19 June 2024

Void Arachne targets Chinese-speaking users with Winos backdoor


Researchers at Trend Micro have uncovered a new cyber threat group, which they dubbed “Void Arachne,” that targets Chinese-speaking users with malicious Windows Installer (MSI) files bundling legitimate installers for AI tools and other popular software.

The group is leveraging compromised MSI files embedded with various applications, including nudifiers and deepfake pornography-generating software, as well as AI-based voice and facial technologies. The campaign uses SEO poisoning and disseminates malware via social media and messaging platforms.

Given the strict government controls in China, there is heightened public interest in VPN services to evade the Great Firewall and bypass online censorship. Void Arachne exploits this interest by distributing malicious MSI files that include legitimate software installers for AI tools, Chinese language packs, Google Chrome, and Chinese-marketed VPNs like LetsVPN and QuickVPN. These MSIs also install a backdoor, Winos 4.0, during the installation process.

Void Arachne uses multiple distribution vectors, including SEO poisoning and Telegram channels that distribute malicious content.

The threat actors set up a web infrastructure to deploy spear-phishing links disguised as legitimate software installers. These links are optimized to rank high in search engine results, leading unsuspecting users to download the malicious files.

The campaign also utilizes Chinese-language-themed Telegram channels to distribute malicious MSI files and ZIP archives. These channels, some with tens of thousands of users, promote fake software tools and AI applications, including nonconsensual deepfake pornography and face-swapping software.

The malicious MSI files appear to the victim as genuine software installers but secretly install additional malware. During installation, the MSI files drop a loader that decrypts and executes a second-stage payload in memory. This payload launches a Visual Basic Script (VBS) to establish persistence and trigger further malicious activities. The result is a Winos backdoor installed alongside the legitimate software, which could lead to a full system compromise.
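The installation chain described above (an installer process that ends up launching a VBS script) leaves a recognisable parent/child pattern in process-creation telemetry. The following detection logic is an added example, not code from Trend Micro or from the article; it runs over constructed Sysmon-style events, and the rule names, field names and the list of "user-writable" path components are assumptions made for the example.

```python
import re
from typing import Dict, List

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
INSTALLER = "msiexec.exe"
# Path components a legitimate installer's custom action rarely needs to run
# scripts from (assumption for this example).
USER_WRITABLE = re.compile(r"\\(temp|appdata|programdata|public)\\", re.IGNORECASE)

# Constructed Sysmon-style process-creation events, not telemetry from the campaign.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"pid": "1", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\msiexec.exe",
     "command_line": r"msiexec.exe /i C:\Users\u\Downloads\vpn_setup.msi"},
    {"pid": "2", "parent_image": r"C:\Windows\System32\msiexec.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "command_line": r"wscript.exe //B C:\Users\u\AppData\Local\Temp\update.vbs"},
    {"pid": "3", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cscript.exe",
     "command_line": r"cscript.exe C:\Scripts\inventory.vbs"},
    {"pid": "4", "parent_image": r"C:\Windows\System32\msiexec.exe",
     "image": r"C:\Program Files\Example\setup.exe",
     "command_line": r'"C:\Program Files\Example\setup.exe" /quiet'},
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: Dict[str, str]) -> List[str]:
    """Return the names of the rules an event matches (empty means no finding)."""
    hits: List[str] = []
    parent, image, cmd = basename(event["parent_image"]), basename(event["image"]), event["command_line"]
    is_script_host = image in SCRIPT_HOSTS
    runs_vbs = bool(re.search(r"\.vbs\b", cmd, re.IGNORECASE))
    # Rule 1: the Windows Installer service itself spawned a script host running a .vbs
    if parent == INSTALLER and is_script_host and runs_vbs:
        hits.append("installer_spawned_vbs")
    # Rule 2: a .vbs executed from a user-writable location (typical drop location)
    if is_script_host and runs_vbs and USER_WRITABLE.search(cmd):
        hits.append("vbs_from_user_writable_path")
    return hits


def scan(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map pid -> matched rules for every event that triggers at least one rule."""
    return {e["pid"]: classify(e) for e in events if classify(e)}


if __name__ == "__main__":
    for pid, rules in scan(SAMPLE_EVENTS).items():
        print(pid, rules)
```

Only the event where msiexec.exe launches wscript.exe on a script in a Temp directory is flagged; an administrator's scheduled cscript.exe run from a fixed script directory is not.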

Written in C++, the backdoor facilitates various malicious actions, such as file management, distributed denial of service (DDoS) attacks, webcam control, screenshot capture, microphone recording, keylogging, and remote shell access.
