Researchers at Fortinet have observed multiple samples of an advanced malware, Winos 4.0, hidden within gaming-related applications such as speed boosters, optimization utilities, and installation tools.
Winos is an advanced malware with several components handling distinct functions that collectively give the attacker complete control over the victim’s machine. The malware is similar to CobaltStrike and Sliver, both of which are legitimate tools which can be used for malicious purposes and have been favourites of cybercriminals for a long time now. Most prominently, Winos has been used in the Sliver Fox campaign which is suspected to be linked to the Chinese Government.
To fully grasp how Winos 4.0 infiltrates and compromises your computer, it is important to understand the series of steps it takes from initial infection to complete control. This sequence, known as the attack chain, outlines how the malware is delivered, executed, and ultimately used to exploit your system. Let’s break down each stage to see how seemingly harmless gaming applications can become gateways for such advanced threats.
The Attack Chain
Speed and optimisation are one thing all gamers are obsessed with, and you might relate to this yourself. Video games are generally heavy-duty applications that consume a lot of processing power, making a computer slow down significantly. In order to overcome this, many gamers look for methods to increase their computers’ gaming performance. This Winos 4.0 malware campaign preys on the need for optimised gaming experiences by creating fake applications that claim to speed up your computer by optimising its processing power but in reality are mere vehicles for the delivery of malware to unsuspecting victims. Additionally, the campaign makes use of installation tools in the same manner enabling them to bypass basic security checks, increasing the likelihood of successful infection.
Be it the optimisation or the installation tools, once the user runs the application, it performs a series of file retrievals from a remote server which are then decoded to finally yield the malware. The malware will then establish persistence as its first action i.e. make sure it can reactivate itself if the machine is restarted and also in some cases reinstall itself in case it is kicked out and then establish contact with the Command and Control(C2) server which is used by the attacker to control what it does.
Capabilities of Winos 4.0
As mentioned before, Winos 4.0 is not just a malware but rather a framework similar to Cobalt Strike and Sliver. Here are some features that it offers:
- Advanced Command-and-Control (C&C) Framework: Winos 4.0 has a robust architecture that allows it to maintain efficient control over numerous online endpoints, facilitating a range of malicious activities.
- Modular Components: This malware is built from the Gh0st RAT framework and includes several modular components, each designed to perform specific functions, enhancing its versatility and effectiveness in executing attacks.
- Plugin Delivery System: Winos 4.0 can deliver additional plugins from its C&C server, enabling it to capture screenshots and upload sensitive documents from infected devices.
- Multi-Stage Infection Process: The infection begins when users run malicious game-related applications, triggering a series of downloads and unpacking routines to establish the malware’s presence on the system.
- Payload Delivery: After initial execution, Winos 4.0 retrieves and decodes files from remote servers to set up its operational environment, which includes downloading additional payloads necessary for its malicious activities.
Checking for Infection, Prevention, and Mitigation
Checking for Infection
To determine if your system has been infected with Winos 4.0 malware, you can follow several steps that involve checking for unusual behaviour, examining specific files, and utilizing security tools. Here’s how to effectively check for an infection:
- Unusual Performance: Look for signs of slow performance, unexpected crashes, or applications that take longer to load than usual.
- Unexpected Network Activity: Check for unusual network traffic or connections to unknown servers, especially those associated with command-and-control (C&C) servers.
- Review Recent Installations: Go through your installed applications and look for any that you do not recognize or that were installed without your knowledge. Pay particular attention to game optimization tools or installation utilities.
- Malicious File Names: Be cautious of files with suspicious names or extensions, such as those mimicking legitimate software but containing terms like “优化” (optimization) or “安装” (installation).
- Open the Registry Editor (type
regeditin the Run dialog) and navigate to look for entries that reference suspicious executables or DLLs related to Winos 4.0. - Use file integrity monitoring tools to track changes in critical system files and directories.
- If you suspect specific files are infected, check them against known malware databases like VirusTotal.
Prevention and Mitigation
- Keep Software Up-to-Date: Regularly update your operating system, antivirus, and other software to stay protected against new security threats. Turn on automatic updates to make this easier.
- Use Antivirus Software: Install trusted antivirus software and keep it updated. It can catch and remove malicious files that might slip through other defenses.
- Secure Your Network: Turn on your firewall to block harmful connections. If possible, use a secure router with built-in security features to protect all devices on your network. Here’s a FREE Guide to refer to.
- Limit Unknown Programs: Avoid installing unknown or untrusted applications, especially from unofficial sources. Stick to well-known and verified software sources to avoid accidentally installing malware.
- Watch for Unusual File Changes: Use security tools that monitor for unexpected changes to important system files. Also, regularly check your computer for any unusual files or programs that you don’t remember installing.
- Strengthen Account Security: Limit access by using strong, unique passwords for each account, and enable two-factor authentication (2FA) when available for added protection.
- Learn About Scams and Phishing: Be aware of phishing emails and suspicious links or attachments. Regularly refresh your knowledge on identifying phishing scams, which are common ways for malware to get into your system.
- Regular Backups: Frequently back up your important data to an external drive or cloud service. If malware does get in, this will allow you to restore your files safely without paying a ransom or losing data.
- Stay Informed on New Threats: Subscribe to security updates from trusted sources, like your antivirus provider, to stay informed on new risks and how to avoid them.
- Report Suspicious Activity: If you notice any unusual behaviour on your computer, such as new programs you didn’t install or slower performance, scan your device with antivirus software and take steps to secure your accounts.
In conclusion, the Winos 4.0 malware campaign demonstrates how seemingly innocent gaming apps and optimization tools can be repurposed to infect users’ computers. While this malware specifically targets Chinese-speaking users, it employs common tactics that anyone could encounter, such as posing as legitimate software, establishing hidden network connections, and using deceptive file names. Recognizing the risks associated with downloading unverified apps—especially those promising performance boosts or game enhancements—can help us stay safer online. By staying alert to unusual system behaviour, using trusted sources for downloads, and keeping security software up-to-date, we can protect our devices from threats like Winos 4.0. Ultimately, awareness and careful downloading habits are key to defending against malware disguised as helpful gaming tools.