Threat Campaign Distributes Winos4.0 via Gaming App

Winos4.0 is a modular, multi-stage Windows malware framework rebuilt from Gh0strat and distributed via malicious game-related applications to gain persistent control of infected machines. The campaign targets the education sector, uses layered DLL/shellcode injection and C2 communication to collect system and clipboard data, and is detected by FortiGuard solutions. #Winos4.0 #Gh0strat

Keypoints

  • Winos4.0 is a Gh0strat-derived, multi-module framework that provides persistent backdoor capabilities on Microsoft Windows.
  • Attackers distributed the malware inside game-related installers and optimization tools to lure victims, with apparent targeting of educational institutions.
  • The infection chain decodes a fake BMP to extract you.dll, which downloads and unpacks additional components including libcef.dll and shellcode.
  • Persistence is established via registry Run key or a scheduled task; payloads are injected and executed through DLL loading and shellcode.
  • The malware reaches out to a C2 server (202[.]79[.]173[.]4) to download modules, send environment data, and receive commands.
  • Final-stage modules collect system info, clipboard contents, check for AV/monitoring tools and specific Chrome crypto extensions, and can upload documents and screenshots.

MITRE Techniques

  • [T1071] Application Layer Protocol – Covers the HTTP retrieval of the XOR-encoded BMP stages and the check-in to the C2 on port 80; the lure itself (‘Initial access is achieved by distributing game-related applications designed for optimization or installation.’) is a user-run trojanized installer rather than a protocol technique; (‘The malware retrieves the C2 address 202[.]79[.]173[.]4 and port 80’).
  • [T1055] Process Injection – Loads the malicious DLLs and injects the extracted shellcode so that it runs in memory; no client-side vulnerability is exploited, so T1203 (Exploitation for Client Execution) is not the right mapping; (‘it injects the extracted shellcode, preparing it to execute actions within the compromised environment.’)
  • [T1547] Boot or Logon Autostart Execution – Achieves persistence by writing a Run-key value named ‘WINDOWS’ that points at u72kOdQ.exe; (‘adds the executable “u72kOdQ.exe” to the registry key “SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN” under the name “WINDOWS.”’)
  • [T1005] Data from Local System – Collects host details and clipboard data for reconnaissance; (‘Collects system information: It gathers host information, including the IP address, computer name, operating system, CPU, disk, network card, directory name, and time.’)
  • [T1041] Exfiltration Over C2 Channel – Sends encoded environment and collected data back to the C2 and uploads documents/screenshots on command; (‘Sends a login message: It encodes environment information data with the XOR key and sends it to the C2 server.’)

Indicators of Compromise

  • [URL] Hosting and delivery – hxxp://ad59t82g[.]com/1/lon2[.]bmp, hxxp://ad59t82g[.]com/1/h[.]bmp (XOR-encoded BMPs used to deliver DLLs).
  • [IP/Hostname] C2 infrastructure – ad59t82g[.]com, 202[.]79[.]173[.]4 (command-and-control server and download host).
  • [SHA256 hash] Payload hashes – c9817d415d34ea3ae07094dae818ffe8e3fb1d5bcb13eb0e65fd361b7859eda7 (NetDiagnotor.exe), 37104f3b3646f5ffc8c78778ec5fdc924ebb5e5756cb162c0e409d24bedf406d (online module) and several other hashes.
  • [File names] Malicious components – you.dll, libcef.dll, u72kOdQ.exe (stages used to unpack, inject shellcode, and run modules).

Winos4.0 uses a layered infection chain: victims run seemingly benign game-related installers that fetch XOR-encoded BMP files from ad59t82g[.]com. Those BMPs unpack DLLs (you.dll → libcef.dll) and supporting executables into a randomly named folder under Program Files, where the malware unpacks, decodes, and prepares shellcode and modules for execution.
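The decoding step described above, as an added triage routine (not Fortinet's code and not extracted from the sample): it reads the pixel-array offset from the BITMAPFILEHEADER, then brute-forces a single-byte XOR key over the "pixel data" until an MZ/PE header validates. The single-byte key, the placement of the payload at the pixel offset, and the sample blob are all assumptions made for this example; the page does not give the real key or layout of lon2.bmp or h.bmp.

```python
"""Carve a single-byte-XOR-encoded PE from behind a BMP header (triage helper).

Constructed example: the real lon2.bmp / h.bmp layout and key are not on the page,
so the sample blob below is built locally and the layout is an assumption.
"""
import struct
from typing import Optional, Tuple


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key."""
    return bytes(b ^ key for b in data)


def looks_like_pe(buf: bytes) -> bool:
    """True if buf starts with 'MZ' and e_lfanew points at a 'PE\\0\\0' signature."""
    if len(buf) < 0x40 or buf[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    return e_lfanew + 4 <= len(buf) and buf[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def bmp_pixel_offset(blob: bytes) -> Optional[int]:
    """Return the pixel-array offset from a BITMAPFILEHEADER, or None if not a BMP."""
    if len(blob) < 14 or blob[:2] != b"BM":
        return None
    return struct.unpack_from("<I", blob, 10)[0]


def carve_xor_pe(blob: bytes) -> Optional[Tuple[int, bytes]]:
    """Brute-force the XOR key over the 'pixel data'; return (key, decoded PE) on a hit.

    Only the first 0x200 bytes are decoded per key so the 256-key loop stays cheap
    on large downloads; the full body is decoded once a key validates.
    """
    off = bmp_pixel_offset(blob)
    if off is None or off >= len(blob):
        return None
    body = blob[off:]
    for key in range(256):
        if looks_like_pe(xor_bytes(body[:0x200], key)):
            return key, xor_bytes(body, key)
    return None


# --- constructed sample so the routine runs offline (assumed layout) ------------

def build_fake_pe() -> bytes:
    """Minimal buffer with a valid MZ/PE header layout (not a runnable executable)."""
    hdr = bytearray(0x100)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)      # e_lfanew -> NT headers at 0x80
    hdr[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", hdr, 0x84, 0x014C)    # Machine = IMAGE_FILE_MACHINE_I386
    return bytes(hdr)


def build_fake_bmp(payload: bytes, key: int) -> bytes:
    """Wrap an XOR-encoded payload in a syntactically valid 16x16 24-bit BMP header."""
    pixel_off = 14 + 40
    file_hdr = b"BM" + struct.pack("<IHHI", pixel_off + len(payload), 0, 0, pixel_off)
    info_hdr = struct.pack("<IiiHHIIiiII", 40, 16, 16, 1, 24, 0,
                           len(payload), 2835, 2835, 0, 0)
    return file_hdr + info_hdr + xor_bytes(payload, key)


SAMPLE_KEY = 0x5A                      # assumed key for the constructed sample only
SAMPLE_BLOB = build_fake_bmp(build_fake_pe(), SAMPLE_KEY)

if __name__ == "__main__":
    hit = carve_xor_pe(SAMPLE_BLOB)
    print("no PE found" if hit is None else f"key=0x{hit[0]:02x}, pe_len={len(hit[1])}")
```

Validating the MZ magic together with the PE signature at e_lfanew, rather than MZ alone, keeps the 256-key sweep from false-positiving on random pixel data; a multi-byte or rolling key would need a different search and is not covered here.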

The loader establishes persistence either by adding u72kOdQ.exe to the Run registry key or creating a scheduled task, then injects shellcode that resolves APIs and retrieves configuration markers (e.g., “codecode”). The implant contacts a hardcoded C2 (202[.]79[.]173[.]4) over TCP to check in, download encrypted modules, and execute further stages—eventually deploying modules that harvest system and clipboard data, check for AV/monitoring tools, capture screenshots, and exfiltrate documents on command.
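A hunt over the persistence and C2 artifacts above, as an added example (not Fortinet's detection content): it flags a Run-key value named WINDOWS or pointing at u72kOdQ.exe, a schtasks /create whose /tr target is the loader, and any connection to 202[.]79[.]173[.]4 or ad59t82g[.]com. The pipe-delimited event format is a constructed stand-in for Sysmon event IDs 13, 3 and 1; the field names mirror Sysmon's, but the event lines are made up for the example and only the IOC values come from the write-up.

```python
"""Flag Winos4.0 host and network indicators in constructed Sysmon-style event lines.

Added example: the 'EVENT|<id>|<type>|k=v|...' format is a simplified stand-in for
Sysmon events (IDs 1, 3, 13) constructed for this page; only the IOC values are real.
"""
import ntpath
import re
from typing import Dict, List, Tuple

C2_IPS = {"202.79.173.4"}
C2_HOSTS = {"ad59t82g.com"}
LOADER_NAMES = {"u72kodq.exe"}
RUN_VALUE_NAME = "windows"
RUN_KEY_RE = re.compile(
    r"\\software\\microsoft\\windows\\currentversion\\run\\(?P<value>[^\\]+)$", re.I)
SCHTASKS_TR_RE = re.compile(r'/tr\s+"?([^"]+?)"?(?:\s+/|$)', re.I)


def parse_event(line: str) -> Dict[str, str]:
    """Parse one constructed event line into a dict of fields."""
    parts = line.rstrip("\n").split("|")
    ev = {"id": parts[1], "type": parts[2]}
    for kv in parts[3:]:
        k, _, v = kv.partition("=")
        ev[k] = v
    return ev


def is_loader(path: str) -> bool:
    """Match on the file name only; the parent folder is randomly named."""
    return ntpath.basename(path).lower() in LOADER_NAMES


def check_event(ev: Dict[str, str]) -> List[str]:
    """Return a reason string for each indicator the event matches."""
    reasons: List[str] = []
    if ev["id"] == "13":                                   # registry value set
        m = RUN_KEY_RE.search(ev.get("TargetObject", ""))
        if m:
            value, data = m.group("value"), ev.get("Details", "")
            if value.lower() == RUN_VALUE_NAME or is_loader(data):
                reasons.append(f"Run-key persistence: value '{value}' -> {data}")
    elif ev["id"] == "3":                                  # network connection
        ip = ev.get("DestinationIp", "")
        host = ev.get("DestinationHostname", "").lower()
        port = ev.get("DestinationPort", "")
        if ip in C2_IPS or host in C2_HOSTS:
            reasons.append(f"C2 contact: {ev.get('Image', '?')} -> {host or ip}:{port}")
    elif ev["id"] == "1":                                  # process creation
        cmd = ev.get("CommandLine", "")
        if (ntpath.basename(ev.get("Image", "")).lower() == "schtasks.exe"
                and "/create" in cmd.lower()):
            m = SCHTASKS_TR_RE.search(cmd)
            if m and is_loader(m.group(1)):
                reasons.append(f"Scheduled-task persistence: {m.group(1)}")
    return reasons


def scan(lines: List[str]) -> List[Tuple[int, str]]:
    """Run every line through check_event and collect (line index, reason) hits."""
    hits: List[Tuple[int, str]] = []
    for idx, line in enumerate(lines):
        for reason in check_event(parse_event(line)):
            hits.append((idx, reason))
    return hits


# Constructed sample events: three hits (Run key, C2, schtasks) and three benign lines.
SAMPLE_EVENTS = [
    r"EVENT|13|RegistryValueSet|Image=C:\Program Files\Xk9Qz\u72kOdQ.exe|TargetObject=HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\WINDOWS|Details=C:\Program Files\Xk9Qz\u72kOdQ.exe",
    r"EVENT|3|NetworkConnect|Image=C:\Program Files\Xk9Qz\u72kOdQ.exe|DestinationIp=202.79.173.4|DestinationHostname=|DestinationPort=80",
    r'EVENT|1|ProcessCreate|Image=C:\Windows\System32\schtasks.exe|CommandLine=schtasks /create /tn Update /tr "C:\Program Files\Xk9Qz\u72kOdQ.exe" /sc onlogon',
    r"EVENT|3|NetworkConnect|Image=C:\Program Files\Mozilla Firefox\firefox.exe|DestinationIp=203.0.113.5|DestinationHostname=www.example.com|DestinationPort=443",
    r"EVENT|13|RegistryValueSet|Image=C:\Windows\explorer.exe|TargetObject=HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive|Details=C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
    r'EVENT|1|ProcessCreate|Image=C:\Windows\System32\schtasks.exe|CommandLine=schtasks /create /tn Backup /tr "C:\Tools\backup.exe" /sc daily',
]

if __name__ == "__main__":
    for idx, reason in scan(SAMPLE_EVENTS):
        print(f"line {idx}: {reason}")
```

The Run-key check fires on the value name alone because the loader's install folder is random, so the path is a weak pivot while the value name ‘WINDOWS’ and the file name u72kOdQ.exe are the stable parts of the indicator.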

Fortinet reports that FortiGuard Antivirus and related services detect and block the known samples and C2 URLs, and FortiGuard Web Filtering/IP Reputation services can block the malicious infrastructure. Organizations should avoid installing software from untrusted sources, verify game installers against the vendor's published signature or hash before running them, and keep endpoint protections updated to prevent similar multi-stage threats.

Read more: https://feeds.fortinet.com/~/907482104/0/fortinet/blog/threat-research~Threat-Campaign-Spreads-Winos-Through-Game-Application