Cybersecurity researchers at Fortinet’s FortiGuard Labs have discovered a new malware campaign that targets Microsoft Windows users. The malware, called Winos4.0, is hidden within gaming-related applications such as installation tools, speed boosters, and optimization utilities. When users download and run these apps, they act as Trojan horses and install the Winos4.0 framework on the system.
The researchers found several samples of this malware and analyzed a decoded DLL file. They learned that the malware may be targeting the education sector based on the file description “校园政务” which means “Campus Administration” in Chinese. Winos4.0 is an advanced malware framework that offers a wide range of functions, a stable architecture, and efficient control over many online endpoints.
It is rebuilt from Gh0stRat, a powerful remote access Trojan created by the Chinese hacking group C. Rufus Security Team in 2008. The framework has several modular components, each handling different functions.
The Winos4.0 framework has already been used in multiple attack campaigns such as Silver Fox.
Winos4.0 targets Windows gamers
The multi-stage attack begins by retrieving a fake BMP file from a remote server, which is then decoded to extract a DLL file named “you.dll.” This file is loaded to proceed to the next stage.
“You.dll” downloads three files from a remote path, creates a folder with a random name, and extracts the files into it. One of them contains clean files, while another contains the main malicious file, “libcef.dll.” The extracted files then load “libcef.dll,” which injects shellcode and decodes a further file using an XOR key. The injected shellcode resolves the APIs it needs, retrieves configuration data, and establishes a connection to the C2 server over TCP.
The C2 server responds with encrypted data, which is decrypted using XOR, and a module is executed. The module downloads data from the C2 server, records its address in the registry, and sets the stage for the final phase of the attack. The last stage launches a file that performs various tasks such as enabling crash restart, recording clipboard content, checking for specific applications, collecting system information, checking for crypto wallet extensions and anti-virus appliances, sending login messages, and maintaining a connection to the C2 server.
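The first stage above relies on a "BMP" that is really an encoded DLL. As an added defensive example (not Fortinet's analysis code and not anything from the malware), the following Python checks whether a downloaded file that claims to be a bitmap actually has a consistent BMP header and image-like pixel data; the entropy threshold and the field names are illustrative assumptions.

```python
import math
import struct

# Added example for the fake-BMP stage described above; it is not Fortinet's
# analysis code and not the malware's. Thresholds are illustrative assumptions.
BMP_HEADER_LEN = 14  # 'BM', file size, two reserved words, pixel data offset

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def inspect_bmp(data: bytes, entropy_threshold: float = 7.0) -> dict:
    """Check a blob claiming to be a BMP; flag header inconsistencies or encoded-looking pixel data."""
    findings = {"magic_ok": False, "size_ok": False, "offset_ok": False,
                "entropy": 0.0, "suspicious": True}
    if len(data) < BMP_HEADER_LEN or data[:2] != b"BM":
        return findings  # no valid BMP header at all
    findings["magic_ok"] = True
    declared_size, _r1, _r2, pixel_offset = struct.unpack_from("<IHHI", data, 2)
    # A real encoder writes the true file size and an in-bounds pixel offset; a wrapped DLL rarely does.
    findings["size_ok"] = declared_size == len(data)
    findings["offset_ok"] = BMP_HEADER_LEN <= pixel_offset < len(data)
    body = data[pixel_offset:] if findings["offset_ok"] else data[BMP_HEADER_LEN:]
    # Uncompressed pixel data is repetitive; XOR-encoded code is close to random.
    findings["entropy"] = round(shannon_entropy(body), 2)
    findings["suspicious"] = not (findings["size_ok"] and findings["offset_ok"]
                                  and findings["entropy"] < entropy_threshold)
    return findings

def make_bmp(width: int, height: int, color: bytes = b"\x00\x00\xff") -> bytes:
    """Build a minimal valid 24-bit BMP (constructed sample input for the demo)."""
    row = color * width
    row += b"\x00" * ((4 - len(row) % 4) % 4)  # rows are padded to 4-byte multiples
    pixels = row * height
    dib = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                      len(pixels), 2835, 2835, 0, 0)
    offset = BMP_HEADER_LEN + len(dib)
    return struct.pack("<2sIHHI", b"BM", offset + len(pixels), 0, 0, offset) + dib + pixels

if __name__ == "__main__":
    # Constructed samples: a genuine image versus a 'BM'-prefixed blob of non-image bytes.
    print("genuine:", inspect_bmp(make_bmp(16, 16)))
    print("fake   :", inspect_bmp(b"BM" + bytes(range(256)) * 16))
```

A real detection pipeline would add checks against the DIB header (bit depth times dimensions versus actual size) and run the same logic on any "image" fetched by a freshly installed gaming utility.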
The capabilities of Winos4.0 show that it is a powerful framework that can easily control compromised systems. Researchers recommend that users download software only from qualified sources and avoid third-party app stores and websites. They also suggest regularly scanning devices with antivirus software, especially after downloading new files.
In office environments, workstations should be prevented from downloading and installing applications, to avoid unintentional malware installations.