Behind the Great Wall: Void Arachne Targets Chinese-Speaking Users With the Winos 4.0 C&C Framework
The malware then begins to listen for incoming commands from the C&C server. It can execute a variety of tasks, including loading additional plugins, capturing screenshots, and clearing system logs. These functions are managed and executed through controlled switch statements, ensuring precise and efficient handling of each instruction.
Table 7 lists the malware’s supported functionalities.
| Commands | Description |
| 0 | Load plugins |
| 1 | Load the plugin and update the registry |
| 2 | Terminate the connection |
| 3 | Send the active window information and capture a screenshot |
| 4 | Capture a screenshot |
| 5 | Execute file and commands |
| 6 | Download a file from the given URL and execute it |
| 7 | Modify the registry value of specific keys and, if the key doesn’t exist, create it |
| 8 | Check whether a process with the provided name exists on the system by enumerating the list of running processes |
| 9 | N/A |
| 10 | Capture a screenshot |
| 11 | Clear system logs: Application, security, and system |
| 12 | Restart the process |
| 13 | Terminate the process |
| 14 | Logout from the system |
| 15 | Restart the system |
| 16 | Shutdown the system |
| 17 | Change the default plugin loading method |
| 18 | Update configuration settings |
| 19 | Create a new C&C thread and perform system information collection |
| 100 | Set the value of IpDatespecial registry |
| 101 | Remove the value of IpDatespecial registry |
Table 7. A list of the malware’s supported functionalities
Conclusion
In the scope of our research, we conducted an analysis of a Void Arachne campaign that targets the Chinese-speaking demographic. Using SEO poisoning and widely used messaging applications such as Telegram, the Void Arachne threat group has potentially reached a substantial Chinese-speaking demographic as well as the broader East Asian community through the dissemination of malicious MSI files.
As is the case with Void Arachne’s campaign, threat actors abused the great public interest in AI technologies to deliver malware. Our investigation revealed that Void Arachne promoted compromised MSI files embedded with nudifiers and deepfake pornography-generating software, intending to infect unsuspecting users. Furthermore, the group advertised corrupted AI voice and facial technologies, frequently exploited in virtual kidnapping schemes. The proliferation of these artificial technologies has prompted concerns regarding potential misuse, particularly evident in sextortion and virtual kidnapping schemes that can lead to heartbreaking consequences. In its commitment to safeguarding the general public’s online well-being, Trend Micro has curated comprehensive resources designed to educate the community on identifying, preventing, and addressing sextortion attacks. In the event of falling victim to sextortion or virtual kidnapping, the prompt reporting of the incident to relevant authorities, such as the Internet Crime Complaint Center (IC3), is strongly recommended.
Throughout 2024, we have seen an increase in malicious MSI files, such as in a DarkGate campaign that exploited the Microsoft Windows Internet Shortcut SmartScreen Bypass Vulnerability (CVE-2024-21412). Individuals are strongly advised to check the source of MSI files and only download them from trusted sources. As previously discussed, MSI files are bundled installers, which mean that malicious software as well as zero-day exploits can be bundled alongside legitimate software. These malicious MSI files pose a significant threat to organizations as they may act as a backdoored installer and poison the software installer supply chain.
Organizations can protect themselves from these kinds of attacks with Trend Vision One, which enables security teams to continuously identify attack surfaces, including known, unknown, managed, and unmanaged cyber assets. Vision One helps organizations prioritize and address potential risks, including vulnerabilities. It considers critical factors, such as the likelihood and impact of potential attacks, and offers a range of prevention, detection, and response capabilities. This is all backed by advanced threat research, threat intelligence, and AI, which helps reduce the time taken to detect, respond, and remediate issues. Ultimately, Trend Vision One can help improve the overall security posture and effectiveness of an organization, including defending an organization against zero-day attacks.
When faced with uncertain intrusions, behaviors, and routines, organizations should assume that their system is already compromised or breached and work to immediately isolate affected data or toolchains. With a broader perspective and rapid response, organizations can address breaches and protect their remaining systems, especially with technologies such as Trend Micro™ Endpoint Security™ and Trend Micro Network Security, as well as comprehensive security solutions such as Trend Micro™ XDR, which can detect, scan, and block malicious content across the modern threat landscape.
The complete list of indicators of compromise (IoCs) can be found here.
Read More HERE
