New Malware Winos4.0 Targets Windows Users in Gaming, Education
Quick take - A new malware called Winos4.0, targeting Microsoft Windows users particularly in gaming and educational applications, has been identified as a medium-level threat with advanced capabilities, including a modular architecture and persistent backdoor functionality. Security experts advise users to download applications only from trusted sources.
Fast Facts
- Winos4.0 is a medium-level malware threat targeting Microsoft Windows users, particularly in gaming and educational applications, derived from the previous Gh0strat malware.
- The malware employs a modular architecture, allowing it to perform various malicious functions, including establishing persistence and communicating with a command and control (C2) server.
- It is distributed through seemingly benign game-related applications, which, when executed, download and execute additional malicious files, including a main payload linked to educational systems.
- Winos4.0 can capture system information, manage documents, and take screenshots, showcasing its extensive capabilities.
- FortiGuard Antivirus can detect and block Winos4.0, and users are advised to download applications only from trusted sources to reduce the risk of infection.
New Wave of Malware: Winos4.0 Targets Windows Users
A new wave of malware, identified as Winos4.0, has been targeting Microsoft Windows users, particularly impacting platforms associated with gaming and educational applications. Winos4.0 is classified as a medium-level threat and is an advanced malicious framework derived from a previous malware known as Gh0strat. The framework features a modular architecture that enables a variety of functionalities.
Attack Campaigns and Discovery
Winos4.0 has been employed in several attack campaigns, including one dubbed “Silver Fox.” FortiGuard Labs has reported the discovery of multiple samples of Winos4.0, which are concealed within gaming-related applications. These applications include installation tools, speed boosters, and optimization utilities.
Analysis of a decoded dynamic link library (DLL) file indicates potential targeting of the education sector. The file description “校园政务” (Campus Administration) suggests infiltration of educational institutions. The attack vector begins with the distribution of seemingly benign game-related applications. When a victim executes the malicious application, it retrieves a decoy BMP file from a remote server, which is subsequently XOR-decoded to extract a DLL file named “you.dll.”
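As an added example (not code from the FortiGuard report), a small triage helper for the decoy-image trick described above: it tries every single-byte XOR key against a blob, reports the offsets where a plausible PE header appears (an "MZ" stub whose e_lfanew field points at "PE\0\0"), and carves the decoded image for further analysis. The sample blob, its 14-byte BMP-style header and the key 0x37 are constructed; the article does not give the real sample's key or layout.

```python
import struct

# Constructed sample (not a file from the campaign): a 14-byte BMP-style header followed by a
# minimal PE skeleton ("MZ" stub, e_lfanew = 0x40, "PE\0\0" signature) XOR-encoded with key 0x37.
XOR_KEY = 0x37
FAKE_PE = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x00" * 16
SAMPLE_BLOB = b"BM" + b"\x00" * 12 + bytes(b ^ XOR_KEY for b in FAKE_PE)


def looks_like_pe(data: bytes, off: int) -> bool:
    """True if data[off:] starts with an MZ stub whose e_lfanew points at a PE signature."""
    if data[off:off + 2] != b"MZ" or off + 0x40 > len(data):
        return False
    e_lfanew = struct.unpack_from("<I", data, off + 0x3C)[0]
    if not 0x40 <= e_lfanew < 0x1000:  # sane range for a real image; rejects random matches
        return False
    return data[off + e_lfanew:off + e_lfanew + 4] == b"PE\x00\x00"


def find_xor_pe(blob: bytes):
    """Try every single-byte XOR key; return (key, offset) pairs where a PE header appears."""
    hits = []
    for key in range(256):
        decoded = bytes(b ^ key for b in blob)
        pos = decoded.find(b"MZ")
        while pos != -1:
            if looks_like_pe(decoded, pos):
                hits.append((key, pos))
            pos = decoded.find(b"MZ", pos + 1)
    return hits


def carve(blob: bytes, key: int, offset: int) -> bytes:
    """Decode the blob from the given offset onward, yielding the embedded image."""
    return bytes(b ^ key for b in blob[offset:])


if __name__ == "__main__":
    for key, off in find_xor_pe(SAMPLE_BLOB):
        image = carve(SAMPLE_BLOB, key, off)
        print(f"PE header with XOR key 0x{key:02x} at offset {off}; carved {len(image)} bytes")
```

On a real decoy the carved bytes can be handed to a PE parser or hashed and compared against the report's SHA256 indicators.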
Execution and Persistence
The DLL is responsible for setting up the execution environment and downloading additional malicious files from the same server. Upon execution, the malware creates a randomly named folder in “C:\Program Files (x86)” and saves several files with temporary names. Notably, it extracts a file named “t3d.tmp,” which upon decryption reveals three legitimate files: u72kOdQ.exe, MSVCP140.dll, and VCRUNTIME140.dll. The main malicious payload, “libcef.dll,” is derived from another file, “t4d.tmp,” and is linked to the name “学籍系统” (Student Registration System).
Winos4.0 establishes persistence on the compromised machine by adding its executable to the Windows registry. The malware checks for a specific window class name; if the specified window is not detected, it executes the downloaded application. If the window is found, a scheduled task is created to execute the application at predetermined intervals, running with the highest privileges to ensure continuous operation.
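One defender-side check for the persistence pattern described above, added here as example code rather than anything from the article: audit an exported Task Scheduler XML definition for a task that runs with the HighestAvailable run level, repeats on a timer, and executes from a folder under Program Files (x86) that is not on a caller-supplied trusted list. The task XML and the folder name k3x9qz are constructed; u72kOdQ.exe and the Program Files (x86) location are the ones the article names.

```python
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed task definition in Task Scheduler XML (not a real artifact from the campaign).
# "k3x9qz" stands in for the randomly named folder the article describes under Program Files (x86).
SAMPLE_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger><Repetition><Interval>PT10M</Interval></Repetition></TimeTrigger></Triggers>
  <Principals><Principal id="Author"><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec><Command>C:\\Program Files (x86)\\k3x9qz\\u72kOdQ.exe</Command></Exec></Actions>
</Task>"""


def audit_task(xml_text: str, trusted_dirs=()):
    """Return findings for one exported task; an empty list means the pattern did not match."""
    root = ET.fromstring(xml_text)
    trusted = {d.lower() for d in trusted_dirs}
    findings = []
    for cmd_el in root.findall("t:Actions/t:Exec/t:Command", NS):
        cmd = (cmd_el.text or "").strip().strip('"')
        parts = PureWindowsPath(cmd).parts  # ('C:\\', 'Program Files (x86)', '<folder>', '<exe>')
        if len(parts) >= 4 and parts[1].lower() == "program files (x86)" and parts[2].lower() not in trusted:
            findings.append(f"executes from unrecognised Program Files (x86) folder: {cmd}")
    if not findings:
        return findings
    # Only escalate the path finding with privilege and timing details when the path is already odd.
    run_level = root.findtext("t:Principals/t:Principal/t:RunLevel", default="", namespaces=NS)
    if run_level == "HighestAvailable":
        findings.append("principal run level is HighestAvailable")
    interval = root.findtext("t:Triggers/t:TimeTrigger/t:Repetition/t:Interval", default="", namespaces=NS)
    if interval:
        findings.append(f"repeats every {interval} (ISO 8601 duration)")
    return findings


if __name__ == "__main__":
    for line in audit_task(SAMPLE_TASK, trusted_dirs=("Common Files", "Microsoft")):
        print("-", line)
```

Exported definitions for a live system can be obtained with `schtasks /query /xml` and fed through the same function one task at a time.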
Capabilities and Mitigation
As the malware progresses through its stages, it decodes additional files and injects shellcode to perform various actions within the infected environment. This shellcode dynamically loads application programming interfaces (APIs) and retrieves configuration data from a designated marker string. The malware connects to a command and control (C2) server, sending check-in messages to facilitate ongoing communication.
Within the third stage of the attack, Winos4.0 checks registry values and retrieves further encoded data from the C2 server, which is also recorded for future reference. The final stage is characterized by a module that collects system information, performs environment checks, and maintains core backdoor functionalities. This module can identify specific applications and detect crypto wallet extensions, transmitting encoded environment information back to the C2 server while remaining ready for further commands.
During the campaign, two plugins were retrieved from the C2 server, designed for capturing screenshots and managing documents, highlighting the malware’s extensive capabilities. FortiGuard Antivirus has been able to detect and block the malware, supported by FortiGate, FortiMail, FortiClient, and FortiEDR. The FortiGuard Web Filtering Service actively blocks known C2 servers and download URLs associated with Winos4.0.
Users are strongly advised to download applications only from trusted sources to mitigate the risk of falling victim to such threats. The article includes a comprehensive list of indicators of compromise (IoCs), including URLs, IP addresses, and SHA256 hashes of files linked to the malware, providing crucial information for security professionals and users alike to aid in identifying and mitigating this threat.
Original Source: Read the Full Article Here