Winos 4.0 Behind Operation Holding Hands

The Operation Holding Hands campaign uses a stolen digital certificate to distribute a backdoor named “給与制度改定のお知らせ.exe” (“Notice of salary system revision”) to Japanese users, relying on multi-stage payload delivery and runtime decryption to evade detection. The malware’s behaviors include privilege escalation, in-memory execution, and links to the China-linked APT group Silver Fox through its use of the Winos 4.0 framework. #HoldingHands #Winos4.0 #SilverFox

Key points

  • The malware “給与制度改定のお知らせ.exe” is signed with a stolen certificate from Sid Narayanan Ltd to appear legitimate.
  • The executable acts as a backdoor, indicated by embedded PDB path and suspicious imported functions like ShellExecute and WriteFile.
  • It checks for administrative privileges and uses a multi-byte transformation to obfuscate payload data stored in a.zip before launching Run.exe.
  • The payload is decrypted and executed directly in memory using VirtualAlloc, avoiding traditional static detection methods.
  • It uses COM-based unzipping, dynamic API resolution, and fallback techniques such as ShellExecuteExA with the “runas” verb to escalate privileges.
  • The malware maintains communication with a hardcoded C2 server via heartbeat packets, and shows links to the memory-resident Winos 4.0 backdoor used by the China-linked APT group “Silver Fox.”
  • The campaign targets Japanese users but also shows indicators of broader activity, including in Taiwan, with regional language checks and multiple digital certificates observed.

MITRE Techniques

  • [T1548] Abuse Elevation Control Mechanism – The malware uses ShellExecuteExA with the “runas” verb to relaunch itself with elevated privileges to bypass User Account Control.
  • [T1059] Command and Scripting Interpreter – Dynamically resolves and executes Windows API functions such as CreateProcessW and VirtualAlloc via GetProcAddress to run malicious code.
  • [T1106] Execution through API – Executes decrypted payload in memory using Windows API VirtualAlloc and CreateDirectoryA to create fake directories for persistence.
  • [T1553] Subvert Trust Controls – Uses stolen digital certificates from Sid Narayanan Ltd to sign malware and evade detection.
  • [T1574] Hijack Execution Flow – Loads dummy DLL names (e.g., kernel32.dll) from directories to mask malicious payload execution by pretending to load legitimate system DLLs.
  • [T1036] Masquerading – The malware’s filename “給与制度改定のお知らせ.exe” mimics legitimate business communications to deceive users.
  • [T1071] Application Layer Protocol – Maintains C2 communication by sending heartbeat packets to a hardcoded IP address.

Indicators of Compromise

  • [File Name] Phishing-distributed backdoor – 給与制度改定のお知らせ.exe, 244.exe
  • [File Hash] Malware samples – 78dc343fe6f5d3140c9624c889148ec0 (MD5), 0b6318af44ad2e434d7cfce95e8eeba2357c226355478a6cfdfbe464d9e5e467 (SHA-256)
  • [URL] Phishing website – hxxps[:]//jppjp[.]vip/index[.]html
  • [IP Address] C2 servers – 154[.]205[.]139[.]223, 38[.]54[.]107[.]103, 38[.]54[.]50[.]212, 206[.]238[.]221[.]244, 107[.]149[.]253[.]183
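
As an added defender-side example (not part of the original post or the linked write-up), the script below refangs the indicators listed above and checks them against constructed proxy, DNS and EDR log lines. The hostname jppjp.vip is derived from the phishing URL on the page; the log lines are constructed for illustration and are not real telemetry.

```python
"""Match the Operation Holding Hands indicators against log lines.

Added example; the IoC values are those listed on the page, the log
lines are constructed for illustration.
"""
import re
from urllib.parse import urlparse

# Indicators exactly as the post lists them (defanged).
DEFANGED_IOCS = {
    "md5": ["78dc343fe6f5d3140c9624c889148ec0"],
    "sha256": ["0b6318af44ad2e434d7cfce95e8eeba2357c226355478a6cfdfbe464d9e5e467"],
    "url": ["hxxps[:]//jppjp[.]vip/index[.]html"],
    "ip": [
        "154[.]205[.]139[.]223",
        "38[.]54[.]107[.]103",
        "38[.]54[.]50[.]212",
        "206[.]238[.]221[.]244",
        "107[.]149[.]253[.]183",
    ],
    "filename": ["給与制度改定のお知らせ.exe", "244.exe"],
}


def refang(value):
    """Undo the common defanging conventions: hxxp -> http, [.] -> ., [:] -> :."""
    value = value.replace("[.]", ".").replace("[:]", ":")
    return re.sub(r"^hxxp(s?)", r"http\1", value, flags=re.IGNORECASE)


def build_patterns():
    """Compile one regex per indicator; returns a list of (type, value, pattern).

    IPs and hostnames are anchored so that 38.54.50.212 does not match inside
    138.54.50.212; hashes are matched case-insensitively because EDR products
    differ in hex casing. A hostname indicator is derived from each URL so
    DNS logs can be matched as well.
    """
    patterns = []
    for ioc_type, values in DEFANGED_IOCS.items():
        for raw in values:
            clean = refang(raw)
            if ioc_type == "ip":
                pat = re.compile(r"(?<![\d.])" + re.escape(clean) + r"(?![\d.])")
            elif ioc_type in ("md5", "sha256"):
                pat = re.compile(re.escape(clean), re.IGNORECASE)
            elif ioc_type == "filename":
                pat = re.compile(r"(?<!\w)" + re.escape(clean))
            else:  # url
                pat = re.compile(re.escape(clean))
            patterns.append((ioc_type, clean, pat))
            if ioc_type == "url":
                host = urlparse(clean).hostname
                host_pat = re.compile(r"(?<![\w-])" + re.escape(host) + r"(?![\w.-])")
                patterns.append(("domain", host, host_pat))
    return patterns


def scan_lines(lines):
    """Return [(line_index, ioc_type, value)] for every indicator hit."""
    patterns = build_patterns()
    hits = []
    for idx, line in enumerate(lines):
        for ioc_type, value, pat in patterns:
            if pat.search(line):
                hits.append((idx, ioc_type, value))
    return hits


# Constructed sample log lines (proxy, DNS, EDR); not real telemetry.
# The EDR line carries the page's SHA-256 in upper case to exercise the
# case-insensitive hash match.
SAMPLE_LOGS = [
    "proxy src=10.1.2.3 dst=38.54.50.212:443 bytes=1320",
    "dns client=10.1.2.3 qname=jppjp.vip qtype=A",
    r"edr event=FileCreate path=C:\Users\alice\Downloads\給与制度改定のお知らせ.exe sha256="
    + DEFANGED_IOCS["sha256"][0].upper(),
    "proxy src=10.1.2.4 dst=138.54.50.212:443 bytes=900",  # near miss, must not match
    "dns client=10.1.2.4 qname=example.com qtype=A",
]

if __name__ == "__main__":
    for idx, ioc_type, value in scan_lines(SAMPLE_LOGS):
        print(f"line {idx}: {ioc_type} indicator {value!r}")
```

Feeding real proxy, DNS or EDR exports through scan_lines gives a quick first pass; the anchored IP and hostname patterns are the part worth keeping, since naive substring matching on short IoCs such as 244.exe or a /24-sharing IP produces noisy results.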


Read more: https://somedieyoungzz.github.io/posts/silver-fox/
