Winos4.0 RAT Targets Gamers and Educational Institutions in New Malware Campaign
Threat Group: Unknown
Threat Type: Remote Access Trojan (RAT)
Exploited Vulnerabilities: Social engineering through gaming-related applications targeting Windows
Malware Used: Winos4.0
Threat Score: High (8.5/10) — due to its sophisticated evasion, control functions, and targeting of gaming and educational sectors
Last Threat Observation: November 6, 2024, by FortiGuard Labs
Overview
Winos4.0, a new RAT framework based on Gh0strat, is spreading through gaming-related applications. FortiGuard Labs recently identified it embedded in installation tools, performance boosters, and optimization utilities. This RAT's modular structure allows it to execute a wide range of functions, from environment checks to system monitoring and backdoor control. During its campaign, the malware seems to have also targeted educational users, as evidenced by file names and descriptions in its payload.
Key Details
Delivery Method: Game-related applications like speed boosters and installers
Target: Windows systems, especially in gaming and educational sectors
Functions:
- Antivirus checks for active security tools
- System reconnaissance, gathering user data and network information
- Screenshot capturing for continuous monitoring
- Clipboard hijacking and crypto wallet scanning for OKX and MetaMask extensions
- Persistence establishment using scheduled tasks or registry modifications
Obfuscation: XOR encryption, modular components, environment checks for monitoring software
Attack Vectors
Winos4.0 infects systems through gaming applications, masquerading as tools like installation aids. Upon execution, it downloads a BMP file from a command-and-control (C2) server to initiate infection. The BMP file, encoded via XOR, activates a DLL ("you.dll"), starting the infection chain.
- Execution and Persistence: The DLL file creates a folder in “C:\Program Files (x86)” and drops additional encrypted files.
- Scheduled Tasks/Registry Modifications: Sets up persistence by creating scheduled tasks named “Window Defender Uqdata” or modifying registry entries.
- C2 Communication: Connects to the C2 server (202[.]79[.]173[.]4) over TCP, allowing attackers to control the compromised system.
- Module Injection: Downloads modules from C2, enabling full remote control, including document management and live system monitoring.
Known Indicators of Compromise (IoCs)
URLs:
hxxp://ad59t82g[.]com/1/lon2[.]bmp
hxxp://ad59t82g[.]com/1/text[.]bmp
hxxp://ad59t82g[.]com/1/d[.]bmp
hxxp://ad59t82g[.]com/1/t2[.]bmp
hxxp://ad59t82g[.]com/1/h[.]bmp
Domains:
ad59t82g[.]com
IP Addresses:
202[.]79[.]173[.]4
SHA256 Hashes:
Mitigation and Prevention
- User Awareness: Educate users on avoiding downloads from untrusted sources.
- Email Filtering: Implement email filtering to reduce phishing distribution.
- Antivirus Protection: Ensure antivirus is up-to-date to detect Winos4.0.
- Two-Factor Authentication (2FA): Use 2FA for critical systems.
- Monitor Logs: Regularly review logs for anomalies in user behavior or unusual network connections.
- Regular Updates: Ensure all software is current with patches applied.
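As an added example (not code from FortiGuard Labs or this advisory), the following Python applies the indicators above to Sysmon-style event lines, covering the scheduled task, C2 address, C2 domain and dropped DLL described under Attack Vectors and the log review recommended under Monitor Logs. The sample events, the process names and the folder name under Program Files (x86) are constructed for illustration; only the indicators come from the advisory.

```python
import re

# Indicators from the advisory above (defanged values written plainly for matching).
C2_IP = "202.79.173.4"
C2_DOMAIN = "ad59t82g.com"
TASK_NAME = "window defender uqdata"   # compared case-insensitively
DROP_DIR = "c:\\program files (x86)\\"

# Constructed Sysmon-style key=value events (not real telemetry); process and folder names are made up.
SAMPLE_LOG = """\
EventID=4698 TaskName="\\Window Defender Uqdata" SubjectUserName=user
EventID=3 Image="C:\\Users\\user\\Downloads\\speedboost.exe" DestinationIp=202.79.173.4 DestinationPort=443
EventID=22 Image="C:\\Users\\user\\Downloads\\speedboost.exe" QueryName=ad59t82g.com
EventID=11 Image="C:\\Users\\user\\Downloads\\speedboost.exe" TargetFilename="C:\\Program Files (x86)\\example\\you.dll"
EventID=3 Image="C:\\Windows\\System32\\svchost.exe" DestinationIp=13.107.4.50 DestinationPort=443
EventID=11 Image="C:\\Windows\\System32\\msiexec.exe" TargetFilename="C:\\Program Files (x86)\\Vendor\\app.dll"
"""

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_event(line):
    """Split one key=value line into a dict; quoted values may contain spaces."""
    return {k: (q if q else u) for k, q, u in FIELD_RE.findall(line)}

def classify(ev):
    """Return a finding label if the event matches a Winos4.0 indicator, else None."""
    eid = ev.get("EventID")
    if eid == "4698" and TASK_NAME in ev.get("TaskName", "").lower():
        return "persistence: scheduled task named like 'Window Defender Uqdata'"
    if eid == "3" and ev.get("DestinationIp") == C2_IP:
        return "network: TCP connection to known C2 address"
    if eid == "22":
        name = ev.get("QueryName", "").lower().rstrip(".")
        if name == C2_DOMAIN or name.endswith("." + C2_DOMAIN):
            return "network: DNS lookup of known C2 domain"
    if eid == "11":
        path = ev.get("TargetFilename", "").lower()
        if path.startswith(DROP_DIR) and path.endswith("\\you.dll"):
            return "file: you.dll dropped under Program Files (x86)"
    return None

def scan_log(text):
    """Classify every non-empty line; return [(line_number, finding), ...]."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if line.strip():
            label = classify(parse_event(line))
            if label:
                findings.append((n, label))
    return findings
```

Running scan_log(SAMPLE_LOG) flags the first four constructed events and leaves the benign svchost.exe and msiexec.exe events alone; the same rules can be fed exported Sysmon or Security log lines in this key=value form.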
Conclusion
Winos4.0 is a robust RAT with significant control capabilities over compromised Windows systems, posing an ongoing risk, especially to gaming and educational users. Organizations should implement security practices to detect and mitigate the threat effectively, keeping systems secure from unauthorized remote access.