A New Sophisticated Malware Is Targeting Windows Gamers

Windows gamers are currently being targeted by a malware framework disguised as game installation and optimization tools. The framework, called Winos4.0, was first discovered by researchers at Fortinet, a well-known cybersecurity firm.

How Does Winos4.0 Work?

Fortinet’s Fortiguard Labs blog post first detailed the method of attack and the malware’s capabilities. Winos4.0 is distributed when an unsuspecting Windows user installs a tainted gaming-related application. These apps often resemble installation tools, speed boosters, and gaming optimization tools. Gamers looking to improve online performance will use these tools to gain an extra edge.

Once the malicious app is installed, Winos4.0 downloads a .bmp file. A Windows dynamic link library (DLL) is extracted from that file and used to infect the system through shellcode injection.
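The .bmp carrier described above is the kind of artifact a defender can triage locally. The following Python is an added example, not Fortinet's code or anything taken from the Winos4.0 analysis: it checks whether a file claiming to be a bitmap has a consistent header, carries bytes past its declared size, or contains an embedded PE (DLL) image. The sample inputs are constructed inside the script, and since this page does not describe how Winos4.0 packs its payload, the check is a generic heuristic rather than a signature.

```python
import struct

PE_SIGNATURE = b"PE\x00\x00"

def looks_like_bmp(data: bytes) -> bool:
    """Header sanity check: 'BM' magic and a plausible size/pixel-offset pair."""
    if len(data) < 14 or data[:2] != b"BM":
        return False
    declared_size, _, _, pixel_offset = struct.unpack_from("<IHHI", data, 2)
    return 14 <= pixel_offset <= declared_size <= len(data)

def find_embedded_pe(data: bytes) -> list:
    """Offsets of DOS 'MZ' headers whose e_lfanew field points at a 'PE\\0\\0' signature."""
    hits = []
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            pe_off = pos + e_lfanew
            if pe_off + 4 <= len(data) and data[pe_off:pe_off + 4] == PE_SIGNATURE:
                hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits

def assess(data: bytes) -> dict:
    """Flag an image that carries bytes past its declared size or an executable inside it."""
    valid = looks_like_bmp(data)
    declared = struct.unpack_from("<I", data, 2)[0] if valid else 0
    trailing = len(data) - declared  # bytes the BMP header does not account for
    pe_hits = find_embedded_pe(data)
    return {"valid_bmp_header": valid, "trailing_bytes": trailing,
            "embedded_pe_offsets": pe_hits,
            "suspicious": (not valid) or trailing > 0 or bool(pe_hits)}

def make_bmp_1x1() -> bytes:
    """Constructed, benign 1x1 24-bit BMP used as sample input (not a real sample)."""
    pixel = b"\x00\x00\xff\x00"  # one red pixel plus row padding
    dib = struct.pack("<IiiHHIIiiII", 40, 1, 1, 1, 24, 0, len(pixel), 2835, 2835, 0, 0)
    header = struct.pack("<2sIHHI", b"BM", 14 + len(dib) + len(pixel), 0, 0, 14 + len(dib))
    return header + dib + pixel

def make_fake_pe() -> bytes:
    """Constructed stand-in for an appended DLL: DOS header with e_lfanew=0x40, then 'PE\\0\\0'."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    return bytes(dos) + PE_SIGNATURE + b"\x00" * 20
```

Running `assess()` over files with an image extension that were written by an installer or "optimizer" surfaces the ones worth a closer look; a clean bitmap reports zero trailing bytes and no PE offsets.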

Fortinet says that “Winos4.0 is a powerful framework . . . that can support multiple functions and easily control compromised systems. The entire attack chain involves multiple encrypted data and lots of C2 communication to complete the injection. Users should be aware of any new application’s source and only download [gaming] software from qualified sources.”

What makes Winos4.0 particularly scary is that it communicates with outside servers and can allow remote attacks. It can also gather system info, monitor your clipboard, capture your screen, and check for crypto-wallet activity. According to Bleeping Computer, Winos4.0 detects common antivirus and anti-malware software from Kaspersky, Avast, Bitdefender, Malwarebytes, and McAfee.

Educational Organizations May Be at Risk

Based on file descriptions in the malware’s code, Fortiguard Labs has stated that the malware may ultimately be trying to manipulate systems in the education sector. That assessment rests on a file description titled “Campus Administration.” Fortiguard Labs has performed a detailed analysis of the malware’s code as part of the original blog post.

Should You Be Worried?

Windows gamers who have recently downloaded speed-boosting or other gaming optimization applications from potentially sketchy sources may be unsuspectingly harboring Winos4.0. Since modern malware is stealthier than older malware types, it’s particularly difficult to detect. Fortunately, the Fortinet blog details the Indicators of Compromise (IOCs) so you know what to look for.

However, if you’ve been infected, a step-by-step removal method has yet to be circulated. Unsurprisingly, though, Fortinet’s antivirus software has implemented protection from Winos4.0 for its users.