Chinese-speaking users are the target of a never-before-seen threat activity cluster codenamed Void Arachne that employs malicious Windows Installer (MSI) files for virtual private networks (VPNs) to deliver a command-and-control (C&C) framework called Winos 4.0.
"The campaign also promotes compromised MSI files embedded with nudifiers and deepfake pornography-generating software, as well as AI voice and facial technologies," Trend Micro researchers Peter Girnus, Aliakbar Zahravi, and Ahmed Mohamed Ibrahim said in a technical report published today.
"The campaign uses [Search Engine Optimization] poisoning tactics and social media and messaging platforms to distribute malware."
The security vendor, which discovered the new threat actor group in early April 2024, said the attacks involve advertising what appear to be installers for popular software such as Google Chrome, LetsVPN, QuickVPN, and a Simplified Chinese language pack for Telegram, which in fact deliver Winos. Alternate attack chains leverage backdoored installers propagated on Chinese-language-themed Telegram channels.
The links surfaced via black hat SEO tactics point to dedicated infrastructure set up by the adversary to stage the installers in the form of ZIP archives. For attacks targeting Telegram channels, the MSI installers and ZIP archives are directly hosted on the messaging platform.
The use of a malicious Chinese language pack is notable not least because of the very large pool of Simplified Chinese Telegram users it could reach. Other lures purport to offer tools for generating non-consensual deepfake pornographic videos for use in sextortion scams, AI technologies that could be used for virtual kidnapping, and voice-altering and face-swapping tools.
The installers are designed to modify firewall rules to allow-list inbound and outbound traffic associated with the malware when connected to public networks.
The installer also drops a loader that decrypts and executes a second-stage payload in memory. That payload launches a Visual Basic Script (VBS) to set up persistence on the host and trigger the execution of an unknown batch script, and it delivers the Winos 4.0 C&C framework by means of a stager that establishes C&C communications with a remote server.
An implant written in C++, Winos 4.0 is equipped to carry out file management, distributed denial of service (DDoS) using TCP/UDP/ICMP/HTTP, disk search, webcam control, screenshot capture, microphone recording, keylogging, and remote shell access.
Underscoring the intricacy of the backdoor is a plugin-based architecture that implements these features through a set of 23 dedicated components, each compiled in 32- and 64-bit variants. It can be further extended with external plugins that the threat actors integrate as their needs dictate.
The core component of Winos acts as the main orchestrator: it loads the plugins, clears system logs, and downloads and executes additional payloads from a supplied URL. It also includes routines to detect the presence of security software prevalent in China.
"Internet connectivity in the People's Republic of China is subject to strict regulation through a combination of legislative measures and technological controls collectively known as the Great Firewall of China," the researchers pointed out.
"Due to strict government control, VPN services and public interest in this technology have notably increased. This has, in turn, enhanced threat actors' interest in exploiting the heightened public interest in software that can evade the Great Firewall and online censorship."
Update
The KnownSec 404 Team, in a follow-up analysis published on July 9, 2024, said it observed a cybercrime threat actor it tracks as Silver Fox leveraging the Winos malware as part of social engineering attacks impersonating Chinese national institutions and security companies like Sangfor.
"Previously, Silver Fox’s activities primarily targeted tax and finance personnel by impersonating tax-related links and websites," it said.
"However, the targets of this recent attack are very different from the previous ones, indicating a departure from typical cybercrime activities. There's a possibility that this attack involves a deliberate attempt by an APT group to blend in with cybercrime activities for covert purposes."