Winos 4.0 Malware Infects Gamers Through Malicious Game Optimization Apps

Avatar
Cybersecurity researchers are warning that a command-and-control (C&C) framework called Winos is being distributed within gaming-related applications like installation tools, speed boosters, and optimization utilities. “Winos 4.0 is an advanced malicious framework that offers comprehensive functionality, a stable architecture, and efficient control over numerous online endpoints to execute

Cybersecurity researchers are warning that a command-and-control (C&C) framework called Winos is being distributed within gaming-related applications like installation tools, speed boosters, and optimization utilities.

“Winos 4.0 is an advanced malicious framework that offers comprehensive functionality, a stable architecture, and efficient control over numerous online endpoints to execute further actions,” Fortinet FortiGuard Labs said in a report shared with The Hacker News. “Rebuilt from Gh0st RAT, it includes several modular components, each handling distinct functions.”

Campaigns distributing Winos 4.0 were documented back in June by Trend Micro and the KnownSec 404 Team. The cybersecurity companies are tracking the activity cluster under the names Void Arachne and Silver Fox.

These attacks have been observed targeting Chinese-speaking users, leveraging black hat Search Engine Optimization (SEO) tactics, social media, and messaging platforms like Telegram to distribute the malware.

Fortinet’s latest analysis shows that users who end up running the malicious game-related applications trigger a multi-stage infection process that begins with retrieving a fake BMP file from a remote server (“ad59t82g[.]com”) that’s then decoded into a dynamic-link library (DLL).

The DLL file takes care setting up the execution environment by downloading three files from the same server: t3d.tmp, t4d.tmp, and t5d.tmp, the first two of which are subsequently unpacked to obtain the next set of payloads comprising an executable (“u72kOdQ.exe”) and three DLL files, including “libcef.dll.”

“The DLL is named ‘学籍系统,’ meaning ‘Student Registration System,’ suggesting that the threat actor may be targeting educational organizations,” Fortinet said.

In the next step, the binary is employed to load “libcef.dll,” which then extracts and executes the second-stage shellcode from t5d.tmp. The malware proceeds to establish contact with its command-and-control (C2) server (“202.79.173[.]4”) using the TCP protocol and retrieve another DLL (“上线模块.dll”).

The third-stage DLL, part of Winos 4.0, downloads encoded data from the C2 server, a fresh DLL module (“登录模块.dll”) that’s responsible for harvesting system information, copying clipboard content, gathering data from cryptocurrency wallet extensions like OKX Wallet and MetaMask, and facilitating backdoor functionality by awaiting further commands from the server.

Winos 4.0 also enables the delivery of additional plugins from the C2 server that allow it to capture screenshots and upload sensitive documents from the compromised system.

“Winos 4.0 is a powerful framework, similar to Cobalt Strike and Sliver, that can support multiple functions and easily control compromised systems,” Fortinet said. “Threat campaigns leverage game-related applications to lure a victim to download and execute the malware without caution and successfully deploy deep control of the system.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

 The Hacker News 

Total
0
Shares
Previous Post

South Korea Fines Meta $15.67M for Illegally Sharing Sensitive User Data with Advertisers

Next Post

VEILDrive Attack Exploits Microsoft Services to Evade Detection and Distribute Malware

Related Posts

NHIs Are the Future of Cybersecurity: Meet NHIDR

The frequency and sophistication of modern cyberattacks are surging, making it increasingly challenging for organizations to protect sensitive data and critical infrastructure. When attackers compromise a non-human identity (NHI), they can swiftly exploit it to move laterally across systems, identifying vulnerabilities and compromising additional NHIs in minutes. While organizations often take
Avatar
Read More