Winos4.0 abuses gaming apps to infect, control Windows machines

November 7, 2024 at 09:34PM

Criminals are exploiting game-related apps to deploy the Winos4.0 malware, which grants full control over infected Windows systems. This sophisticated framework, reminiscent of Gh0strat, targets the education sector. The attack chain involves several encrypted exchanges with the attacker's server, collection of sensitive information, and a persistent backdoor that gives the operators ongoing control over, and monitoring of, victims' activities.

### Meeting Takeaways

1. **Malware Overview**:
– Criminals are leveraging game-related applications to install a malware framework called **Winos4.0** that enables full control over infected Windows systems.
– This malware appears to be a reconstruction of **Gh0strat** and contains various components responsible for different malicious functions.

2. **Detection and Similarities**:
– Fortinet has identified multiple samples of Winos4.0 hidden within game installation tools, speed boosters, and optimization utilities.
– The malware shares characteristics with legitimate red-teaming tools like **Cobalt Strike** and **Sliver**, often misused by criminals for deploying ransomware and conducting cyber espionage.

3. **Attack Campaigns**:
– Winos4.0 has been linked to several attack campaigns, including one associated with a suspected Chinese government-linked group named **Silver Fox**.

4. **Attack Process**:
– **Initial Vector**: The attack starts with a gaming-related lure. Upon downloading and running the application, it fetches a fake BMP file from **ad59t82g[.]com**, initiating the infection.
– **Stage 1**: A DLL file named **"学籍系统"** (meaning "student registration system") sets up the environment and establishes persistence.
– **Stage 2**: The shellcode loads APIs, finds the command-and-control (C2) address, and starts communicating with the attacker-controlled server.
– **Stage 3**: Another DLL, **"上线模块"** (meaning "online module"), retrieves encoded data from the C2 server and saves it to a specific registry key.
– **Stage 4**: The final module, **"登录模块"** (meaning "login module"), carries out the major malicious tasks, including data collection, system monitoring, and establishing a persistent backdoor for ongoing access.
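
A small triage helper for the fake-BMP first stage described in the attack process above, added here as an example that is not part of the original article or of Fortinet's analysis: it checks whether bytes served under a .bmp name are structurally a BMP at all, and flags fetches from the domain the report names. The sample BMP, the URLs and the function names are constructed for this illustration.

```python
"""Triage helpers for the 'fake BMP' first-stage download described above."""
import struct

# Defanged domain quoted in the report; re-fanged only for string matching.
IOC_DOMAIN = "ad59t82g[.]com".replace("[.]", ".")
# DIB header sizes defined by the BMP format (CORE, INFO, V2, V3, V4, V5).
VALID_DIB_SIZES = {12, 40, 52, 56, 108, 124}


def is_plausible_bmp(data: bytes) -> bool:
    """True only if data begins with a structurally consistent BMP header.
    A payload that merely borrows the .bmp extension usually fails one of these:
    wrong signature, nonsense file size, unknown DIB header size, or a
    pixel-data offset that points outside the file.
    """
    if len(data) < 14 + 12:  # file header plus the smallest DIB header
        return False
    sig, size, _r1, _r2, pix_off = struct.unpack("<2sIHHI", data[:14])
    if sig != b"BM":
        return False
    if size not in (0, len(data)):  # some writers leave bfSize as 0
        return False
    dib_size = struct.unpack("<I", data[14:18])[0]
    if dib_size not in VALID_DIB_SIZES:
        return False
    return 14 + dib_size <= pix_off <= len(data)


def classify_download(url: str, data: bytes) -> str:
    """Return 'ioc-domain', 'fake-bmp' or 'ok' for one fetched resource."""
    host = url.split("//", 1)[-1].split("/", 1)[0].lower()
    if host == IOC_DOMAIN or host.endswith("." + IOC_DOMAIN):
        return "ioc-domain"
    if url.lower().endswith(".bmp") and not is_plausible_bmp(data):
        return "fake-bmp"
    return "ok"


def build_sample_bmp() -> bytes:
    """Constructed 1x1 24-bit BMP used as the benign reference (not a real sample)."""
    pixel = b"\xff\x00\x00\x00"  # one BGR pixel plus one byte of row padding
    dib = struct.pack("<IiiHHIIiiII", 40, 1, 1, 1, 24, 0, len(pixel), 2835, 2835, 0, 0)
    hdr = struct.pack("<2sIHHI", b"BM", 14 + len(dib) + len(pixel), 0, 0, 14 + len(dib))
    return hdr + dib + pixel


if __name__ == "__main__":
    print(classify_download("http://cdn.example.invalid/logo.bmp", build_sample_bmp()))
    print(classify_download("http://cdn.example.invalid/logo.bmp", b"BM" + bytes(range(40))))
```

Header-shape checks like this catch payloads that only borrow an image extension; a real image that fails them is worth a look too, but the decisive signal in this campaign is the contact with the named domain.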

5. **Data Collected**:
– The malware gathers comprehensive information about the infected system, such as IP address, operating system details, hardware specifications, and checks for any security measures in place.

6. **User Precautions**:
– Users are strongly advised to be cautious when downloading applications, ensuring they only source software from trusted and verified origins to avoid infection.
