Cybersecurity teams have observed a sharp escalation in attacks leveraging a newly evolved malware strain, Winos 4.0, that specifically targets Microsoft Windows environments.
First identified by FortiGuard Labs during a widespread campaign against Taiwanese users in January, this malware employs advanced distribution tactics and evasion techniques, highlighting an aggressive evolution in contemporary cyberthreats.
Attack Chain Leveraging HoldingHands RAT
The Winos 4.0 campaign primarily utilizes highly targeted phishing emails, often disguised as official correspondence from governmental organizations such as Taiwan’s National Taxation Bureau.

These emails contain either HTML attachments or files masquerading as account statements, luring recipients into clicking malicious links or downloading attachments.
The malicious links typically redirect users to pages hosting password-protected ZIP archives containing the set of carefully crafted files the malware needs to execute its payload and achieve persistence.
The architecture of Winos 4.0 is distinguished by the integration of the HoldingHands Remote Access Trojan (RAT), also known as Gh0stBins.
The ZIP archive distributed through phishing contains both legitimate executables and malicious dynamic-link libraries (DLLs), as well as encrypted shellcode modules.
The attack begins with DLL side-loading: a benign executable loads a DLL (e.g., dokan2.dll), which in turn decrypts and executes stage-two shellcode read from an accompanying file (dxpi.txt).

This shellcode incorporates several advanced functions, including anti-virtual-machine checks (exiting if physical memory is below 8 GB), privilege escalation routines, and targeted system installations.
Targeted Campaigns Exploit Phishing
Persistence is achieved by creating registry entries under SOFTWARE\MsUpTas and deploying malicious payloads into the Windows PowerShell update directory, camouflaged as legitimate system files.
The malware exhibits modularity and flexibility; different ZIP structures have been documented, but all maintain a similar execution chain. Notably, the presence of password-protected archives complicates static detection and analysis.
Winos 4.0 leverages privilege escalation strategies by impersonating system users and services, including TrustedInstaller, to obtain maximum access.
The malware also incorporates anti-analysis logic, terminating its execution if it detects sandboxing or if previous infection artifacts are present on the host, such as specific renamed DLLs (e.g., Blend.dll or BrokerClientCallback.dll).
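A host-based check for the persistence key and the infection-marker files described above, written as an added example for this article (it is not FortiGuard's code or part of the published analysis). The registry hives, the search roots and the pairing of dokan2.dll with dxpi.txt as the side-loading signal are assumptions; the file and key names come from the report.

```powershell
# Added hunting script (not from the FortiGuard report): looks for the Winos 4.0
# artifacts named in the article. Hives and search roots below are assumptions.
$findings = @()

# 1. Persistence key. The report names SOFTWARE\MsUpTas but not the hive, so both are checked.
foreach ($key in 'HKLM:\SOFTWARE\MsUpTas', 'HKCU:\SOFTWARE\MsUpTas') {
    if (Test-Path -Path $key) {
        $findings += [pscustomobject]@{ Indicator = 'RegistryKey'; Detail = $key }
    }
}

# 2. Renamed DLLs the malware uses as "already infected" markers, plus the stage-two
#    shellcode file and core payload. Search roots are assumptions (user-writable areas).
$roots   = @($env:ProgramData, $env:PUBLIC, $env:LOCALAPPDATA, $env:APPDATA) | Select-Object -Unique
$markers = 'Blend.dll', 'BrokerClientCallback.dll', 'dxpi.txt', 'msgDb.dat'
foreach ($root in $roots) {
    if (-not (Test-Path -Path $root)) { continue }
    Get-ChildItem -Path $root -Recurse -File -Include $markers -ErrorAction SilentlyContinue |
        ForEach-Object {
            $findings += [pscustomobject]@{ Indicator = 'MarkerFile'; Detail = $_.FullName }
        }
    # dokan2.dll is a legitimate library elsewhere; flag it only where dxpi.txt sits beside it,
    # which is the side-loading pair described in the report.
    Get-ChildItem -Path $root -Recurse -File -Filter 'dokan2.dll' -ErrorAction SilentlyContinue |
        Where-Object { Test-Path -Path (Join-Path $_.DirectoryName 'dxpi.txt') } |
        ForEach-Object {
            $findings += [pscustomobject]@{ Indicator = 'SideLoadPair'; Detail = $_.DirectoryName }
        }
}

$findings = $findings | Sort-Object Indicator, Detail -Unique
if (-not $findings) { 'No Winos 4.0 artifacts from the report were found on this host.' }
else { $findings | Format-Table -AutoSize }
```

A hit on the registry key or the side-loading pair warrants isolating the host and collecting the matching files for analysis; a lone marker DLL name can be a false positive, so confirm with hashes from the vendor advisory.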
Once operational, the core payload, msgDb.dat, derived from the HoldingHands RAT, establishes communication with command-and-control (C2) servers using a proprietary protocol.
It transmits system reconnaissance data, maintains a heartbeat mechanism to ensure C2 connectivity, and is capable of downloading additional modules such as remote desktop tools and file managers.
The communication structure is robust, leveraging clearly defined packet formats and commands to execute arbitrary functions, modify registry keys, and upgrade its capabilities on the fly.
Further investigation revealed that the threat actors frequently rotate distribution infrastructure and payloads, utilizing an assortment of domains and cloud storage endpoints to evade static blacklists.
The ongoing campaign demonstrates strategic targeting and operational flexibility, with threat actors continuously adapting their toolsets and attack vectors, potentially incorporating other RATs such as Gh0stCringe into their arsenal.
Security vendors, including Fortinet, have responded by updating detection signatures across their endpoint, email, and gateway security solutions.
Customers are urged to maintain updated protections, train users against phishing risks, and monitor for known indicators of compromise (IOCs).
Indicators of Compromise (IOCs)