This dangerous new malware affects Windows devices by hiding in games
- Security researchers discover a new malware framework called Winos4.0
- It can monitor the clipboard, collect system information and more
- The attackers appear to be targeting the education sector
Experts have discovered a new malicious software framework that targets Windows users by hiding in games and gaming-related software.
A report from cybersecurity researchers FortiGuard Labs, which dubbed the framework ‘Winos4.0’, claims that hackers have advertised various installation tools, performance boosters, optimizers and similar fake software that actually infects the targets with Winos4.0, an advanced version of Gh0strat.
Winos4.0 can monitor the clipboard, collect system information, check for antivirus software, retrieve information from cryptocurrency wallet extensions and more.
Winos4.0 attacks
Usually, software frameworks like this can cause a lot of damage. Compared to ‘simple’ malware, a framework provides an environment for deploying, managing and controlling various malware tools and modules, as part of a coordinated attack. Frameworks are modular and allow attackers to customize and control attacks based on their objectives and responses from target systems.
When it comes to the success of the campaign and the potential victims, FortiGuard Labs doesn’t go into much detail, aside from the fact that the victims were most likely in the education sector: “Analysis of the decrypted DLL file reveals potential targeting of the education sector, as indicated by the file description, ‘校园政务’ (Campus Administration),” the researchers said at one point in the report.
In another document, they described a DLL file called “学籍系统,” meaning “Student Registration System,” another piece of evidence suggesting the attackers may be targeting educational organizations.
“Winos4.0 is a powerful framework, similar to Cobalt Strike and Sliver, that can support multiple functions and easily monitor compromised systems. Threat campaigns use gaming-related applications to trick a victim into downloading and executing the malware without caution and successfully perform deep control over the system,” the researchers warned. “The entire attack chain involves multiple encrypted data and many C2 communications to complete the injection. Users should be aware of the source of any new application and download the software only from qualified sources.”