Silver Fox APT uses Winos 4.0 malware in cyberattacks against Taiwanese organizations


February 27, 2025Ravi LakshmananMalware/Threat Intelligence

A new campaign is targeting Taiwanese businesses with malware known as Winos 4.0, delivered through phishing emails that impersonate the country's national tax office.

The campaign, detected last month by Fortinet FortiGuard Labs, marks a departure from previous attack chains that leveraged malicious game-related applications.

“The sender claimed that the attached malicious file was a list of companies scheduled for tax inspections, and asked the recipient to transfer the information to the company’s treasurer,” security researcher Pei Han Liao said in a report shared with The Hacker News.

The attachment mimics an official Treasury document and urges recipients to download the list of companies scheduled for tax inspections.


In reality, the list is a ZIP file containing a malicious DLL (“lastbld2base.dll”) that lays the groundwork for the next attack stage: the execution of shellcode that downloads Winos 4.0 modules from a remote server (“206.238.221[.]60”) to collect sensitive data.
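As a defensive illustration added here (not code from Fortinet's report or the original article), the Python below triages a ZIP attachment in memory for executable members, including the DLL named above, and searches connection logs for the published server address. The sample archive, the `src=`/`dst=` log layout and all function names are assumptions constructed for the example.

```python
import io
import ipaddress
import re
import zipfile

# Indicators as published in the article (the IP stays defanged in source).
KNOWN_DLL = "lastbld2base.dll"
KNOWN_C2 = "206.238.221[.]60"
EXECUTABLE_EXT = (".dll", ".exe", ".scr", ".lnk", ".msi")
LOG_RE = re.compile(r"src=(\S+) dst=(\S+)")  # assumed log layout

def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 1.2.3[.]4 into matchable form."""
    return indicator.replace("[.]", ".")

def triage_zip(data: bytes) -> list:
    """Inspect a ZIP attachment in memory; nothing is extracted to disk."""
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not-a-valid-zip"]
    findings = []
    for info in archive.infolist():
        # Compare on the lower-cased base name so paths and case do not hide it.
        base = info.filename.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if base == KNOWN_DLL:
            findings.append("known-ioc-dll:" + info.filename)
        elif base.endswith(EXECUTABLE_EXT):
            findings.append("executable-member:" + info.filename)
    return findings

def hosts_contacting_c2(log_lines) -> set:
    """Return source hosts whose destination is exactly the C2 address."""
    c2 = ipaddress.ip_address(refang(KNOWN_C2))
    hits = set()
    for line in log_lines:
        match = LOG_RE.search(line)
        try:
            if match and ipaddress.ip_address(match.group(2)) == c2:
                hits.add(match.group(1))
        except ValueError:  # destination is a hostname or malformed
            continue
    return hits

def build_sample_zip() -> bytes:
    """Constructed sample: placeholder bytes stored under suspicious names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in ("list/readme.txt", "list/LastBLD2Base.dll", "list/viewer.exe"):
            zf.writestr(name, b"constructed placeholder")
    return buf.getvalue()
```

Parsing the destination as an IP address, rather than substring matching, keeps a near-miss such as `206.238.221.6` from producing a hit.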

A component described as a login module can take screenshots, log keystrokes, modify clipboard content, monitor connected USB devices, run shellcode, and allow sensitive actions (such as cmd.exe) to proceed when security prompts from Kingsoft Security and Huorong appear.

Fortinet also observed a second attack chain that downloads an online module that can capture screenshots of WeChat and online banks.

It is worth noting that the Arachne and Silver Fox monikers are assigned to intrusion sets that distribute Winos 4.0 malware. The malware also overlaps with another remote access trojan tracked as ValleyRAT.

“Both come from the same source: Gh0st RAT, developed in China and open-sourced in 2008,” Daniel Dos Santos, head of security research at Forescout's Vedere Labs, told The Hacker News.

“Winos and ValleyRAT are variations of Gh0st RAT attributed to Silver Fox by various researchers at various points. Winos was commonly used in 2023 and 2024, while ValleyRAT is more commonly used.”

ValleyRAT, first identified in early 2023, was recently observed using fake Chromium sites as a conduit to infect Chinese-speaking users. A similar drive-by download scheme has also been adopted to deliver Gh0st RAT.

Additionally, the Winos 4.0 attack chain incorporates what is called the CleverSoar installer, which is run by MSI installer packages distributed as fake software or game-related applications. It is also dropped along with Winos 4.0 via CleverSoar.


“The CleverSoar installer [...] checks the user’s language settings to see if they are set to Chinese or Vietnamese,” Rapid7 said in late November 2024. “If the language is not recognized, the installer will terminate and effectively prevent infection. This action strongly suggests that threat actors are primarily targeting victims in these regions.”

The disclosure comes as the Silver Fox APT has been linked to a new campaign that leverages a trojanized version of Philips DICOM viewers to deploy ValleyRAT. In particular, this attack has been found to disable antivirus software using a vulnerable version of the TrueSight driver.

“The campaign leverages trojanized DICOM viewers as lures to infect victim systems with a backdoor (ValleyRAT) for remote access and control, a keylogger to capture user activity and credentials, and a crypto miner that uses system resources for financial gain,” Forescout said.
