A new malware campaign has targeted companies in Taiwan with the Winos 4.0 variant, distributed through phishing emails. The malicious emails, disguised as official correspondence from Taiwan’s National Taxation Bureau, instruct recipients to download an attachment purportedly containing a list of enterprises due for tax inspection. However, the file is a ZIP archive that holds a malicious DLL file, “lastbld2Base.dll,” which facilitates the next stage of the attack by deploying shellcode. This code connects to a remote server, ultimately installing the Winos 4.0 malware and enabling the theft of sensitive data from the infected system.
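Delivery in this campaign hinges on a ZIP attachment that carries a DLL, so the mail gateway is a natural place to catch it. The following Python script is an added example, not code from the report or from the researchers who analysed the campaign; it opens a ZIP attachment in memory and flags executable entries (by extension or by the MZ header hidden under a benign extension) as well as the DLL name cited above. The sample archive is constructed with placeholder bytes.

```python
import io
import zipfile

# Archive entry name the report associates with this campaign (from the page above)
KNOWN_DROPPER_NAMES = {"lastbld2base.dll"}
# Executable payload extensions that have no business inside a "tax inspection list"
EXECUTABLE_EXTS = {".dll", ".exe", ".scr", ".com", ".pif"}


def scan_zip_attachment(data: bytes) -> dict:
    """Inspect a ZIP attachment and return executable entries, indicator hits and a verdict."""
    findings = {"executable_entries": [], "known_indicators": [], "verdict": "clean"}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                name = info.filename
                lower = name.lower()
                base = lower.rsplit("/", 1)[-1]
                is_exec_ext = any(lower.endswith(ext) for ext in EXECUTABLE_EXTS)
                if is_exec_ext:
                    findings["executable_entries"].append(name)
                if base in KNOWN_DROPPER_NAMES:
                    findings["known_indicators"].append(name)
                # Extension checks are easy to evade: also look for a PE (MZ) header
                # under a benign-looking extension such as .pdf or .xlsx.
                with zf.open(info) as fh:
                    head = fh.read(2)
                if head == b"MZ" and not is_exec_ext:
                    findings["executable_entries"].append(name + " (MZ header, disguised extension)")
    except zipfile.BadZipFile:
        findings["verdict"] = "invalid-zip"
        return findings
    if findings["known_indicators"]:
        findings["verdict"] = "block-known-indicator"
    elif findings["executable_entries"]:
        findings["verdict"] = "quarantine-executable-content"
    return findings


def build_sample_zip(entries: dict) -> bytes:
    """Constructed test archive; contents are placeholder bytes, not real malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_zip({"inspection_list.pdf": b"%PDF-1.4 placeholder",
                               "lastbld2Base.dll": b"MZ placeholder"})
    print(scan_zip_attachment(sample))
```

The filename match is the weakest part of this check, since a renamed DLL evades it; the extension and MZ-header checks are what hold up across variants.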
The Winos 4.0 malware is equipped with multiple capabilities to monitor and steal information.
It can capture screenshots, log keystrokes, manipulate clipboard content, and monitor connected USB devices. Furthermore, it enables the execution of sensitive commands like cmd.exe, even bypassing security prompts from specific security software. Researchers have also noted that a secondary attack chain was detected, where the malware downloads additional modules capable of capturing screenshots from messaging apps like WeChat and from online banking sites.
This attack campaign has been attributed to the cyber group known as Silver Fox. Winos 4.0 is a variant of Gh0st RAT, an open-source remote access Trojan (RAT) originally developed in China, and the malware is also connected to another remote access tool, ValleyRAT, which shares a similar origin. The complexity of the attack is reflected in the number of malicious tools involved, including the CleverSoar installer, which checks the system’s language before continuing the infection.
This language-based check suggests that the primary targets of the attack are users in Chinese and Vietnamese-speaking regions.
The Silver Fox group, responsible for the Winos 4.0 malware, has also been linked to a series of other cyberattacks, including one involving trojanized Philips DICOM viewers. That campaign uses the viewer to deploy the ValleyRAT backdoor, which is followed by the installation of a keylogger and a cryptocurrency miner on the victim’s computer. The trojanized DICOM viewers provide the initial foothold on the system, while the keylogger enables the theft of credentials and personal data and the crypto miner consumes system resources for financial gain.