A new cybersecurity threat has emerged, targeting Taiwanese organizations with a malware known as Winos 4.0. This campaign utilizes phishing emails that impersonate the National Taxation Bureau of Taiwan, aiming to trick recipients into downloading malicious files.

The campaign, detected by Fortinet FortiGuard Labs, deviates from earlier methods that typically leveraged harmful gaming applications. The emails claim to include a document listing businesses scheduled for tax inspection, prompting users to forward it to their company’s financial personnel. This document, however, is a ZIP file concealing a malicious DLL named "lastbld2Base.dll." This file initiates a sequence of events leading to the download of the Winos 4.0 module from a remote server, which is designed to extract sensitive information from compromised systems.
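The lure described above is a ZIP archive posing as a tax document but carrying a DLL. The following is an added example (not code from Fortinet or from this post) of a mail-gateway style check that opens a ZIP attachment, flags executable members, and escalates when a member matches the DLL name reported here; the archive contents and the helper names are constructed for illustration.

```python
import io
import zipfile

# The DLL name is the one reported in the campaign write-up; everything else is constructed.
KNOWN_LURE_DLL = "lastbld2Base.dll"
EXECUTABLE_SUFFIXES = (".dll", ".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".hta")


def scan_zip_attachment(data: bytes) -> list:
    """Inspect a ZIP attachment and return findings for members that should not be
    inside a 'document': executables by extension, and PE files hiding under a
    harmless-looking extension (checked via the 'MZ' header)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            lower = name.lower()
            base = lower.rsplit("/", 1)[-1]
            is_exec_ext = lower.endswith(EXECUTABLE_SUFFIXES)
            if is_exec_ext:
                # Match on the reported lure filename escalates the severity.
                severity = "critical" if base == KNOWN_LURE_DLL.lower() else "high"
                findings.append({"member": name, "severity": severity,
                                 "reason": "executable inside document archive"})
            with zf.open(info) as member:
                head = member.read(2)
            if head == b"MZ" and not is_exec_ext:
                findings.append({"member": name, "severity": "high",
                                 "reason": "PE header under non-executable extension"})
    return findings


def build_sample_lure() -> bytes:
    """Constructed sample archive mimicking the lure: a decoy document, the named DLL,
    and a PE file renamed to .pdf. No real malware is involved."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Tax_Inspection_List.docx", b"decoy document bytes")
        zf.writestr("lastbld2Base.dll", b"MZ" + b"\x00" * 62)
        zf.writestr("report.pdf", b"MZ" + b"\x90" * 10)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_zip_attachment(build_sample_lure()):
        print(finding)
```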

This malware is equipped with capabilities to capture screenshots, log keystrokes, modify clipboard contents, monitor USB devices, execute shellcode, and control key system functions, effectively taking over user interactions. Fortinet researchers also identified an additional attack vector that installs an online module to capture activity on platforms like WeChat and banking sites.

The intrusion set responsible for distributing the Winos 4.0 malware is associated with groups referred to as Void Arachne and Silver Fox. Additionally, the malware is reportedly related to another remote access trojan known as ValleyRAT, which has a known history of targeting Chinese-speaking users. Both Winos and ValleyRAT are adaptations of the open-source Gh0st RAT, originally developed in China.

As the attack landscape evolves, Winos 4.0 has integrated a CleverSoar installer, which checks user language settings before running, primarily targeting Chinese and Vietnamese speakers. The strategy reflects a calculated approach to limit infection to specific regions.

Recently, the Silver Fox APT has expanded its operations, utilizing harmful versions of Philips DICOM viewers to deploy ValleyRAT and subsequently introduce a keylogger and cryptocurrency miner onto affected computers. This combination of malware is designed to exploit system resources for financial gain while ensuring persistent access for the attackers.

This new wave of attacks underscores the importance of cybersecurity vigilance, as threat actors adapt their methods to exploit specific vulnerabilities in their targets.

