Introduction

The Winos 4.0 malware framework, a sophisticated command-and-control (C&C) system [1], has been discovered targeting Chinese-speaking Microsoft Windows gamers through various gaming-related applications. This advanced malware [3], derived from the Gh0st RAT architecture [1], is used in attack campaigns like Silver Fox and employs a multi-stage strategy with modular components, allowing attackers extensive control over compromised systems [1] [4] [7].

Description

A sophisticated command-and-control (C&C) malware framework known as “Winos 4.0” has been identified within various gaming-related applications, including installation tools, speed boosters, and optimization utilities [1] [2] [3] [4] [6] [7], specifically targeting Chinese-speaking Microsoft Windows gamers. This advanced malware, rebuilt from the notorious Gh0st RAT architecture [1] [3], has been used in attack campaigns such as Silver Fox and employs a multi-stage attack strategy with modular components that each perform a different function, allowing attackers to gain extensive control over compromised systems [4] [7], similar to other post-exploitation frameworks such as Cobalt Strike and Sliver [1] [3] [4].

Winos 4.0 spreads through the distribution of these game-related applications [7], often leveraging black hat Search Engine Optimization (SEO) tactics and social media platforms such as Telegram to reach potential victims. Upon execution, the malware retrieves a seemingly harmless bitmap image file from a remote server identified as ad59t82g.com [2] [4] [6]; the file is then XOR-decoded to extract a dynamic-link library (DLL), which is executed. This DLL, which may carry names such as “you.dll” or “学籍系统” (‘Student Registration System’ or ‘Campus Administration’) [1] [3] [4], sets up the execution environment by downloading additional payloads and creating a folder under “C:\Program Files (x86)”.
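As an added illustration of the bitmap-to-DLL stage described above (this is not code from the original page or from any of the cited reports), the Python below shows how an analyst could check a fetched bitmap for a PE image hidden under single-byte XOR. The single-byte key, the 54-byte BMP header offset, and the sample bitmap are assumptions constructed here; the real Winos 4.0 encoding scheme may differ.

```python
"""
Analyst helper for a bitmap that XOR-decodes to a DLL.
Assumptions (not stated on the page): one-byte XOR key applied to the
pixel data after a standard 54-byte BMP header. The sample bitmap built
below is constructed for this example, not a real Winos 4.0 artefact.
"""
import struct

BMP_HEADER_LEN = 54  # BITMAPFILEHEADER (14) + BITMAPINFOHEADER (40)


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def looks_like_pe(blob: bytes) -> bool:
    """True if blob has an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def recover_xor_key(bitmap: bytes, offset: int = BMP_HEADER_LEN):
    """Try every one-byte key on the pixel data; return (key, decoded) or None."""
    body = bitmap[offset:]
    for key in range(256):
        # Cheap pre-check on the first two bytes before decoding the whole body.
        if len(body) < 2 or xor_bytes(body[:2], key) != b"MZ":
            continue
        candidate = xor_bytes(body, key)
        if looks_like_pe(candidate):
            return key, candidate
    return None


def fake_pe() -> bytes:
    """Constructed stub with a valid MZ/PE signature layout (not a loadable DLL)."""
    stub = bytearray(0x80)
    stub[:2] = b"MZ"
    struct.pack_into("<I", stub, 0x3C, 0x40)  # e_lfanew -> 0x40
    stub[0x40:0x44] = b"PE\0\0"
    return bytes(stub)


def build_sample_bitmap(payload: bytes, key: int) -> bytes:
    """Constructed test input: minimal BMP header followed by XOR-obfuscated payload."""
    size = BMP_HEADER_LEN + len(payload)
    file_header = b"BM" + struct.pack("<IHHI", size, 0, 0, BMP_HEADER_LEN)
    info_header = struct.pack("<IiiHHIIiiII", 40, 16, 16, 1, 24, 0, len(payload), 0, 0, 0, 0)
    return file_header + info_header + xor_bytes(payload, key)


if __name__ == "__main__":
    found = recover_xor_key(build_sample_bitmap(fake_pe(), key=0x5A))
    print("recovered key: 0x%02x" % found[0] if found else "no PE image found")
```

On a real sample, a miss here only means the single-byte assumption does not hold, not that the file is clean; a multi-byte key or a different payload offset would need a wider search.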

The initial stage of Winos 4.0 establishes a foundation for deploying further modules and ensures persistence on the infected device by adding an executable to the Windows registry and potentially creating scheduled tasks. Subsequent stages involve establishing contact with the command-and-control (C2) server, allowing the malware to download additional DLLs responsible for gathering system information, clipboard content [1], and sensitive data from cryptocurrency wallet extensions such as OKX Wallet and MetaMask [1]. It can also assess the presence of Chrome anti-virus extensions [6], capture screenshots [1] [3] [6], and manage documents [3] [6], enabling attackers to upload sensitive information and monitor user activities [6].

Operating with multiple layers of encryption and C2 communication, Winos 4.0 effectively executes its payload while maintaining stealth. Security researchers emphasize the importance of exercising caution regarding the sources of new applications, advising users to download software only from trusted and reputable providers and to utilize virus scanning tools to mitigate the risk of infection. The primary focus of Winos 4.0 attacks is the education sector [5], highlighting the need for vigilance among users against potential threats.

Conclusion

The emergence of Winos 4.0 underscores the evolving threat landscape faced by users, particularly within the gaming and education sectors. To mitigate the risks associated with such sophisticated malware, it is crucial for users to remain vigilant, ensuring that software is sourced from reputable providers and employing robust security measures, including virus scanning tools [5]. As cyber threats continue to advance, ongoing awareness and proactive defense strategies will be essential in safeguarding against future attacks.

References

[1] https://thehackernews.com/2024/11/new-winos-40-malware-infects-gamers.html
[2] https://www.darkreading.com/threat-intelligence/chinese-gamers-targeted-winos40-framework-scam
[3] https://www.hendryadrian.com/threat-campaign-distributes-winos4-0-via-gaming-app/
[4] https://www.fortinet.com/blog/threat-research/threat-campaign-spreads-winos4-through-game-application
[5] https://thenimblenerd.com/article/beware-winos4-0-malware-masquerades-as-gaming-apps-to-hack-your-pc/
[6] https://www.forbes.com/sites/daveywinder/2024/11/06/windows-gamers-in-danger-as-new-winos40-hackers-pull-the-trigger/
[7] https://www.infosecurity-magazine.com/news/winos40-malware-found-game-windows/