November 7, 2024
Severity
High
Analysis Summary
Threat actors are increasingly targeting Windows users with the malicious Winos4.0 framework, which is distributed through ostensibly harmless game-related programs. Researchers first described the toolkit last summer in a report on attacks against Chinese users. It is comparable to the post-exploitation frameworks Sliver and Cobalt Strike.
At the time, a threat actor known as Void Arachne/Silver Fox lured victims with software (VPNs, Google Chrome browsers) that had been modified for the Chinese market and bundled with the malicious component. According to a recently released report, threat actors are now increasingly using games and game-related files to target Chinese users.
When run, the ostensibly genuine installers start a multi-step infection process by downloading a DLL file from "ad59t82g[.]com". In the first step, a DLL file (you.dll) sets up the execution environment, downloads further files, and adds entries to the Windows Registry to establish persistence. The second step injects shellcode that connects to the command-and-control (C2) server, loads APIs, and retrieves configuration data. In the third step, another DLL retrieves additional encoded data from the C2 server, stores it in the registry at "HKEY_CURRENT_USER\Console\0", and updates the C2 addresses. In the final step of the attack chain, the login module is loaded and carries out the main malicious actions:
- Gathers data on the environment and system (e.g., CPU, OS details, IP address).
- Checks the host for monitoring and anti-virus software.
- Collects information about the victim's individual Bitcoin wallet extensions.
- Maintains a persistent backdoor connection to the C2 server, which enables the attacker to send commands and retrieve further information.
- Takes screenshots, monitors the clipboard for changes, and steals documents before exfiltrating the data.
Kaspersky, Avast, Avira, Symantec, Bitdefender, Dr.Web, Malwarebytes, McAfee, AhnLab, ESET, Panda Security, and the now-defunct Microsoft Security Essentials are among the security products that Winos4.0 looks for on the system. By recognizing these processes, the malware can detect whether it is running in a monitored environment and either modify its behavior or stop executing.
The Winos4.0 framework has been used by cybercriminals for several months, and the emergence of new campaigns suggests that its place in malicious operations is cemented. According to the researchers, the framework is robust and capable of fully controlling compromised computers; it functions similarly to Sliver and Cobalt Strike.
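To turn the chain described above into something a SOC can hunt for, the following added example (not part of the original advisory or any vendor tooling) scans constructed, simplified endpoint events for three of the advisory's own indicators: DNS queries to the download domain, registry writes under HKEY_CURRENT_USER\Console\0, and connections to the listed C2 IP. The event layout, file paths and the "data" subkey are assumptions made for the sample; only the domain, IP and registry path come from the text.

```python
import re

# Indicators taken from the advisory above; the registry path is the staging key named in the text.
C2_DOMAIN = "ad59t82g.com"
C2_IP = "202.79.173.4"
STAGING_KEY = r"HKEY_CURRENT_USER\Console\0"

# Constructed sample events (not real telemetry) in a simplified key=value layout,
# loosely modelled on Sysmon event IDs: 1 process create, 3 network connect,
# 13 registry value set, 22 DNS query. Paths and the "data" subkey are made up.
SAMPLE_EVENTS = [
    r"EventID=1 Image=C:\Users\u\Downloads\game_setup.exe",
    r"EventID=22 Image=C:\Users\u\Downloads\game_setup.exe QueryName=ad59t82g.com",
    r"EventID=13 Image=C:\Windows\System32\rundll32.exe TargetObject=HKEY_CURRENT_USER\Console\0\data",
    r"EventID=3 Image=C:\Windows\System32\rundll32.exe DestinationIp=202.79.173.4 DestinationPort=443",
    r"EventID=22 Image=C:\Program Files\Mozilla Firefox\firefox.exe QueryName=example.org",
]

# key=value pairs; a value runs until the next " key=" token so paths with spaces survive.
_KV = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")

def parse_event(line):
    """Turn one event line into a dict of field -> value."""
    return dict(_KV.findall(line.strip()))

def match_event(ev):
    """Return (rule, detail) pairs for the indicators this single event trips."""
    hits = []
    eid = ev.get("EventID")
    q = ev.get("QueryName", "").lower()
    if eid == "22" and (q == C2_DOMAIN or q.endswith("." + C2_DOMAIN)):
        hits.append(("c2_dns", ev["QueryName"]))
    if eid == "3" and ev.get("DestinationIp") == C2_IP:
        hits.append(("c2_ip", ev["DestinationIp"]))
    if eid == "13" and ev.get("TargetObject", "").upper().startswith(STAGING_KEY.upper()):
        hits.append(("registry_staging", ev["TargetObject"]))
    return hits

def scan(lines):
    """Scan event lines; return all hits plus the images worth escalating.
    An image tripping two or more distinct rules reproduces the chain above
    (download domain, registry staging, C2 traffic) and is prioritised for triage."""
    hits, rules_by_image = [], {}
    for idx, line in enumerate(lines):
        ev = parse_event(line)
        image = ev.get("Image", "?")
        for rule, detail in match_event(ev):
            hits.append((idx, image, rule, detail))
            rules_by_image.setdefault(image, set()).add(rule)
    escalate = sorted(img for img, rules in rules_by_image.items() if len(rules) >= 2)
    return hits, escalate

if __name__ == "__main__":
    found, esc = scan(SAMPLE_EVENTS)
    for h in found:
        print("line %d  %-45s %-17s %s" % h)
    print("escalate:", esc)
```

Matching on the registry prefix rather than an exact value name catches whatever value the loader writes under Console\0, and the two-rule escalation keeps a lone DNS lookup from a curious user out of the high-priority queue.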
Impact
- Cyber Espionage
- Financial Loss
- Sensitive Data Theft
Indicators of Compromise
Domain Name
- ad59t82g.com
IP
- 202.79.173.4
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Only download apps from official app stores (Google Play Store and Apple App Store) and avoid third-party app sources.
- Review the permissions an app requests during installation. If an app asks for excessive permissions that are unrelated to its functionality, consider it a red flag.
- Never trust or open links and attachments received from unknown sources/senders.
- Encourage individuals to report any suspicious activities, emails, or messages to relevant authorities, organizations, or cybersecurity experts.
- Verify the authenticity of websites, social media profiles, and apps before providing personal information or engaging with them.
- Implement strong, multi-factor authentication (MFA) for email accounts, social media profiles, and other sensitive online services.
- Keep all software and operating systems up to date with the latest security patches to minimize vulnerabilities.
- Employ robust network security measures, including firewalls and intrusion detection systems, to detect and block malicious network traffic.
- Develop and maintain an incident response plan that outlines steps to take in case of a security breach. Ensure that individuals and organizations know how to respond effectively.
- Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
- Refrain from downloading apps from unofficial sources or third-party app stores. These sources are less regulated and more prone to hosting malicious apps.
- Patch and upgrade all platforms and software promptly, and make this a standard security policy. Prioritize patching known exploited vulnerabilities and zero-days.
- Enable antivirus and anti-malware software and update signature definitions promptly. Multi-layered protection is necessary to secure vulnerable assets.