Malicious actors have harnessed fake QQ Browser and LetsVPN installers to enable the spread of the Winos 4.0 malware, also known as ValleyRAT, as part of an attack campaign aimed at Chinese-speaking users first discovered in February, reports The Hacker News.
Initial intrusions began with a QQ Browser-spoofing NSIS installer that used the multi-stage Catena loader to launch Winos 4.0, which enabled data compromise, remote shell access, and distributed denial-of-service attacks, and maintained persistence through subsequently created scheduled tasks, an analysis from Rapid7 revealed. Last month the threat actors overhauled the attack sequence to use a LetsVPN-impersonating NSIS installer that executes a PowerShell command, giving an even stealthier deployment of Winos 4.0. The campaign "leans heavily on memory-resident payloads, reflective DLL loading, and decoy software signed with legit certificates to avoid raising alarms," according to the researchers, who also noted that the intrusions rely on infrastructure and targeting similar to those used by the Silver Fox advanced persistent threat operation.