
New Malware Campaign Targets Windows Users via Gaming Apps


Researchers at Fortinet's FortiGuard Labs have identified Winos4.0, a malicious framework that is being actively used in attack campaigns. Winos4.0 is derived from the long-established Gh0st RAT remote-access trojan and is built from modular components that support a range of malicious activity on a compromised device. The observed attacks deliver Winos4.0 through gaming-related applications, such as installation tools and optimization utilities, which act as the delivery mechanism for the malware.

Winos4.0 gives its operators broad functionality, a stable foothold and full remote control of the targeted system, so that complex commands can be executed remotely. FortiGuard Labs, which analysed the framework, reports having seen it deployed in earlier campaigns such as "Silver Fox", which indicates that the framework is already in operational use rather than a proof of concept.

The current campaign reaches unsuspecting users through gaming-related software. Once the victim runs the tainted application, it retrieves a file disguised as a BMP image from a remote server, and that file starts a sequence of decoding and execution steps that loads the malicious components onto the device.

The Winos4.0 attack chain runs through several stages aimed at deep system infiltration followed by malicious activity. In the initial access and DLL execution stage, the malicious application downloads and decodes files until it executes the primary malicious file, "libcef.dll", which injects shellcode into the system. File names observed at this stage, such as "Student Registration System", suggest that the education sector is among the intended targets.

Next, in the configuration and C2 communication stage, Winos4.0 establishes contact with a command-and-control server to receive instructions and download the modules used in the attack. It also establishes persistence by creating scheduled tasks and writing encoded data into registry entries, so that its control functions survive reboots on the compromised device.
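The two behaviours described above, a payload hidden behind a BMP header and encoded data parked in autorun registry values or scheduled-task actions, can be triaged with a few header and entropy checks. The Python below is an added example run on constructed samples; it is not code from FortiGuard Labs or from this article. It assumes the "disguised BMP" keeps a valid bitmap header with the payload appended after the pixel array, and that the persistence task launches libcef.dll through rundll32 from a user-writable directory; the registry paths, the task name and the "ExampleVendor" key are placeholders.

```python
import base64
import binascii
import hashlib
import math
import re
import struct

FILE_HDR = "<2sIHHI"       # BITMAPFILEHEADER: bfType, bfSize, reserved x2, bfOffBits
INFO_HDR = "<IiiHHIIiiII"  # BITMAPINFOHEADER: biSize, width, height, planes, bpp, ...


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8.0 for encrypted or compressed data, far lower for a flat image."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in (data.count(b) for b in set(data)))


def bmp_inconsistencies(blob: bytes) -> list[str]:
    """Reasons why `blob` is not a plain bitmap; [] means the header, declared size
    and pixel array agree and nothing follows the pixels."""
    if len(blob) < 54:
        return ["shorter than BITMAPFILEHEADER + BITMAPINFOHEADER"]
    magic, bf_size, _, _, off_bits = struct.unpack_from(FILE_HDR, blob, 0)
    if magic != b"BM":
        return [f"magic is {magic.hex()} not 'BM'"]
    _, width, height, _, bpp = struct.unpack_from(INFO_HDR, blob, 14)[:5]
    stride = ((abs(width) * bpp + 31) // 32) * 4      # rows are padded to 4 bytes
    pixel_end = off_bits + stride * abs(height)
    findings = []
    if bf_size != len(blob):
        findings.append(f"declared size {bf_size} != actual {len(blob)}")
    if pixel_end > len(blob):
        return findings + ["pixel array runs past end of file"]
    trailing = blob[pixel_end:]
    if trailing:
        findings.append(f"{len(trailing)} bytes after the pixel array")
        ent = shannon_entropy(trailing)
        if ent > 7.0:
            findings.append(f"trailing data entropy {ent:.2f} bits/byte, looks encrypted")
    return findings


def pseudo_random(n: int, seed: bytes) -> bytes:
    """Deterministic high-entropy filler standing in for an encrypted payload (constructed)."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


def make_bmp(width: int, height: int, trailer: bytes = b"") -> bytes:
    """24-bit solid-red BMP; `trailer` is appended and bfSize adjusted to cover it,
    so a size check alone would pass."""
    stride = ((width * 24 + 31) // 32) * 4
    pixels = (b"\x00\x00\xff" * width).ljust(stride, b"\x00") * height
    file_hdr = struct.pack(FILE_HDR, b"BM", 54 + len(pixels) + len(trailer), 0, 0, 54)
    info_hdr = struct.pack(INFO_HDR, 40, width, height, 1, 24, 0, len(pixels), 2835, 2835, 0, 0)
    return file_hdr + info_hdr + pixels + trailer


B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
USER_WRITABLE = re.compile(r"(?i)\\(Users\\Public|AppData|Temp|ProgramData)\\")
LOLBIN = re.compile(r"(?i)\b(rundll32|regsvr32)\b")


def suspicious_persistence(entries: dict[str, str]) -> dict[str, list[str]]:
    """entries: {Run-key value or task action -> string data}. Flags long base64 runs
    that decode to high-entropy bytes, and rundll32/regsvr32 loading from a
    user-writable directory (an assumption of this example, not an article detail)."""
    flagged = {}
    for location, data in entries.items():
        reasons = []
        if m := B64_RUN.search(data):
            token = m.group(0)
            try:
                raw = base64.b64decode(token + "=" * (-len(token) % 4))
                if shannon_entropy(raw) > 6.0:
                    reasons.append(f"base64 blob decodes to {len(raw)} high-entropy bytes")
            except binascii.Error:
                pass
        if LOLBIN.search(data) and USER_WRITABLE.search(data):
            reasons.append("rundll32/regsvr32 loading a DLL from a user-writable path")
        if reasons:
            flagged[location] = reasons
    return flagged


# Constructed samples: a genuine 4x2 image, the same image with a 4 KiB "encrypted"
# trailer, a PE-like file renamed to .bmp, and three persistence entries.
GENUINE_BMP = make_bmp(4, 2)
DISGUISED_BMP = make_bmp(4, 2, trailer=pseudo_random(4096, b"payload"))
RENAMED_PE = b"MZ\x90\x00" + bytes(60)
SAMPLE_ENTRIES = {
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive":
        r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background',
    r"Task \Microsoft\Windows\Updater, action (constructed)":
        r"rundll32.exe C:\Users\Public\Libraries\libcef.dll,Run",
    r"HKLM\SOFTWARE\ExampleVendor\cfg (constructed)":
        base64.b64encode(pseudo_random(512, b"cfg")).decode(),
}

if __name__ == "__main__":
    for name, blob in [("genuine", GENUINE_BMP), ("disguised", DISGUISED_BMP), ("renamed PE", RENAMED_PE)]:
        print(f"{name}: {bmp_inconsistencies(blob) or 'clean'}")
    for location, reasons in suspicious_persistence(SAMPLE_ENTRIES).items():
        print(f"{location}: {reasons}")
```

A photograph's pixel array can itself score above 7 bits per byte, which is why the entropy test is applied only to bytes that follow the pixel array and not to the image itself; a renamed PE fails on the magic check before any of that runs. To use the checks on a live host, read the downloaded file as bytes and feed the string data of `Run` values and `schtasks` actions into `suspicious_persistence`; treat a single finding as a triage lead, not a verdict.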

In the final stage, Winos4.0 turns to information collection and monitoring, with capabilities such as clipboard monitoring and system scans. It identifies installed anti-virus products, gathers system details and checks for cryptocurrency-wallet browser extensions before collecting the data and uploading it to the C2 server.

Given the sophistication of the Winos4.0 framework, users should take precautions against it: install software only from verified sources, run reputable antivirus software with real-time protection enabled, and watch for unexpected system changes or suspicious behaviour, such as new scheduled tasks or registry autorun entries that were not created by a known installer.

Winos4.0’s utilization of gaming-related applications as a disguise underscores the importance of vigilance in downloading new applications and highlights the need for robust endpoint security solutions. By staying informed about the evolving threats posed by malware strains like Winos4.0, users can better safeguard their systems and data from unauthorized access and potential theft.
