A new malicious software framework, “Winos4.0,” has been discovered embedded in game-related applications targeting Windows users.
According to researchers at FortiGuard Labs, this malware framework is a sophisticated variant derived from Gh0strat. Winos4.0 can execute multiple actions remotely and provides attackers with extensive control over affected systems.
The malware operates by distributing game-related applications, such as installation tools and performance boosters, to gain initial access to target devices.
Once a user installs one of these applications, it downloads a seemingly benign BMP file from a remote server, which then extracts and activates the Winos4.0 DLL file. The malware’s first stage creates an environment to deploy additional modules and establishes persistence on the infected machine by creating registry keys or scheduled tasks.
Winos4.0’s Advanced Capabilities and Security Threats
In the following stages, the framework decodes hidden files to inject shellcode and load various modules essential for controlling compromised systems. Key functions include clipboard monitoring, system information gathering and checking for antivirus software, crypto wallet extensions and other security applications.
This sophisticated framework also targets educational organizations, with file descriptions indicating a possible focus on “Campus Administration” functions.
Further analysis reveals that Winos4.0 communicates with command-and-control (C2) servers to download encrypted modules. It retrieves the C2 server addresses from specific registry keys, enabling it to log in and maintain connectivity.
This connection allows the malware to receive commands and download modules to perform actions such as document management, screen capture and environment monitoring, among other surveillance functions.
“Winos4.0 is a powerful framework, similar to Cobalt Strike and Sliver, that can support multiple functions and easily control compromised systems,” Fortinet warned.
“The entire attack chain involves multiple encrypted data and lots of C2 communication to complete the injection. Users should be aware of any new application’s source and only download the software from qualified sources.”