Cybersecurity experts have identified a new threat targeting Windows gamers: the malicious Winos4.0 framework, which disguises itself as game installation and optimization tools. First discovered by Fortinet’s FortiGuard Labs, Winos4.0 has rapidly evolved into a sophisticated malware platform with extensive control capabilities over infected systems. Below, we explore how Winos4.0 works, its impact on users, and the sectors at risk.
What is Winos4.0 and how does it work?
Winos4.0 is a malware framework that embeds itself within seemingly benign applications related to gaming, such as speed boosters and installation tools. This malware uses multiple stages to penetrate, establish persistence, and allow attackers to remotely control compromised systems. According to Fortinet, the first stage of the infection begins when a user unknowingly downloads a tainted gaming application. Once installed, Winos4.0 initiates a multi-step infection process:
- Download and execute malicious files: The malicious application retrieves a disguised .bmp file from an external server. The file extracts a dynamic link library (DLL) file that enables the malware to integrate into the system.
- Registry modifications: The malware uses the DLL file to set up a persistent environment by creating registry keys. This ensures that Winos4.0 remains active even after the system restarts.
- Shellcode injection and API loading: In the following steps, the malware injects shellcode to load application programming interfaces (APIs), retrieve configuration data, and establish a command-and-control (C2) connection.
- Advanced C2 communication: Winos4.0 frequently communicates with C2 servers, allowing remote operators to send commands and download additional modules for further exploitation.
Fortinet emphasizes that “Winos4.0 is a powerful framework… that can support multiple functions and easily control compromised systems,” urging users to avoid downloading unverified software.
Winos4.0’s malicious capabilities
Once fully embedded in a user’s system, Winos4.0 can perform a variety of harmful actions that endanger user privacy and data security. Key functions of Winos4.0 include:
- System monitoring: The malware collects system information such as IP addresses, operating system details, and CPU specifications.
- Screen and clipboard capture: Winos4.0 can take screenshots and monitor the clipboard, potentially capturing sensitive information, including passwords and cryptocurrency wallet addresses.
- Surveillance and data exfiltration: The malware uses its connection to C2 servers to exfiltrate data from the infected system, enabling attackers to gather documents, intercept screen activity, and monitor clipboard content.
- Anti-detection mechanisms: Winos4.0 checks for the presence of antivirus software from vendors like Kaspersky, Bitdefender, and Malwarebytes. If it detects such software, it adjusts its behavior to avoid detection or halts execution altogether.
Beware of Octo2 malware targeting European banks, disguised as popular apps
Fortinet’s research also points out that Winos4.0 specifically looks for crypto-wallet activity on infected systems, highlighting the financial motivations behind the malware’s design.
Winos4.0 may also be used to infiltrate educational institutions. FortiGuard Labs noted references in the malware’s code that suggest potential targeting of systems in the education sector. For instance, a file labeled “Campus Administration” was found within Winos4.0’s structure, pointing to a possible effort to access administrative systems in schools and universities.
A history of targeting specific regions
According to reports from cybersecurity companies Trend Micro and Fortinet, Winos4.0 is primarily distributed in regions where users may be more likely to download modified software versions, such as China. Campaigns like Silver Fox and Void Arachne have used Winos4.0 to exploit Chinese-speaking users, leveraging social media, search engine optimization tactics, and messaging apps like Telegram to distribute the malware.
These campaigns reflect an increasing trend where hackers adapt malware distribution strategies based on geographic and cultural factors, luring victims with software versions tailored for specific regions.
Experts note that Winos4.0 shares similarities with other well-known malware frameworks, such as Cobalt Strike and Sliver. Like these frameworks, Winos4.0 allows attackers to control systems remotely and deploy various functions that facilitate data theft, monitoring, and exploitation.
The modular nature of Winos4.0 means it can be easily updated and modified, making it a versatile tool for cybercriminals. Its resemblance to Cobalt Strike and Sliver implies that Winos4.0 could potentially serve as a long-term platform for sustained cyber attacks across different user groups.
Indicators of Compromise (IoCs)
Fortinet has published a list of Indicators of Compromise (IoCs) associated with Winos4.0, which include specific files and registry keys. Users can reference these IoCs to check for signs of infection. Notable indicators include:
- DLL files like you.dll and modules with Chinese filenames such as “上线模块.dll” (login module).
- Registry modifications in paths like “HKEY_CURRENT_USER\\Console\\0” where encrypted data is stored and C2 addresses are updated.
These IoCs are vital for organizations and individuals to detect and respond to Winos4.0 infections proactively.
Current protections and recommendations
As of now, Fortinet’s antivirus solutions have integrated protection mechanisms to detect and block Winos4.0. While the company has yet to release a detailed removal guide, Fortinet encourages users to monitor downloaded software closely.
Experts recommend the following precautions to minimize the risk of infection:
- Only download trusted software: Fortinet advises users to download applications exclusively from reputable sources and to be cautious with gaming optimization tools that may appear on unofficial websites.
- Regularly update security software: Updating antivirus software can help in detecting emerging malware threats, including Winos4.0.
- Monitor network traffic: Unusual network activity or connections to unknown servers may indicate the presence of malware like Winos4.0.
Featured image credit: Kerem Gülen/Midjourney
