Winos4.0 hides in gaming apps to hijack Windows systems

Criminals are using game-related applications to infect Windows systems with a malicious software framework called Winos4.0 that gives the attackers full control over compromised machines.

The malware, which appears to be rebuilt from Gh0strat, has several components, each handling distinct functions, according to Fortinet.

The security shop spotted “multiple” samples hidden in the game installation tools, speed boosters, and optimization utilities. Fortinet says it’s similar to Cobalt Strike and Sliver – both legit red-teaming tools that are also favorites of criminals who use cracked versions for deploying ransomware and other malware, along with lateral movement, cyber espionage and other evil deeds.

Winos4.0 has been used in multiple attack campaigns including Silver Fox, a suspected Chinese-government-linked crew, we’re told.

“The entire attack chain involves multiple encrypted data and lots of C2 communication to complete the injection,” Fortinet warned. “Users should be aware of any new application’s source and only download the software from qualified sources.”

The attack begins with a gaming-related lure. Once the victim runs the application, it downloads a fake BMP file from “ad59t82g[.]com” that begins the infection process. 

The first stage is a DLL file that sets up the execution environment, injects shellcode, and establishes persistence. The DLL is named “学籍系统,” which means “student registration system,” indicating the attacker may be targeting education-sector orgs.

In the second stage, the shellcode loads APIs, retrieves the command-and-control (C2) address, and establishes communication with the attacker-controlled server.

Next, a DLL file called “上线模块” downloads encoded data from the C2 server and saves it in the registry “HKEY_CURRENT_USER \\Console\\0\\ d33f351a4aeea5e608853d1a56661059.”

Finally, in the fourth stage, the DLL file “登录模块” contains the primary payload that performs all the malicious activities on the infected machine.

It collects information about the infected host, including the IP address, computer name, operating system, CPU, disk, network card, directory name, and time. 

This module also checks to see if system monitoring-related software is running on the machine and if an anti-virus appliance is present. 

It looks for a crypto wallet extension and stores this information, while also taking screenshots, stealing documents, and monitoring user activities. 

Additionally, the final stage module establishes a persistent backdoor to the C2 server, enabling the attacker to maintain a long-term presence on the victim’s machine. ®