Researchers are warning of an advanced malicious framework called Winos4.0 that’s getting distributed in the installation tools, speed boosters, and optimization utilities for gaming applications.
The framework is rebuilt from Gh0strat with several modular components, each of them handling different functions; the framework has been deployed in several attack campaigns such as Silver Fox and Void Arachne.
“Winos4.0 is an advanced malicious framework that offers comprehensive functionality, a stable architecture, and efficient control over numerous online endpoints to execute further actions,” Fortinet FortiGuard Labs researchers stated.
The campaigns using this framework have been previously documented by Trend Micro and the KnownSec 404 Team and have been observed targeting Chinese-speaking users, leveraging SEO tactics, social media, and messaging platforms like Telegram to distribute the malware.
Once the victim runs the application, it retrieves a fake BMP file from the server ad59t82g[.]com. The DLL is then extracted from that file, and it is this DLL that sets up the execution environment, according to the researchers.
The attack chain passes through multiple stages of encrypted data and C2 communication before the injection of the malware is complete.
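The fake-BMP delivery step described above lends itself to a simple defensive check. The following is an added example, not code from the article or from Fortinet's research; it assumes the disguised file is a real BMP container with extra data appended, and because the article describes the payload as encrypted, the plaintext "MZ" scan is only one of several heuristics.

```python
"""Heuristic check for files that claim to be BMP images but carry extra data.

Added example (not from the Dark Reading article or Fortinet's research).
Assumptions: the suspect file is a BMP container with data appended after the
pixel array; an embedded PE marker ('MZ') may or may not be in cleartext.
"""
import struct

BMP_MAGIC = b"BM"
BMP_FILE_HEADER_LEN = 14  # BITMAPFILEHEADER is always 14 bytes


def analyse_bmp(data: bytes) -> dict:
    """Return findings for a blob that claims to be a BMP image."""
    findings = {"valid_magic": False, "size_mismatch": False,
                "trailing_bytes": 0, "embedded_pe": False}
    if len(data) < BMP_FILE_HEADER_LEN or data[:2] != BMP_MAGIC:
        # Not a BMP at all; still report a cleartext PE marker if present.
        findings["embedded_pe"] = b"MZ" in data
        return findings
    findings["valid_magic"] = True
    # BITMAPFILEHEADER after 'BM': uint32 file size, 2x uint16 reserved, uint32 pixel offset
    declared_size, _, _, _pixel_offset = struct.unpack_from("<IHHI", data, 2)
    findings["size_mismatch"] = declared_size != len(data)
    findings["trailing_bytes"] = max(0, len(data) - declared_size)
    # A PE marker anywhere past the file header is a strong indicator of a disguised binary.
    findings["embedded_pe"] = b"MZ" in data[BMP_FILE_HEADER_LEN:]
    return findings


def is_suspicious(data: bytes) -> bool:
    """True when the blob fails the BMP structure checks or carries a PE marker."""
    f = analyse_bmp(data)
    return (not f["valid_magic"]) or f["size_mismatch"] or f["embedded_pe"]


def make_bmp(payload: bytes = b"") -> bytes:
    """Construct a minimal 1x1 24-bit BMP (constructed sample), optionally with appended data."""
    pixel = b"\x00\x00\xff\x00"  # one BGR pixel padded to a 4-byte row
    dib = struct.pack("<IiiHHIIiiII", 40, 1, 1, 1, 24, 0, len(pixel), 2835, 2835, 0, 0)
    body = dib + pixel
    size = BMP_FILE_HEADER_LEN + len(body)
    header = BMP_MAGIC + struct.pack("<IHHI", size, 0, 0, BMP_FILE_HEADER_LEN + len(dib))
    return header + body + payload


if __name__ == "__main__":
    print(analyse_bmp(make_bmp()))
    print(analyse_bmp(make_bmp(b"MZ\x90\x00" + b"\x00" * 60)))
```

Size mismatch alone is not proof of tampering (some tools write a wrong size field), so treat the findings as triage signals to combine with the download source, as the article advises.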
“Threat campaigns leverage game-related applications to lure a victim to download and execute the malware without caution and successfully deploy deep control of the system,” the Fortinet researchers added. Users should check where any new application comes from and download software only from reputable sources.