Silver Fox Trojan via Fake Flash Plugin

Knownsec 404 discovered Silver Fox campaigns impersonating common tools (Google Translate, WPS, translation apps, browsers, VPNs) that use fake "outdated Flash" prompts and counterfeit download pages to trick users into running MSI/EXE installers, which deploy the Winos remote-access Trojan. The Silver Fox family is modular and widely reused by cybercriminals and APTs (e.g., Golden Eye Dog), using obfuscation and sandbox evasion to persist and steal data. #SilverFox #Winos #GoldenEyeDog

Keypoints

  • Attackers create phishing pages mimicking Google Translate, currency converters, WPS, Youdao, Bit Browser, letsvpn, and other common tools to lure downloads.
  • Fake pages trigger a false “outdated Flash” prompt on any click, redirecting victims to attacker-hosted download pages containing MSI or EXE installers.
  • Installers (MSI/EXE) drop components including aicustact.dll, update.bat, javaw.exe, and Microsoftdata.exe (Golang), which persist via Run registry entries.
  • The MSI chain loads Xps.dtd, which contains shellcode that decrypts and maps an embedded PE; the final PE's debug strings reference “RexRat4.0.3”, while the core payload is Winos.
  • Winos implements multiple remote-control and data-theft plugins: screenshots, keylogging, clipboard theft, and other C2-driven functions.
  • Silver Fox has evolved into a widely redeployed malware family after leaks of RAT source code (e.g., Winos 4.0), enabling cybercrime groups and APTs to repackage and reuse it.
  • IOCs include a long installer hash, multiple phishing domains/IPs, and numerous C2 IP:port combos used for command-and-control.

MITRE Techniques

  • [T1192] Spearphishing via Service – Phishing sites mimic popular services (e.g., Google Translate, WPS) to trick users into downloading installers (“fake Google Translate… counterfeit WPS official download website”).
  • [T1204] User Execution – Victims are tricked into running MSI/EXE installers from attacker-controlled pages after a fake Flash prompt (“a prompt indicating an outdated Flash version appears… redirecting the page to the attacker’s designated download page”).
  • [T1547] Boot or Logon Autostart Execution – Malware writes entries to the Run registry key to maintain persistence (“javaw.exe is to write Microsoftdata.exe … into the run registry to maintain long-term residency”).
  • [T1105] Ingress Tool Transfer – Installers drop and load additional components and DLLs (aicustact.dll loads attacker-specified files; the MSI releases multiple files listed in its Property table).
  • [T1064] Scripting – An update.bat runs the legitimate installer while concurrently launching the malicious payload (“The normal installation program was run in update.bat, and malicious payload was also run at the same time”).
  • [T1055] Process Injection – Shellcode in Xps.dtd decrypts and loads an embedded PE and jumps to its export to execute the payload in memory (“the core function of the shellcode in Xps.dtd is to load the included PE and jump to the run export function to execute”).
  • [T1027] Obfuscated Files or Information – Actors use code obfuscation and signature forgery to evade detection (“iteration of anti-detection techniques (such as code obfuscation, signature forgery, and cloud sandbox evasion)”).
  • [T1071] Application Layer Protocol – Malware communicates with multiple C2 servers over specified IP:port endpoints (numerous C2 IPs and ports are listed in the IOCs).

Indicators of Compromise

  • [File Hash] MSI/installer payload – 38bdef0bdf05adeefb1d4ba04296c757eb8cdfb9be958e4c0d544764564df177b5e0893617a6a1b5e5f3c0c85fa82eaa9
  • [Domain] Phishing domain – www.ggfanyi[.]com (fake translate site)
  • [IP Address] Phishing host – 192.252.181[.]55 (phishing website host)
  • [IP:Port] C2 servers – 8.218.115.90[:]8080, 154.91.66.58[:]8088 (command-and-control endpoints) and many others listed (e.g., 103.116.246.234[:]62344, 43.250.174.49[:]1989)
  • [File Name] Dropped binaries / persistence – Microsoftdata.exe (Golang payload written to the Run registry key), aicustact.dll (loader DLL), Xps.dtd (encoded shellcode container)
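The Run-key persistence (T1547) and the C2 endpoints above can be turned into a simple host-log check. The following Python is an added example, not code from Knownsec 404's report: the Sysmon-style events it scans are constructed here, and the field layout (id, image, target, details, dst_ip, dst_port) is a simplified one assumed for the example. It also generalises beyond the named file: any Run-key value pointing into a user-writable directory is flagged.

```python
import re

# Constructed Sysmon-style events (not from the report). Event ID 13 = registry
# value set, Event ID 3 = network connection. Field names are simplified.
SAMPLE_EVENTS = [
    {"id": 13, "image": r"C:\Users\u\AppData\Local\Temp\javaw.exe",
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Microsoftdata",
     "details": r"C:\Users\u\AppData\Roaming\Microsoftdata.exe"},
    {"id": 13, "image": r"C:\Windows\explorer.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "details": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"},
    {"id": 13, "image": r"C:\Windows\System32\msiexec.exe",
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\RunOnce\Updater",
     "details": r"C:\Users\u\AppData\Roaming\updater.exe"},
    {"id": 3, "image": r"C:\Users\u\AppData\Roaming\Microsoftdata.exe",
     "dst_ip": "8.218.115.90", "dst_port": 8080},
    {"id": 3, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dst_ip": "142.250.72.14", "dst_port": 443},
]

# C2 endpoints taken from the IOC list above.
C2_ENDPOINTS = {("8.218.115.90", 8080), ("154.91.66.58", 8088),
                ("103.116.246.234", 62344), ("43.250.174.49", 1989)}
# Dropped names from the report that do not collide with common legitimate
# binaries (javaw.exe and update.bat are too generic to match on name alone).
DROPPED_NAMES = {"microsoftdata.exe", "aicustact.dll", "xps.dtd"}
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(once)?\\", re.I)
USER_WRITABLE = re.compile(r"\\(appdata|temp|programdata|users\\public)\\", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev):
    """Return the list of alert strings for one event (empty if nothing matches)."""
    alerts = []
    if ev["id"] == 13 and RUN_KEY.search(ev["target"]):
        if basename(ev["details"]) in DROPPED_NAMES:
            alerts.append("run-key persistence: known Silver Fox file name")
        elif USER_WRITABLE.search(ev["details"]):
            alerts.append("run-key persistence: autostart from user-writable path")
    if ev["id"] == 3 and (ev["dst_ip"], ev["dst_port"]) in C2_ENDPOINTS:
        alerts.append("network: connection to reported C2 endpoint")
    return alerts


def scan(events):
    """Map event index -> alerts, keeping only events that raised something."""
    hits = {}
    for i, ev in enumerate(events):
        alerts = classify(ev)
        if alerts:
            hits[i] = alerts
    return hits
```
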

Read more: https://medium.com/@knownsec404team/analysis-of-the-latest-silver-fox-attack-campaign-disguised-as-a-flash-plugin-7cd92d193de1