- Security researchers spot new malware framework called Winos4.0
- It is capable of monitoring the clipboard, gathering system information, and more
- The attackers seem to be targeting the educational sector
Experts have detected a new malicious software framework targeting Windows users by hiding in games and game-related software.
A report from cybersecurity researchers FortiGuard Labs, which named the framework “Winos4.0”, claims hackers have been advertising different installation tools, performance boosters, optimizers, and similar fake software that actually infects the targets with Winos4.0, an advanced version of Gh0strat.
Winos4.0 is capable of monitoring the clipboard, gathering system information, checking for antivirus software, grabbing information from cryptocurrency wallet extensions, and more.
Winos4.0 attacks
Usually, software frameworks such as this one are capable of causing plenty of damage. Compared to “simple” malware, a framework provides an environment for deploying, managing, and controlling different malware tools and modules, as part of a coordinated attack. Frameworks are modular and allow attackers to tailor and control attacks based on their objectives and responses from target systems.
When it comes to the campaign’s success, and potential victims, FortiGuard Labs does not go into much detail, aside that the victims were most likely in the education industry: “Analysis of the decoded DLL file reveals a potential targeting of the education sector, as indicated by its file description, “校园政务” (Campus Administration),” the researchers said at one point of the report.
In another, they described a DLL file named “学籍系统,” meaning “Student Registration System,” - another piece of evidence suggesting that the attackers could be targeting educational organizations.
“Winos4.0 is a powerful framework, similar to Cobalt Strike and Sliver, that can support multiple functions and easily control compromised systems. Threat campaigns leverage Game-related applications to lure a victim to download and execute the malware without caution and successfully deploy deep control of the system,” the researchers warned. “The entire attack chain involves multiple encrypted data and lots of C2 communication to complete the injection. Users should be aware of any new application's source and only download the software from qualified sources.”
You might also like
- Dangerous LightSpy malware is now targeting macOS devices — here's what we know
- Here's a list of the best firewalls today
- These are the best endpoint protection tools right now
