Winos 4.0 Spreads via Impersonation of Official Email to Target Users in Taiwan

In January 2025, an advanced malware framework named Winos4.0 was identified targeting Taiwanese companies through phishing emails disguised as tax inspection documents. The attack was carried out with a chain of malicious executables and DLLs, resulting in a high-severity breach in which the stolen information could enable follow-on attacks.

Affected: Microsoft Windows; companies in Taiwan

Key points:

  • Winos4.0 is an advanced malware framework utilized in targeted attacks.
  • The malware was distributed via phishing emails masquerading as documents from Taiwan’s National Taxation Bureau.
  • Malicious files were embedded in ZIP archives that appeared to contain legitimate tax inspection lists.
  • The attack sequence included launching executables to load malicious DLLs.
  • The malware employs tactics like anti-sandboxing and UAC bypasses.
  • The malware spawns separate threads for tasks such as keylogging, taking screenshots, and manipulating clipboard data.
  • FortiGuard Antivirus solutions are capable of detecting and blocking the malware.
  • Ongoing monitoring and threat intelligence sharing are crucial for mitigating such threats.

MITRE Techniques:

  • T1071.001 (Application Layer Protocol: Web Protocols) – Utilizes HTTP/S for command and control (C2) communication.
  • T1203 (Exploitation for Client Execution) – Malicious document attachments used in phishing emails to exploit recipient systems.
  • T1546.001 (Event Triggered Execution: Windows Service) – Persistence mechanism creating a copy of the malware as a Windows service.
  • T1060 (Registry Run Keys / Startup Folder) – Modifies registry keys to ensure persistence of the malware.
  • T1056.001 (Input Capture: Keylogging) – Records user keystrokes to capture sensitive information.
  • T1114.001 (Email Collection: From Desktop) – Collects email data through manipulated processes.

Indicators of Compromise:

  • [IP Address] 43[.]137[.]42[.]254
  • [IP Address] 206[.]238[.]221[.]60
  • [Domain] 9010[.]360sdgg[.]com
  • [Domain] 1234[.]360sdgg[.]com
  • [Hash] 36afc6d5dfb0257b3b053373e91c9a0a726c7d269211bc937704349a6b4be9b9
  • [Hash] 0e3c9af7066ec72406eac25cca0b312894f02d6d08245a3ccef5c029bc297bd2
  • [Hash] 67395af91263f71cd600961a1fd33ddc222958e83094afdde916190a0dd5d79c
  • [Hash] f4d3477a19ff468d234a5e39652157b2181c8b51c754b900bcfa13339f577e7c
  • [Hash] c9a8db23d089aa71466b4bde51a51a8cfdcc28e8df33b4c63ce867bd381e5fe5
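The indicators above are published defanged (`[.]`) and, as extracted here, the hash entry runs five SHA-256 digests together on one line. The following is an added example, not code from Fortinet or from the original write-up, showing how a defender would normalise these indicators (refang, lower-case, split the concatenated digest string) and sweep DNS, proxy and EDR logs for them. The indicator values are copied from this page; the log lines are constructed for the demonstration and do not come from any real incident.

```python
import re
from typing import Dict, Iterable, List, Set

# Indicators exactly as they appear on the page: defanged with "[.]", and the
# five SHA-256 values run together in a single string (an extraction artifact
# that a robust loader must cope with).
PAGE_IOCS: Dict[str, List[str]] = {
    "ip": ["43[.]137[.]42[.]254", "206[.]238[.]221[.]60"],
    "domain": ["9010[.]360sdgg[.]com", "1234[.]360sdgg[.]com"],
    "hash": [
        "36afc6d5dfb0257b3b053373e91c9a0a726c7d269211bc937704349a6b4be9b9"
        "0e3c9af7066ec72406eac25cca0b312894f02d6d08245a3ccef5c029bc297bd2"
        "67395af91263f71cd600961a1fd33ddc222958e83094afdde916190a0dd5d79c"
        "f4d3477a19ff468d234a5e39652157b2181c8b51c754b900bcfa13339f577e7c"
        "c9a8db23d089aa71466b4bde51a51a8cfdcc28e8df33b4c63ce867bd381e5fe5"
    ],
}

# Constructed sample log lines (not real telemetry) in a simple key=value style.
SAMPLE_LOGS = [
    "2025-01-14T03:12:09Z dns client=10.0.0.25 query=9010.360sdgg.com type=A",
    "2025-01-14T03:12:10Z proxy src=10.0.0.25 dst=43.137.42.254:443 method=CONNECT",
    "2025-01-14T03:13:44Z edr host=WS-FIN-07 file=attachment.zip "
    "sha256=0E3C9AF7066EC72406EAC25CCA0B312894F02D6D08245A3CCEF5C029BC297BD2",
    "2025-01-14T03:15:00Z dns client=10.0.0.31 query=www.example.com type=A",
    "2025-01-14T03:16:02Z proxy src=10.0.0.31 dst=206.238.221.60:80 method=GET",
]


def refang(indicator: str) -> str:
    """Undo common defanging conventions ([.] (.) [:] hxxp) and lower-case."""
    s = indicator.strip().lower()
    s = s.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    s = re.sub(r"^hxxps?://", lambda m: m.group(0).replace("hxxp", "http"), s)
    return s


def split_hashes(blob: str) -> List[str]:
    """Split a run-together hex string into individual digests.

    Tries the widest digest first (SHA-256, then SHA-1, then MD5), so a
    320-character string becomes five SHA-256 values. A string whose length
    fits several widths is ambiguous; the widest digest is the assumption.
    """
    s = re.sub(r"\s+", "", blob.lower())
    if not re.fullmatch(r"[0-9a-f]+", s):
        raise ValueError(f"not a hex digest: {blob!r}")
    for width in (64, 40, 32):
        if len(s) % width == 0:
            return [s[i:i + width] for i in range(0, len(s), width)]
    raise ValueError(f"length {len(s)} is not a multiple of a known digest size")


def load_iocs(page_iocs: Dict[str, List[str]]) -> Dict[str, Set[str]]:
    """Normalise the page's indicators into lookup sets keyed by type."""
    iocs: Dict[str, Set[str]] = {"ip": set(), "domain": set(), "hash": set()}
    for value in page_iocs.get("ip", []):
        iocs["ip"].add(refang(value))
    for value in page_iocs.get("domain", []):
        iocs["domain"].add(refang(value))
    for value in page_iocs.get("hash", []):
        iocs["hash"].update(split_hashes(value))
    return iocs


# Candidate extractors; boundaries prevent "43.137.42.254" matching inside
# "143.137.42.2540" and a 32-char digest matching inside a longer one.
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
HOST_RE = re.compile(r"(?<![\w.-])(?:[a-z0-9-]+\.)+[a-z]{2,}(?![\w-])")
HEX_RE = re.compile(r"(?<![0-9a-f])[0-9a-f]{32}(?:[0-9a-f]{8}|[0-9a-f]{32})?(?![0-9a-f])")


def scan_logs(lines: Iterable[str], iocs: Dict[str, Set[str]]) -> List[dict]:
    """Return one hit per (line, indicator) where a page IoC appears in a log line."""
    hits: List[dict] = []
    for line_no, raw in enumerate(lines, start=1):
        line = raw.lower()
        for ip in IPV4_RE.findall(line):
            if ip in iocs["ip"]:
                hits.append({"line": line_no, "type": "ip", "indicator": ip})
        for host in HOST_RE.findall(line):
            # Match the listed domain itself and any subdomain of it.
            for domain in iocs["domain"]:
                if host == domain or host.endswith("." + domain):
                    hits.append({"line": line_no, "type": "domain", "indicator": domain})
        for digest in HEX_RE.findall(line):
            if digest in iocs["hash"]:
                hits.append({"line": line_no, "type": "hash", "indicator": digest})
    return hits


if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS, load_iocs(PAGE_IOCS)):
        print(f"line {hit['line']}: {hit['type']} {hit['indicator']}")
```

Against the constructed sample, the sweep flags the DNS query for `9010.360sdgg.com`, the two proxy connections to the listed IP addresses and the EDR file event whose digest matches one of the five hashes, while ignoring the benign `www.example.com` lookup. Feeding real DNS, proxy and EDR exports into `scan_logs` instead of `SAMPLE_LOGS` is the intended use.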

Source: https://www.fortinet.com/blog/threat-research/winos-spreads-via-impersonation-of-official-email-to-target-users-in-taiwan