
Void Arachne targets Chinese speakers with malicious MSI files


A new threat actor group, Void Arachne, has emerged with a sophisticated campaign targeting Chinese-speaking users. The group utilised malicious MSI files to distribute harmful payloads, masquerading as legitimate software installers for popular applications, including AI tools and VPNs.

Void Arachne’s strategy involves bundling legitimate software with malicious Winos payloads. These payloads are hidden within installers for AI software, voice-and-face-swapping tools, and applications that generate non-consensual deepfake adult content.

Winos 4.0 is sophisticated malware written in C++ and designed for the Windows platform. The implant offers many functionalities, including file management, DDoS capabilities, webcam control, screen capturing, process injection, and keylogging. It also supports remote shell access and system management, giving attackers comprehensive control over infected systems.

The Winos 4.0 implant has a modular architecture consisting of 23 internal plugins, each capable of performing specific tasks. Attackers can customize and extend these plugins, similar to the Cobalt Strike and Sliver frameworks, to enhance the malware’s adaptability and effectiveness.

“During this campaign, numerous malicious installer files were shared across several Telegram channels. We also saw attacker-controlled web servers distributing malicious files through search engine optimization (SEO) poisoning attacks. These MSI files act as backdoored installers, serving both the non-malicious software and the Winos 4.0 command-and-control (C&C) framework implant, which could lead to a full system compromise,” said researchers.

Additionally, the installers contain Simplified Chinese language packs, versions of Google Chrome, and VPNs such as LetsVPN and QuickVPN. Once installed, these MSI files also deploy a Winos backdoor, potentially compromising the entire system.

The attack chain explained. | Source: Trend Micro

Void Arachne leverages multiple distribution channels to spread their malicious installers. These channels include SEO poisoning and the use of attacker-controlled web servers to disseminate the infected files. The campaign also extends to several Telegram channels where malicious installer files are shared among large groups of Chinese-speaking users.

Void Arachne employs SEO poisoning techniques to increase the reach of their malicious software. They create spear-phishing links disguised as legitimate software installers, hosted on web servers designed to appear authentic. These links are engineered to rank highly on search engines, leading unsuspecting users to download the compromised MSI file.

One of the unique vectors observed in this campaign by researchers is the use of infected language packs for Telegram. Given the vast number of native Chinese speakers requiring localised software, this approach impacts a significant user base. The language pack appears legitimate but contains malware that compromises the victim’s system upon installation.

Cybersecurity researchers uncovered the intricate workings of the letvpn.msi malicious installer. This malware leverages Dynamic Link Libraries (DLL) to execute various nefarious activities during installation, from managing MSI package properties to configuring firewall rules.

Inbound firewall rules configuration. | Source: Trend Micro

The letvpn.msi installer begins by creating scheduled tasks and configuring firewall parameters, specifically utilising functions from NetFirewall.dll. These functions, OnFwConfig and OnFwInstall, are responsible for whitelisting inbound and outbound traffic associated with the malware for public network profiles, ensuring its uninterrupted operation.

One notable tactic employed by this malware is creating inbound firewall rules that allow unrestricted access to the infected system when connected to public networks. This configuration is vital for the malware’s persistence and communication capabilities.

The letvpn.msi installer also drops multiple hidden files, including a loader named LetsPro.exe, into the directory path C:\Program Files (x86)\Common Files\Microsoft Shared. This trojan loader decrypts and executes a second-stage payload in memory, following a specific procedure to handle encrypted data.

The loader employs the Rivest Cipher 4 (RC4) algorithm with a predefined key to decrypt the data, transforming it into executable code mapped into the system’s memory space.
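To see what the loader's decryption step amounts to, here is RC4 re-implemented the way an analyst would when unpacking a stage that a loader decrypts in memory with a hard-coded key. This is an added example, not code from the Trend Micro report or from the malware; the key and the "payload" bytes are constructed, and the only check it adds is the one an analyst wants before treating the output as a PE image: the decrypted buffer must start with the MZ DOS header, otherwise the key is wrong and the result is discarded.

```python
def rc4_keystream(key):
    """Generate the RC4 keystream for `key` (bytes). Standard KSA + PRGA."""
    # Key-scheduling algorithm (KSA): permute S using the key bytes.
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    # Pseudo-random generation algorithm (PRGA): one keystream byte per step.
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xFF]


def rc4(key, data):
    """RC4 is symmetric: the same call encrypts and decrypts `data` under `key`."""
    ks = rc4_keystream(key)
    return bytes(b ^ next(ks) for b in data)


def unpack_stage(key, blob):
    """Decrypt a captured blob with the key recovered from the loader.

    Returns the plaintext only if it carries the 'MZ' DOS header, i.e. looks
    like the PE image the loader would map into memory; returns None otherwise
    so a wrong key never gets mistaken for a payload.
    """
    out = rc4(key, blob)
    if out[:2] != b"MZ":
        return None
    return out


# Constructed sample (not from a real sample): a fake PE-like buffer encrypted
# under a constructed key, standing in for the blob an analyst would carve
# from the loader.
SAMPLE_KEY = b"constructed-key-not-from-sample"
SAMPLE_PLAIN = b"MZ" + b"\x90" * 14 + b"This program cannot be run in DOS mode."
SAMPLE_BLOB = rc4(SAMPLE_KEY, SAMPLE_PLAIN)

if __name__ == "__main__":
    recovered = unpack_stage(SAMPLE_KEY, SAMPLE_BLOB)
    print("recovered:", recovered is not None and recovered == SAMPLE_PLAIN)
    print("wrong key rejected:", unpack_stage(b"wrong key", SAMPLE_BLOB) is None)
```

The MZ check is cheap but catches the common analysis mistake of trusting a decryption routine that ran without error on the wrong key; the published RC4 test vector (key "Key", plaintext "Plaintext") is a good sanity check that the implementation itself is right before pointing it at a real blob.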

Upon executing the second-stage loader, the malware further entrenches itself by deploying a Visual Basic Script (VBScript). This script automates the creation of a scheduled task to maintain persistence. Additionally, the malware establishes a Windows service to ensure the VBScript’s execution at startup.

The malware also configures port forwarding and firewall rules via the netsh command, whitelisting its traffic for all network profiles. It sets up port 443 on the local machine to forward incoming connections to a specified destination server, facilitating seamless communication with its command and control (C&C) infrastructure.
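The two host-level changes described above (the public-profile inbound allow rule from the NetFirewall.dll step and the port 443 forwarder set up through netsh) both leave traces in netsh's own listings, which makes them a practical hunting target. The following is an added example, not code from the report: it parses the text that `netsh advfirewall firewall show rule name=all verbose` and `netsh interface portproxy show v4tov4` print and flags the entries a responder would want to look at. The sample output is constructed to mirror netsh's layout; the LetsPro.exe path is the one the article gives, and 203.0.113.10 is a documentation address standing in for a C&C host.

```python
import re

# Constructed sample of `netsh advfirewall firewall show rule name=all verbose`
# output (layout only). The LetsPro rule mirrors the behaviour described above.
FIREWALL_OUTPUT = """\
Rule Name:                            Core Networking - DNS (UDP-Out)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            Out
Profiles:                             Domain,Private,Public
Action:                               Allow
Program:                              C:\\Windows\\system32\\svchost.exe

Rule Name:                            LetsPro
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Public
Action:                               Allow
Program:                              C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\LetsPro.exe
"""

# Constructed sample of `netsh interface portproxy show v4tov4` output.
# 203.0.113.10 (TEST-NET-3) is a placeholder for an attacker-controlled host.
PORTPROXY_OUTPUT = """\

Listen on ipv4:             Connect to ipv4:

Address         Port        Address         Port
--------------- ----------  --------------- ----------
0.0.0.0         443         203.0.113.10    443
127.0.0.1       8080        127.0.0.1       80
"""

FIELD_RE = re.compile(r"^([^:]+?):\s*(.*)$")          # "Key:   value" lines
PROXY_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\S+)\s+(\d+)\s*$")  # addr port addr port


def parse_firewall_rules(text):
    """Split a netsh rule listing into one dict of fields per rule."""
    rules = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            m = FIELD_RE.match(line)
            if m:
                fields[m.group(1).strip()] = m.group(2).strip()
        if "Rule Name" in fields:
            rules.append(fields)
    return rules


def suspicious_firewall_rules(text):
    """Names of enabled inbound Allow rules active on the Public profile whose
    program lives outside the Windows directory (the pattern described above)."""
    hits = []
    for r in parse_firewall_rules(text):
        program = r.get("Program", "").lower()
        if (r.get("Enabled") == "Yes" and r.get("Direction") == "In"
                and r.get("Action") == "Allow"
                and "public" in r.get("Profiles", "").lower()
                and not program.startswith(("c:\\windows\\", "%systemroot%"))):
            hits.append(r["Rule Name"])
    return hits


def suspicious_portproxy(text):
    """portproxy entries that listen on 443 or forward to a non-loopback host,
    as (listen_addr, listen_port, dest_addr, dest_port) tuples."""
    hits = []
    for line in text.splitlines():
        m = PROXY_RE.match(line.strip())
        if not m:
            continue  # headers and separator lines do not match
        entry = (m.group(1), int(m.group(2)), m.group(3), int(m.group(4)))
        if entry[1] == 443 or not entry[2].startswith("127."):
            hits.append(entry)
    return hits


if __name__ == "__main__":
    print("firewall rules to review:", suspicious_firewall_rules(FIREWALL_OUTPUT))
    print("portproxy entries to review:", suspicious_portproxy(PORTPROXY_OUTPUT))
```

On a live host the same functions can be fed the real netsh output via `subprocess.run([...], capture_output=True, text=True).stdout`; the portproxy table is also persisted under the PortProxy key in the registry, so checking it from disk images works the same way once the entries are rendered as text.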

Winos 4.0 operating panel. | Source: Trend Micro

The second-stage loader deploys the Winos stager payload, which is responsible for downloading and executing the main implant. This stage uses a unique encryption key, generated using the timeGetTime() Windows API function, to secure its communications with the C&C server. The stager initialises its configuration and establishes an encrypted communication channel with the C&C server, facilitating the transfer of subsequent payloads and commands.

Researchers have urged users to follow general best practices, such as ensuring that their devices are up-to-date, downloading from official sources, and reporting any incident of attack to the Internet Crime Complaint Center (IC3).


Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me
