**: The threat actor, identified as Void Arachne/Silver Fox, previously attracted victims by offering modified software (VPNs and Google Chrome) tailored for the Chinese market.
4. **Evolution of Tactics**: According to Fortinet’s report, hackers are now leveraging games and game-related files to infect users.
5. **Infection Process**:
   - **Stage 1**: Legitimate installers download a malicious DLL from “ad59t82g[.]com,” setting up the infection and creating persistence in the Windows Registry.
   - **Stage 2**: Shellcode loads APIs, retrieves configuration data, and connects to the command-and-control (C2) server.
   - **Stage 3**: Additional DLLs are retrieved to store information and update C2 addresses.
   - **Stage 4**: The login module executes the main malicious actions, including data exfiltration via screenshots, clipboard monitoring, and document theft.
6. **Anti-Anti-Virus Measures**: Winos4.0 identifies various security tools and adjusts its behavior based on their presence, either altering its activity or ceasing execution if it detects monitoring.
7. **Long-Term Threat**: The consistent use of the Winos4.0 framework indicates its established role in malicious operations, underscoring its potency and continued relevance.
8. **Indicators of Compromise (IoCs)**: Detailed IoCs have been shared in Fortinet and Trend Micro reports, aiding in the detection and mitigation of this specific threat.
9. **Related Malware**: The source also mentions other malware families, such as “SteelFox” and “Pygmy Goat,” underscoring the ongoing vulnerabilities and threats faced by Windows users.
10. **Action Items**: Review the reports from Fortinet and Trend Micro for IoCs and recommended protective measures to mitigate the risks associated with Winos4.0 and related threats.
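As a practical starting point for the action item above, here is a small detection routine, added as an example (it is not code from Fortinet, Trend Micro, or the original post): it refangs the defanged Stage 1 domain and flags proxy log lines whose host is that domain or a subdomain of it. The log lines, client addresses, and every hostname other than the IoC are constructed for the example.

```python
import re

# Indicator from the reporting summarised above, kept in its defanged form.
DEFANGED_IOCS = ["ad59t82g[.]com"]


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('example[.]com', 'hxxp://...') into a matchable hostname."""
    host = indicator.strip().lower()
    host = re.sub(r"^hxxps?://", "", host)
    host = host.replace("[.]", ".").replace("(.)", ".").replace("[dot]", ".")
    return host.split("/")[0]


def host_matches(hostname: str, ioc_host: str) -> bool:
    """True if hostname equals the IoC or is a subdomain of it; 'notad59t82g.com' must not match."""
    hostname = hostname.lower().rstrip(".")
    return hostname == ioc_host or hostname.endswith("." + ioc_host)


# Constructed sample proxy log (not from the reports): timestamp, client IP, method, URL.
SAMPLE_PROXY_LOG = """\
2024-11-06T16:10:02Z 10.0.4.21 GET http://cdn.ad59t82g.com/update/lib.dll
2024-11-06T16:10:05Z 10.0.4.21 GET https://www.microsoft.com/en-us/
2024-11-06T16:12:40Z 10.0.7.9 GET http://notad59t82g.com/index.html
2024-11-06T16:13:11Z 10.0.7.9 GET http://AD59T82G.COM/c2
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)$")


def scan_proxy_log(text: str, defanged_iocs=DEFANGED_IOCS):
    """Return (timestamp, client, host, ioc) for every line whose URL host matches an IoC."""
    iocs = [refang(i) for i in defanged_iocs]
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        # Strip scheme, path and port to get the bare hostname.
        host = re.sub(r"^[a-z]+://", "", m.group("url"), flags=re.I).split("/")[0].split(":")[0]
        for ioc in iocs:
            if host_matches(host, ioc):
                hits.append((m.group("ts"), m.group("client"), host.lower(), ioc))
                break
    return hits


if __name__ == "__main__":
    for ts, client, host, ioc in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{ts} {client} contacted {host} (matches IoC {ioc})")
```

Extend `DEFANGED_IOCS` with the full domain list from the vendor reports before running it against real proxy or DNS logs.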