A newly discovered campaign is targeting Taiwanese companies with an advanced malware known as Winos 4.0, which is being distributed through phishing emails that impersonate the National Taxation Bureau of Taiwan.
This campaign, which was detected by Fortinet FortiGuard Labs last month, marks a significant shift in tactics from previous attack chains that utilized malicious game-related applications to spread the malware.
Security researcher Pei Han Liao said in a report shared with The Hacker News: “The sender claimed that the malicious file attached was a list of enterprises scheduled for tax inspection and asked the receiver to forward the information to their company’s treasurer.”
The attachment is disguised as an official document from the Ministry of Finance, prompting the recipient to download the list of enterprises scheduled for tax inspection.
However, the list is actually a ZIP file containing a malicious DLL (“lastbld2Base.dll”) that initiates the next stage of the attack, ultimately leading to the execution of shellcode responsible for downloading a Winos 4.0 module from a remote server (“206.238.221[.]60”) to gather sensitive data.
The Winos 4.0 module, described as a login module, has the capability to capture screenshots, log keystrokes, modify clipboard content, monitor connected USB devices, execute shellcode, and perform sensitive actions (e.g., cmd.exe) when security prompts from Kingsoft Security and Huorong are displayed.
Fortinet also observed a second attack chain that downloads an online module capable of capturing screenshots of WeChat and online banks.
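The following is an added detection example, not code from Fortinet or the article: it scans constructed endpoint telemetry for the two indicators quoted above (the staging DLL name and the Winos 4.0 download server) and for cmd.exe spawned by a process that contacted that server, mirroring the "sensitive actions" behaviour described. The key=value log format and all sample values other than the two indicators are assumptions.

```python
from dataclasses import dataclass

# Indicators quoted in the Fortinet report above, kept in their defanged form.
WINOS_C2_DEFANGED = "206.238.221[.]60"
WINOS_STAGE_DLL = "lastbld2Base.dll"

def refang(ioc: str) -> str:
    """Convert a defanged indicator (206.238.221[.]60) to the form seen in telemetry."""
    return ioc.replace("[.]", ".")

@dataclass
class Hit:
    line_no: int
    rule: str
    evidence: str

# Constructed sample telemetry in a simplified key=value format (not real logs).
SAMPLE_LOG = """\
ts=2025-02-20T09:01:12Z event=image_load pid=4120 image=C:\\Users\\acct\\Temp\\tax_list\\lastbld2Base.dll
ts=2025-02-20T09:01:13Z event=net_conn pid=4120 image=C:\\Windows\\System32\\rundll32.exe dst=206.238.221.60:443
ts=2025-02-20T09:01:14Z event=net_conn pid=8812 image=C:\\Users\\acct\\Chrome\\chrome.exe dst=142.250.74.46:443
ts=2025-02-20T09:02:02Z event=proc_create pid=9001 parent_pid=4120 image=C:\\Windows\\System32\\cmd.exe
ts=2025-02-20T09:02:05Z event=proc_create pid=9002 parent_pid=8812 image=C:\\Windows\\System32\\cmd.exe
"""

def parse(line: str) -> dict:
    """Split a key=value line into a dict (assumes values contain no spaces)."""
    return dict(kv.split("=", 1) for kv in line.split() if "=" in kv)

def scan(log_text: str) -> list:
    """Flag the stage DLL load, the C2 contact, and cmd.exe spawned by a C2-talking process."""
    hits, c2_pids = [], set()
    c2 = refang(WINOS_C2_DEFANGED)
    for n, line in enumerate(log_text.splitlines(), 1):
        ev = parse(line)
        image = ev.get("image", "")
        if ev.get("event") == "image_load" and image.lower().endswith("\\" + WINOS_STAGE_DLL.lower()):
            hits.append(Hit(n, "winos4_stage_dll", image))
        elif ev.get("event") == "net_conn" and ev.get("dst", "").rsplit(":", 1)[0] == c2:
            hits.append(Hit(n, "winos4_c2_contact", ev["dst"]))
            c2_pids.add(ev.get("pid"))
        elif (ev.get("event") == "proc_create" and image.lower().endswith("\\cmd.exe")
              and ev.get("parent_pid") in c2_pids):
            hits.append(Hit(n, "winos4_c2_process_spawned_cmd", f"parent_pid={ev['parent_pid']}"))
    return hits

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f"line {h.line_no}: {h.rule} ({h.evidence})")
```

The third rule only fires for cmd.exe whose parent already contacted the server, so the unrelated browser-spawned cmd.exe on the last sample line is not reported.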
Notably, the intrusion set responsible for distributing the Winos 4.0 malware has been identified as Void Arachne and Silver Fox, with the malware also overlapping with another remote access trojan known as ValleyRAT.
According to Daniel dos Santos, Head of Security Research at Forescout’s Vedere Labs, “They are both derived from the same source: Gh0st RAT, which was developed in China and open-sourced in 2008.”
“Winos and ValleyRAT are variations of Gh0st RAT attributed to Silver Fox by different researchers at different points in time. Winos was a name commonly used in 2023 and 2024 while now ValleyRAT is more commonly used. The tool is constantly evolving, and it has both local Trojan/RAT capabilities as well as a command-and-control server.”
ValleyRAT, first identified in early 2023, has been recently observed using fake Chrome sites to infect Chinese-speaking users. Similar drive-by download schemes have also been employed to deliver Gh0st RAT.
Furthermore, Winos 4.0 attack chains have incorporated a CleverSoar installer that’s executed through an MSI installer package distributed as fake software or gaming-related applications. Additionally, the open-source Nidhogg rootkit is also dropped alongside Winos 4.0 via CleverSoar.
“The CleverSoar installer […] checks the user’s language settings to verify if they are set to Chinese or Vietnamese,” Rapid7 noted in late November 2024. “If the language is not recognized, the installer terminates, effectively preventing infection. This behavior strongly suggests that the threat actor is primarily targeting victims in these regions.”
The disclosure comes as the Silver Fox APT has been linked to a new campaign that leverages trojanized versions of Philips DICOM viewers to deploy ValleyRAT, which is then used to drop a keylogger and a cryptocurrency miner on victim computers. Notably, the attacks exploit a vulnerable version of the TrueSight driver to disable antivirus software.
“This campaign leverages trojanized DICOM viewers as lures to infect victim systems with a backdoor (ValleyRAT) for remote access and control, a keylogger to capture user activity and credentials, and a crypto miner to exploit system resources for financial gain,” Forescout said.