A significant cybersecurity threat has emerged targeting enterprises in Taiwan, characterized by a new strain of malware known as Winos 4.0. This malware is disseminated through phishing emails disguised as communications from the National Taxation Bureau of Taiwan.

The malicious campaign was first identified last month by Fortinet’s FortiGuard Labs, marking a distinct shift from earlier attack methods that primarily employed compromised gaming applications as vectors for infection.

According to security analyst Pei Han Liao, the ruse involves sending an email that claims the attached file contains a list of companies scheduled for tax inspection, urging the recipient to share this information with their corporate treasurer. This attachment is designed to resemble an official document from the Ministry of Finance and encourages users to download it.

However, this seemingly innocuous file is actually a ZIP archive containing a malicious DLL file named “lastbld2Base.dll”. Once executed, this component sets off a chain reaction that leads to the execution of shellcode, ultimately retrieving a Winos 4.0 module from a remote server located at “206.238.221[.]60”. This module is employed to harvest sensitive information.
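As an added illustration (not code from the article, Fortinet, or the malware authors), the following defender-side triage script inspects a ZIP attachment for DLL members and scans proxy log lines for the remote server address the article cites; the ZIP contents and log lines are constructed samples, and the log format is an assumption.

```python
import io
import re
import zipfile

# Indicators taken from the article; the IP appears there defanged as "206.238.221[.]60".
C2_DEFANGED = "206.238.221[.]60"
SUSPICIOUS_DLL = "lastbld2Base.dll"


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('[.]' for '.', 'hxxp' for 'http') into a matchable value."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def dll_entries(zip_bytes: bytes) -> list[str]:
    """List DLL members of a ZIP attachment by reading the central directory only (no extraction)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [name for name in zf.namelist() if name.lower().endswith(".dll")]


def triage_attachment(zip_bytes: bytes) -> dict:
    """Flag an attachment that carries any DLL, and specifically the DLL name from the article."""
    dlls = dll_entries(zip_bytes)
    basenames = [name.rsplit("/", 1)[-1].lower() for name in dlls]
    return {"dll_members": dlls, "known_bad_name": SUSPICIOUS_DLL.lower() in basenames}


def find_c2_hits(log_lines: list[str], c2_defanged: str = C2_DEFANGED) -> list[str]:
    """Return log lines whose destination is exactly the refanged C2 address (no partial octet matches)."""
    pattern = re.compile(r"(?<![\d.])" + re.escape(refang(c2_defanged)) + r"(?![\d.])")
    return [line for line in log_lines if pattern.search(line)]


def build_sample_zip() -> bytes:
    """Constructed sample attachment: a decoy document name plus a DLL named as in the article."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notice.pdf", b"placeholder decoy, not a real document")
        zf.writestr("lastbld2Base.dll", b"MZ placeholder, not real code")
    return buf.getvalue()


# Constructed proxy log lines (assumed format); only the first one is a true hit.
SAMPLE_LOG = [
    "2025-02-27T09:12:01Z proxy CONNECT 206.238.221.60:443 user=alice",
    "2025-02-27T09:12:05Z proxy CONNECT 203.0.113.7:443 user=bob",
    "2025-02-27T09:13:10Z proxy CONNECT 10.206.238.221.60:80 user=carol",
]

if __name__ == "__main__":
    print(triage_attachment(build_sample_zip()))
    print(find_c2_hits(SAMPLE_LOG))
```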

The login module inherent in Winos 4.0 is multifaceted, capable of taking screenshots, logging keystrokes, altering clipboard contents, monitoring USB devices, executing shellcode, and facilitating commands that require elevated privileges, particularly in response to security prompts from Kingsoft Security and Huorong.

Fortinet has also indicated that it has detected concurrent attack vectors that download an online module capable of capturing screenshots from WeChat and online banking platforms.

The Winos 4.0 malware has been associated with an intrusion set also known as Void Arachne and Silver Fox. It overlaps with another remote access trojan, ValleyRAT, which has drawn interest due to its shared lineage with Gh0st RAT, a tool developed in China and released as open source in 2008. Forescout's Head of Security Research, Daniel dos Santos, elaborates on the evolution of these tools, noting that they have been consistently adapted and varied by different actors over time.

ValleyRAT, identified in early 2023, has reportedly used fake Chrome sites to infect users in Chinese-speaking regions, marking a shift towards exploiting vulnerabilities in trusted applications to achieve infection through drive-by downloads.

The recent disclosures reveal that attack chains involving Winos 4.0 utilize a CleverSoar installer, often bundled as fake software or gaming applications. Alongside Winos 4.0, the CleverSoar deployment also integrates the open-source Nidhogg rootkit.

Rapid7’s latest findings illustrate that this CleverSoar installer tailors its deployment based on user language settings, primarily targeting individuals who speak Chinese or Vietnamese. If the installer detects an unrecognized language, it promptly aborts, indicating a clear focus on specific regional targets.

Additionally, the Silver Fox APT group is reportedly involved in a new campaign distributing trojanized versions of Philips DICOM viewers, which deploy ValleyRAT. This methodology has seen the incorporation of a keylogger and a cryptocurrency miner within the infected systems. The attacks utilize a known vulnerability in the TrueSight driver to disable antivirus protections.

This multifaceted approach highlights the ongoing evolution of cyber threats, leveraging sophisticated techniques to achieve remote access, data exfiltration, and resource exploitation on victim machines. Business owners should remain vigilant, employing robust cybersecurity measures to safeguard against these emerging risks.
