Hackers increasingly use Winos4.0 post-exploitation kit in attacks

November 6, 2024 at 04:28PM

Hackers are increasingly using the Winos4.0 framework to target Windows users, especially in China, through game-related apps. The malware executes a multi-step infection process, collects system data, and can evade security tools. Fortinet and Trend Micro have noted its potent capabilities, indicating a rise in malicious campaigns.

### Meeting Takeaways

1. **Threat Overview**: The Winos4.0 framework is increasingly targeting Windows users, primarily distributed through seemingly benign game-related applications.

2. **Framework Comparison**: Winos4.0 is comparable to established post-exploitation frameworks like Sliver and Cobalt Strike, indicating a high level of sophistication in its operation.

3. **Initial Attacks**: The threat actor, identified as Void Arachne/Silver Fox, previously attracted victims by offering modified software (VPNs and Google Chrome) tailored for the Chinese market.

4. **Evolution of Tactics**: According to Fortinet’s report, hackers are now leveraging games and game-related files to infect users.

5. **Infection Process**:
– **Stage 1**: Legitimate installers download a malicious DLL from “ad59t82g[.]com,” setting up the infection and creating persistence in the Windows Registry.
– **Stage 2**: Shellcode loads APIs, retrieves configuration data, and connects to the command-and-control (C2) server.
– **Stage 3**: Additional DLLs are retrieved to store information and update C2 addresses.
– **Stage 4**: The login module executes the main malicious actions, including data exfiltration via screenshots, clipboard monitoring, and document theft.

6. **Anti-Antivirus Measures**: Winos4.0 checks for a range of security tools and adapts to their presence, either changing its activity or halting execution altogether when it detects that it is being monitored.

7. **Long-Term Threat**: The consistent use of the Winos4.0 framework indicates its established role in malicious operations, underscoring its potency and continued relevance.

8. **Indicators of Compromise (IoCs)**: Detailed IoCs have been shared in Fortinet and Trend Micro reports, aiding in the detection and mitigation of this specific threat.

9. **Related Malware**: Mentions of other malicious entities like “SteelFox” and “Pygmy Goat” highlight ongoing vulnerabilities and threats faced by Windows users.

10. **Action Items**: Review the reports from Fortinet and Trend Micro for IoCs and recommended protective measures to mitigate the risks associated with Winos4.0 and related threats.
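The stage 1 download domain (item 5) and the published IoCs (item 8) are the most directly actionable detail in this summary. The script below is an added example, not code from the article or from Fortinet or Trend Micro: it refangs a defanged indicator, then scans log lines for hosts that equal the IoC domain or sit beneath it, while rejecting look-alike names that merely contain the string. The only indicator used is the one quoted above; the proxy and DNS log lines are constructed for the example, and the line formats are assumptions rather than any particular product's output.

```python
import re

# Indicator taken from the summary above, in the defanged form it was published in.
DEFANGED_IOCS = ["ad59t82g[.]com"]

# Constructed sample log lines (not real telemetry); squid-like proxy and DNS-style entries.
SAMPLE_LOGS = [
    "1730900000.123 10.0.0.5 TCP_MISS/200 GET http://ad59t82g.com/update.dll",
    "1730900001.456 10.0.0.7 TCP_MISS/200 GET https://www.example.com/index.html",
    "1730900002.789 10.0.0.5 query: cdn.ad59t82g.com IN A",
    "1730900003.000 10.0.0.9 query: ad59t82g.com.evil-lookalike.net IN A",
]

# Candidate hostnames: dotted labels ending in an alphabetic TLD (skips IPs and timestamps).
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)


def refang(ioc: str) -> str:
    """Turn a defanged indicator ('[.]', 'hxxp') back into a matchable string."""
    return ioc.replace("[.]", ".").replace("hxxp", "http").lower()


def matches_domain(host: str, ioc_domain: str) -> bool:
    """True if host is the IoC domain or a subdomain of it.

    A suffix check with a leading dot prevents 'notad59t82g.com' or
    'ad59t82g.com.evil-lookalike.net' from counting as hits.
    """
    host = host.lower().rstrip(".")
    return host == ioc_domain or host.endswith("." + ioc_domain)


def scan_logs(lines, defanged_iocs=DEFANGED_IOCS):
    """Return (line_number, ioc_domain, matched_host) for every log line that hits an IoC."""
    iocs = [refang(i) for i in defanged_iocs]
    hits = []
    for lineno, line in enumerate(lines, 1):
        for host in HOST_RE.findall(line):
            for ioc in iocs:
                if matches_domain(host, ioc):
                    hits.append((lineno, ioc, host.lower()))
    return hits


if __name__ == "__main__":
    for lineno, ioc, host in scan_logs(SAMPLE_LOGS):
        print(f"line {lineno}: host {host} matches IoC {ioc}")
```

Running the block against the constructed lines flags lines 1 and 3 only; line 4 is deliberately a look-alike that a naive substring search would have reported. Feeding real proxy or resolver logs through `scan_logs` with the full IoC lists from the Fortinet and Trend Micro reports is the intended use.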
