A new threat actor group, dubbed “Void Arachne,” is targeting Chinese-speaking users with malicious VPN installers. This cybercriminal group uses compromised Windows Installer (MSI) files to deliver a command-and-control (C&C) framework called Winos 4.0.
Void Arachne’s campaign involves distributing fake VPN installers, including popular software like Google Chrome, LetsVPN, QuickVPN, and a Telegram language pack for Simplified Chinese. These installers are advertised through search engine optimization (SEO) poisoning tactics and shared on social media and messaging platforms.
Trend Micro researchers discovered that these attacks began in early April 2024. The malicious installers are shared as ZIP archives through links created using blackhat SEO techniques. For Telegram users, the installers are directly hosted on the messaging platform.
Malicious Installers and Payloads
The installers modify firewall rules to allow malware traffic when connected to public networks. They also drop a loader that decrypts and executes a second-stage payload. This payload then runs a Visual Basic Script (VBS) to set up persistence on the host system, triggers an unknown batch script, and delivers the Winos 4.0 C&C framework.
Capabilities of Winos 4.0
Winos 4.0 is a powerful implant written in C++, capable of:
- File management
- Distributed denial of service (DDoS) attacks using TCP/UDP/ICMP/HTTP
- Disk search
- Webcam control
- Screenshot capture
- Microphone recording
- Keylogging
- Remote shell access
It uses a plugin-based system with 23 dedicated components for both 32-bit and 64-bit systems. This allows the malware to perform various functions and even be expanded with additional plugins as needed by the attackers.
The core component of Winos 4.0 also detects security software common in China, manages the loading of plugins, clears system logs, and downloads and executes additional payloads from a specified URL.
The Impact
The use of a fake Chinese language pack significantly increases the attack surface. Other software used in this campaign includes tools for creating non-consensual deepfake pornographic videos, which can be used in sextortion scams, and AI technologies for virtual kidnapping and voice-altering and face-swapping.
Increased Risk in China
Internet connectivity in China is heavily regulated by the Great Firewall, leading to a high demand for VPN services that can bypass these restrictions. This increased interest in VPNs has made them a prime target for cybercriminals like Void Arachne.
In summary, Void Arachne’s sophisticated tactics and tools represent a significant threat to Chinese users, particularly those seeking to evade internet censorship using VPN services. Users are advised to download software only from trusted sources and remain vigilant about potential threats.
Found this news interesting? Follow us on Twitter and Telegram to read more exclusive content we post.
