New Malware Campaign Targets Windows Users Through Gaming Apps

A new malware strain, Winos4.0, is actively used in cyberattack campaigns. Discovered by FortiGuard Labs, this advanced malicious framework, which evolved from the infamous Gh0strat, is equipped with modular components enabling a range of malicious activities on compromised devices. These attacks have been identified in gaming-related applications like installation tools and optimization utilities, which serve as delivery mechanisms for the malware.

Winos4.0 provides threat actors with comprehensive functionality, stability, and control over targeted systems, allowing them to carry out complex commands remotely. FortiGuard Labs reported seeing this framework deployed in campaigns such as “Silver Fox,” indicating its capability to infiltrate and exploit systems widely.

The malware campaign leverages gaming-related software, which includes optimization and installation tools, to reach unsuspecting users. Once a victim runs the infected application, the malware retrieves a disguised BMP file from a remote server, initiating a sequence of decodings and executions that load malicious components.

The Attack Chain

Stage One: Initial Access and DLL Execution: After installation, the malicious application downloads and decodes several files. These files are stored in a randomly named directory in the Program Files directory and decoded with specific passwords and XOR keys. These steps culminate in the extraction and execution of the primary malicious file, “libcef.dll,” which is used to inject shellcode into the system. Notably, file names like “Student Registration System” suggest potential targeting of the educational sector.

Stage Two: Configuration and C2 Communication: Winos4.0 establishes communication with a command-and-control (C2) server, receiving instructions and downloading modules to continue its attack. The malware sends “x32” to the C2 server as a check-in mechanism, receiving encrypted data that includes additional attack modules.

Stage Three: Persistence and C2 Server Updates: The malware establishes persistence by creating scheduled tasks and updating registry entries with encoded data. It also monitors and stores the primary C2 server address in the registry, ensuring continued access to control functions on the compromised device.

Final Stage: Information Collection and Monitoring: Winos4.0 includes extensive capabilities for data gathering, including clipboard monitoring and system scans. The malware identifies anti-virus applications and monitoring tools, collects system details, and checks for crypto wallet extensions. Upon finding specific software or files, it initiates data collection and uploads sensitive information to the C2 server.

Recommendations for Protection

The Winos4.0 framework bears similarities to known attack tools like Cobalt Strike and Sliver, spotlighting its potential as a useful instrument for unauthorized system control and data theft. By using gaming-related applications to disguise its deployment, Winos4.0 can silently infiltrate systems and gain persistent control, which, researchers said, is a particular risk to users in the education sector.

To protect against Winos4.0, users are urged to follow these best practices:

• Download only from verified sources: Avoid downloading applications from unofficial or untrusted platforms.
• Use reputable antivirus software: Enable real-time protection and regularly update antivirus tools to detect malicious frameworks.
• Monitor system activities: Keep track of unexpected changes or suspicious activities on the system, such as new scheduled tasks or unfamiliar files in the registry.

Winos4.0 is a sophisticated framework designed for deep system infiltration. Its use of multiple layers of encryption and C2 communication illustrates the importance of vigilance in downloading new applications and reinforces the need for robust endpoint security solutions.