Cybersecurity researchers warn that a command and control (C&C) system called Vinos distributed in game-related applications such as installers, speed boosters, and optimization utilities.
“Winos 4.0 is an advanced malware framework that offers comprehensive functionality, a stable architecture, and effective control over multiple online endpoints for further action.” – Fortinet FortiGuard Labs said in a report shared with The Hacker News. “Rebuilt from v Gh0st RATit includes several modular components, each of which performs a different function.’
Winos 4.0 distribution campaigns were documented in June by Trend Micro and the KnownSec 404 team. Cybersecurity companies are tracking a cluster of activity called Void Arachne and Silver Fox.
Attacks on Chinese-speaking users have been observed using search engine optimization (SEO) tactics, social media and messaging platforms such as Telegram to spread malware.
Fortinet’s latest analysis shows that users who end up running game-related malware run a multi-step infection process that begins by receiving a fake BMP file from a remote server (“ad59t82g(.)com”), which is then decoded into a dynamic -link library (DLL).
The DLL takes care of setting up the runtime environment by downloading three files from the same server: t3d.tmp, t4d.tmp, and t5d.tmp, the first two of which are then unpacked to produce the next set of payloads that comprise the executable. (“u72kOdQ.exe”) and three DLL files, including “libcef.dll.”
“The DLL is called ‘学籍电视’, which stands for ‘Student Registration System,’ which suggests that the threat actor may be targeting educational organizations,” Fortinet said.
In the next step, the binary is used to load “libcef.dll”, which then extracts and executes the second step shellcode from t5d.tmp. The malware establishes contact with its command-and-control (C2) server (“202.79.173(.)4” using the TCP protocol) and obtains another DLL (“上线设计.dll”).
A third-tier DLL, part of Winos 4.0, downloads encoded data from the C2 server, a fresh DLL module (“பிர்கும் மாட்டு.dll”) responsible for collecting system information, copying clipboard contents, collecting data from cryptocurrency wallet extensions such as OKX Wallet and MetaMask, as well as facilitating backdoor functionality by waiting for further commands from the server.
Winos 4.0 also allows the delivery of additional plugins from the C2 server that allow you to take screenshots and download sensitive documents from a compromised system.
“Winos4.0 is a powerful framework similar to Cobalt Strike and Sliver that can support multiple functions and easily monitor compromised systems,” Fortinet said. “Threat companies use game-related applications to lure victims into downloading and running malicious software without caution and successfully deploy deep system checks.”
