    New Threat Actor ‘Void Arachne’ Targets Chinese Users with Malicious VPN Installers

    A newly identified threat actor, codenamed Void Arachne, has emerged, targeting Chinese-speaking users with malicious VPN installer files. This insidious campaign leverages Windows Installer (MSI) files to deploy a command-and-control (C&C) framework named Winos 4.0.

    “The operation also involves compromised MSI files embedded with nudifiers and deepfake pornography-generating software, as well as AI voice and facial technologies,” revealed Trend Micro researchers Peter Girnus, Aliakbar Zahravi, and Ahmed Mohamed Ibrahim in a detailed report released today.

    This campaign utilizes Search Engine Optimization (SEO) poisoning tactics alongside social media and messaging platforms to disseminate malware.

    Discovered by Trend Micro in early April 2024, this threat actor group lures victims by advertising popular software such as Google Chrome, LetsVPN, QuickVPN, and a Telegram language pack for Simplified Chinese. In addition, alternate attack vectors use backdoored installers distributed through Chinese-themed Telegram channels.

    Links from black hat SEO strategies lead to dedicated infrastructure established by the adversaries, which stages the installers in ZIP archives. For attacks that go through Telegram channels, both MSI installers and ZIP archives are hosted directly on the messaging platform.

    The use of a malicious Chinese language pack significantly increases the attack surface. Other software claims to offer capabilities to generate non-consensual deepfake pornographic videos for sextortion scams, virtual kidnapping via AI technologies, and voice-altering and face-swapping tools.

    These installers are engineered to modify firewall rules to allow-list malware-related traffic on public networks.
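    As a defender-side illustration of the firewall-tampering step described above, the following Python script triages newly added Windows Firewall rules and flags the patterns that step would produce: an allow rule active on the Public profile, a rule whose program lives in a user-writable directory, or an inbound allow not scoped to any program. This is an added example, not code from the Void Arachne report or from Trend Micro. It assumes that rule-creation telemetry (for instance Security log event 4946, "A rule was added to the Windows Firewall exception list") has already been parsed into the fields shown; the trusted install roots are a heuristic assumption, and the sample records are constructed.

```python
"""Triage newly added Windows Firewall rules for suspicious allow-listing.

Added example for this article; not code from the Void Arachne report or
from Trend Micro. Assumes rule-creation telemetry (e.g. Security event 4946)
has already been parsed into the FirewallRule fields below. The records at
the bottom are constructed for illustration.
"""
from dataclasses import dataclass

# Install roots from which legitimately installed software usually runs.
# A rule whose program lives anywhere else (AppData, Temp, Downloads, ...)
# is treated as user-writable. Heuristic assumption, not from the report.
TRUSTED_ROOTS = (
    "c:\\program files\\",
    "c:\\program files (x86)\\",
    "c:\\windows\\",
)


@dataclass
class FirewallRule:
    name: str
    direction: str  # "Inbound" or "Outbound"
    action: str     # "Allow" or "Block"
    profiles: str   # comma-separated, e.g. "Private,Public", or "Any"
    program: str    # application path; "" when the rule is not program-scoped


def normalize_path(path: str) -> str:
    """Lower-case, strip quotes and unify separators so prefix checks are stable."""
    return path.strip().strip('"').lower().replace("/", "\\")


def is_user_writable(program: str) -> bool:
    """True when a program-scoped rule points outside the trusted install roots."""
    path = normalize_path(program)
    if not path:
        return False  # not program-scoped; handled by a separate check
    return not any(path.startswith(root) for root in TRUSTED_ROOTS)


def applies_to_public(profiles: str) -> bool:
    """True when the rule is active on public networks ('Public' or 'Any')."""
    names = {p.strip().lower() for p in profiles.split(",")}
    return "public" in names or "any" in names


def triage(rule: FirewallRule) -> list[str]:
    """Return the reasons a rule deserves analyst attention (empty list = benign)."""
    reasons: list[str] = []
    if rule.action.lower() != "allow":
        return reasons  # block rules cannot open a path for C&C traffic
    if applies_to_public(rule.profiles):
        reasons.append("allow rule is active on the Public profile")
    if is_user_writable(rule.program):
        reasons.append(f"program runs from a user-writable path: {rule.program}")
    if not rule.program.strip() and rule.direction.lower() == "inbound":
        reasons.append("inbound allow that is not scoped to any program")
    return reasons


def suspicious_rules(rules: list[FirewallRule]) -> dict[str, list[str]]:
    """Map rule name -> reasons for every rule that triggers at least one check."""
    return {r.name: triage(r) for r in rules if triage(r)}


# Constructed sample telemetry (not real event data).
SAMPLE_RULES = [
    FirewallRule("Google Chrome", "Inbound", "Allow", "Domain,Private",
                 "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"),
    FirewallRule("LetsVPN", "Inbound", "Allow", "Public",
                 "C:\\Users\\user\\AppData\\Local\\Temp\\letsvpn\\update.exe"),
    FirewallRule("Updater Service", "Inbound", "Allow", "Any", ""),
    FirewallRule("Telemetry Block", "Outbound", "Block", "Any", ""),
]

if __name__ == "__main__":
    for name, reasons in suspicious_rules(SAMPLE_RULES).items():
        print(f"[!] {name}")
        for reason in reasons:
            print(f"    - {reason}")
```

    Run against the constructed records, the first rule (a trusted path, no Public profile) passes, while the lure-named rule from a Temp directory and the unscoped inbound allow are both reported; wiring the `triage` function to a real event feed only requires mapping the event's fields onto `FirewallRule`.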

    They also drop a loader that decrypts and executes a second-stage payload in memory, launching a Visual Basic Script (VBS) to establish persistence on the host. This script triggers an unknown batch script and delivers the Winos 4.0 C&C framework through a stager that establishes communications with a remote server.

    Written in C++, Winos 4.0 is capable of file management, distributed denial of service (DDoS) attacks via TCP/UDP/ICMP/HTTP, disk search, webcam control, screenshot capture, microphone recording, keylogging, and remote shell access.

    The backdoor’s complexity is underscored by its plugin-based system, which supports 23 dedicated components for both 32- and 64-bit variants. These can be further augmented with external plugins integrated by the threat actors as needed.

    The core component of Winos also includes methods to detect the presence of security software commonly used in China. It acts as the main orchestrator, responsible for loading plugins, clearing system logs, and downloading and executing additional payloads from specified URLs.

    “Internet connectivity in the People’s Republic of China is tightly regulated through a combination of legislative measures and technological controls, collectively known as the Great Firewall of China,” the researchers highlighted.

    “Due to strict government control, VPN services and public interest in this technology have surged. Consequently, threat actors are increasingly targeting software that can circumvent the Great Firewall and online censorship.”
