Winos4.0 is an advanced malware framework that disguises itself as gaming-related software, such as installation tools and speed boosters, to target the education sector. It was developed from the notorious Gh0st RAT malware and uses a modular design and advanced persistence mechanisms to infiltrate systems, evade detection, and establish deep-rooted control over infected machines.
The malware has already been deployed in some notable campaigns, including one called Silver Fox, placing students, educators, and administrators directly in its crosshairs.
The infection process starts innocuously, with users downloading seemingly legitimate gaming applications. Once launched, these apps pull a disguised file, lon2.bmp, from a remote server, which is decoded to reveal a DLL file named ‘you.dll.’
This file initiates the first stage of the attack by downloading additional files from the attacker’s server, each encrypted and stored in a randomly named folder within the Program Files directory. The files are then decrypted, giving the malware access to critical components such as the main malicious file ‘libcef.dll,’ which injects shellcode into the system.
Winos4.0 also incorporates advanced persistence mechanisms. The malware first checks for a specific system process. If that process is absent, it places a registry entry to ensure the malicious executable u72kOdQ.exe auto-starts with Windows. If the targeted process is detected, Winos4.0 instead uses a scheduled task to maintain persistence, executing commands at intervals with high privileges, which makes it exceptionally difficult to remove.
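As an added example, not code from the article or from the researchers it quotes, the PowerShell script below checks a Windows host for the two autostart styles described above: Run/RunOnce registry entries and scheduled tasks. It lists any entry whose command points at the reported u72kOdQ.exe, or at an executable or a single folder under Program Files with a random-looking name. The "random-looking" rule (six or more characters mixing digits, upper- and lower-case letters), the output layout and the reliance on the ScheduledTasks module (Windows 8 / Server 2012 and later) are assumptions of this script.

```powershell
# Added hunting script (not from the article): enumerate Run/RunOnce keys and
# scheduled tasks and list entries whose command looks like the persistence the
# article describes. The naming heuristic is an assumption; treat every hit as a
# triage candidate, not a verdict.

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Test-RandomLooking {
    # Assumption: 6+ characters mixing digits, upper- and lower-case letters
    # (u72kOdQ matches; most product or vendor folder names do not).
    param([string]$Name)
    return ($Name.Length -ge 6 -and $Name -cmatch '\d' -and
            $Name -cmatch '[A-Z]' -and $Name -cmatch '[a-z]')
}

function Get-CommandExecutable {
    # Pull the executable path out of a command line, honouring a quoted path.
    param([string]$Command)
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($Command.Trim() -split '\s+')[0]
}

function Test-SuspiciousCommand {
    param([string]$Command)
    if ([string]::IsNullOrWhiteSpace($Command)) { return $false }
    $exe  = Get-CommandExecutable $Command
    $leaf = (($exe -split '[\\/]')[-1]) -replace '\.[^.]+$', ''
    if ($leaf -eq 'u72kOdQ') { return $true }   # executable name reported in the article
    # Program Files\<folder>\... : the article says the folder itself is randomly named
    if ($exe -match '^[A-Za-z]:\\Program Files(?: \(x86\))?\\([^\\]+)\\') {
        if (Test-RandomLooking $Matches[1]) { return $true }
    }
    return (Test-RandomLooking $leaf)
}

function Get-RunKeyFindings {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $values = Get-ItemProperty -Path $key
        foreach ($prop in $values.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }    # provider metadata, not autoruns
            $cmd = [string]$prop.Value
            if (Test-SuspiciousCommand $cmd) {
                $scope = if ($key -like 'HKLM:*') { 'machine-wide' } else { 'current user' }
                [pscustomobject]@{
                    Source    = "Registry: $key"
                    Name      = $prop.Name
                    Privilege = $scope
                    Command   = $cmd
                }
            }
        }
    }
}

function Get-TaskFindings {
    # Get-ScheduledTask comes from the ScheduledTasks module (Windows 8 / Server 2012+).
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            $cmd = ("$($action.Execute) $($action.Arguments)").Trim()
            if (Test-SuspiciousCommand $cmd) {
                [pscustomobject]@{
                    Source    = "Task: $($task.TaskPath)$($task.TaskName)"
                    Name      = $task.Principal.UserId
                    Privilege = $task.Principal.RunLevel   # 'Highest' matches the high-privilege task described
                    Command   = $cmd
                }
            }
        }
    }
}

$findings = @(Get-RunKeyFindings) + @(Get-TaskFindings)
if ($findings.Count -eq 0) { Write-Host 'No suspicious autostart entries found.' }
else { $findings | Format-Table -AutoSize -Wrap }
```

Run it from an elevated PowerShell session so the HKLM keys and every task are readable. A hit only means the entry deserves a closer look: check the file's signature, creation time and the task's trigger interval before deciding it is malicious, since a legitimately installed product can also land in a folder with a digit-heavy name.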
After establishing persistence, Winos4.0 opens a connection to a remote command and control (C2) server. The malware retrieves a module identified as 上线模块.dll, which initiates further malicious actions. This module validates connections to the C2, continuously updating its address to evade detection. Furthermore, it checks for security monitoring tools or antivirus software, disabling or avoiding them if detected.
The final stages of the attack involve data exfiltration and surveillance. This includes logging clipboard content, capturing screenshots, and monitoring for sensitive Chrome extensions like OKX Wallet and MetaMask, indicating the malware’s interest in crypto-related data.
Through encoded messages, it continually reports to the C2 server, allowing attackers to issue commands and download additional plugins for screen capturing or document management.
Notably, analysis of the malware’s files reveals a probable focus on the education sector. Researchers note that Winos4.0’s DLL files carry descriptors like Campus Administration and Student Registration System, suggesting that educational organisations may be a primary target.
The attackers likely aim to access sensitive student and administrative data, underscoring the importance of cybersecurity in educational institutions.
“Winos4.0 is a powerful framework, similar to Cobalt Strike and Sliver, that can support multiple functions and easily control compromised systems. Threat campaigns leverage game-related applications to lure a victim to download and execute the malware without caution and successfully deploy deep control of the system,” researchers concluded. “Users should be aware of any new application’s source and only download the software from qualified sources.”