Winos4.0 RAT Targets Gamers and Educational Institutions in New Malware Campaign

Threat Group: Unknown
Threat Type: Remote Access Trojan (RAT)
Exploited Vulnerabilities: Social engineering through gaming-related applications targeting Windows
Malware Used: Winos4.0
Threat Score: High (8.5/10) — due to its sophisticated evasion, control functions, and targeting of gaming and educational sectors
Last Threat Observation: November 6, 2024, by FortiGuard Labs


Overview

Winos4.0, a new RAT framework based on Gh0strat, is spreading through gaming-related applications. FortiGuard Labs recently identified it embedded in installation tools, performance boosters, and optimization utilities. This RAT's modular structure allows it to execute a wide range of functions, from environment checks to system monitoring and backdoor control. During its campaign, the malware seems to have also targeted educational users, as evidenced by file names and descriptions in its payload.


Key Details

Delivery Method: Game-related applications like speed boosters and installers
Target: Windows systems, especially in gaming and educational sectors
Functions:

  • Antivirus checks for active security tools
  • System reconnaissance, gathering user data and network information
  • Screenshot capturing for continuous monitoring
  • Clipboard hijacking and crypto wallet scanning for OKX and MetaMask extensions
  • Persistence establishment using scheduled tasks or registry modifications

Obfuscation: XOR encryption, modular components, environment checks for monitoring software


Attack Vectors

Winos4.0 infects systems through gaming applications, masquerading as tools like installation aids. Upon execution, it downloads a BMP file from a command-and-control (C2) server to initiate infection. The BMP file, encoded via XOR, activates a DLL ("you.dll"), starting the infection chain.

  1. Execution and Persistence: The DLL file creates a folder in “C:\Program Files (x86)” and drops additional encrypted files.
  2. Scheduled Tasks/Registry Modifications: Sets up persistence by creating scheduled tasks named “Window Defender Uqdata” or modifying registry entries.
  3. C2 Communication: Connects to C2 server (202[.]79[.]173[.]4) over TCP, allowing attackers to control the compromised system.
  4. Module Injection: Downloads modules from C2, enabling full remote control, including document management and live system monitoring.

Known Indicators of Compromise (IoCs)

URLs:

  • hxxp://ad59t82g[.]com/1/lon2[.]bmp
  • hxxp://ad59t82g[.]com/1/text[.]bmp
  • hxxp://ad59t82g[.]com/1/d[.]bmp
  • hxxp://ad59t82g[.]com/1/t2[.]bmp
  • hxxp://ad59t82g[.]com/1/h[.]bmp

Domains:

  • ad59t82g[.]com

IP Addresses:

  • 202[.]79[.]173[.]4

SHA256 Hashes:


Mitigation and Prevention

  • User Awareness: Educate users on avoiding downloads from untrusted sources.
  • Email Filtering: Implement email filtering to reduce phishing distribution.
  • Antivirus Protection: Ensure antivirus is up-to-date to detect Winos4.0.
  • Two-Factor Authentication (2FA): Use 2FA for critical systems.
  • Monitor Logs: Regularly review logs for anomalies in user behavior or unusual network connections.
  • Regular Updates: Ensure all software is current with patches applied.
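A defender-side check for the "Monitor Logs" item above: this added example (not code from the advisory or from FortiGuard) refangs the indicators published above and flags any log line that references one of them, including the scheduled-task name used for persistence. The log field layout and the sample lines are constructed assumptions, not real telemetry.

```python
import re

# Indicators copied from the advisory, kept in the defanged form it publishes.
# File hashes would be matched against EDR/AV telemetry separately, not log text.
DEFANGED_IOCS = {
    "url": [
        "hxxp://ad59t82g[.]com/1/lon2[.]bmp",
        "hxxp://ad59t82g[.]com/1/text[.]bmp",
        "hxxp://ad59t82g[.]com/1/d[.]bmp",
        "hxxp://ad59t82g[.]com/1/t2[.]bmp",
        "hxxp://ad59t82g[.]com/1/h[.]bmp",
    ],
    "domain": ["ad59t82g[.]com"],
    "ip": ["202[.]79[.]173[.]4"],
    "task": ["Window Defender Uqdata"],  # scheduled task name from the persistence step
}

def refang(ioc: str) -> str:
    """Turn a defanged indicator (hxxp, [.]) back into its matchable form."""
    return ioc.replace("hxxp", "http").replace("[.]", ".")

def build_matchers():
    """Compile one anchored, case-insensitive pattern per indicator.
    The boundaries stop 202.79.173.4 from matching 202.79.173.41 and so on."""
    out = []
    for kind, vals in DEFANGED_IOCS.items():
        for v in vals:
            live = refang(v)
            rx = re.compile(r"(?<![\w.-])" + re.escape(live) + r"(?![\w-])", re.IGNORECASE)
            out.append((kind, live, rx))
    return out

MATCHERS = build_matchers()

def scan_log(lines):
    """Return (line_no, kind, indicator) for every indicator found in each line."""
    hits = []
    for n, line in enumerate(lines, 1):
        for kind, live, rx in MATCHERS:
            if rx.search(line):
                hits.append((n, kind, live))
    return hits

# Constructed sample lines (proxy, DNS, firewall, task-creation audit event).
SAMPLE_LOG = [
    "2024-11-06T10:01:02Z proxy src=10.0.5.21 method=GET url=http://ad59t82g.com/1/lon2.bmp status=200",
    "2024-11-06T10:01:03Z dns client=10.0.5.21 query=ad59t82g.com type=A",
    "2024-11-06T10:01:09Z fw action=allow proto=tcp src=10.0.5.21 dst=202.79.173.4 dport=443",
    "2024-11-06T10:02:15Z security EventID=4698 TaskName=\\Window Defender Uqdata Account=DESKTOP-01\\user",
    "2024-11-06T10:03:00Z proxy src=10.0.5.22 method=GET url=https://example.org/index.html status=200",
]

if __name__ == "__main__":
    for line_no, kind, ioc in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {kind} indicator {ioc}")
```

A URL hit also produces a domain hit for the same line, which is intended: the domain rule still fires on lines where only the host is logged, such as DNS queries.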

Conclusion

Winos4.0 is a robust RAT with significant control capabilities over compromised Windows systems, posing an ongoing risk, especially to gaming and educational users. Organizations should implement security practices to detect and mitigate the threat effectively, keeping systems secure from unauthorized remote access.


Sources