©2021 Reporters Post24. All Rights Reserved.
It’s worth noting at this stage that both Winos 4.0 and HoldingHands RAT are inspired by another RAT malware referred to as Gh0st RAT, which had its source code leaked in 2008 and has since been widely adopted by various Chinese hacking groups.
Fortinet said it identified PDF documents posing as a tax regulation draft for Taiwan that included a URL to a Japanese language web page (“twsww[.]xin/download[.]html”), from where victims are prompted to download a ZIP archive responsible for delivering HoldingHands RAT.
Further investigation has uncovered attacks targeting China that have utilized taxation-themed Microsoft Excel documents as lures, some dating back to March 2024, to distribute Winos. Recent phishing campaigns, however, have shifted their focus to Malaysia, using fake landing pages to deceive recipients into downloading HoldingHands RAT.
The starting point is an executable claiming to be an excise audit document. It’s used to sideload a malicious DLL, which functions as a shellcode loader for “sw.dat,” a payload that’s designed to run anti-virtual machine (VM) checks, enumerate active processes against a list of security products from Avast, Norton, and Kaspersky, and terminate them if found, escalate privileges, and terminate the Task Scheduler.
It also drops several other files in the system’s C:\Windows\System32 folder –
- svchost.ini, which contains the Relative Virtual Address (RVA) of VirtualAlloc function
- TimeBrokerClient.dll, the legitimate TimeBrokerClient.dll renamed as BrokerClientCallback.dll.
- msvchost.dat, which contains the encrypted shellcode
- system.dat, which contains the encrypted payload
- wkscli.dll, an unused DLL
“The Task Scheduler is a Windows service hosted by svchost.exe that allows users to control when specific operations or processes are run,” Fortinet said. “The Task Scheduler’s recovery setting is configured to restart the service one minute after it fails by default.”
“When the Task Scheduler is restarted, svchost.exe is executed and loads the malicious TimeBrokerClient.dll. This trigger mechanism does not require the direct launch of any process, making behavior-based detection more challenging.”
The primary function of “TimeBrokerClient.dll” is to allocate memory for the encrypted shellcode within “msvchost.dat” by invoking the VirtualAlloc() function using the RVA value specified in “svchost.ini.” In the next stage, “msvchost.dat” decrypts the payload stored in “system.dat” to retrieve the HoldingHands payload.
HoldingHands is equipped to connect to a remote server, send host information to it, send a heartbeat signal every 60 seconds to maintain the connection, and receive and process attacker-issued commands on the infected system. These commands allow the malware to capture sensitive information, run arbitrary commands, and download additional payloads.
A new feature addition is a new command that makes it possible to update the command-and-control (C2) address used for communications via a Windows Registry entry.
Operation Silk Lure Targets China with ValleyRAT#
The development comes as Seqrite Labs detailed an ongoing email-based phishing campaign that has leveraged C2 infrastructure hosted in the U.S., targeting Chinese companies in the fintech, cryptocurrency, and trading platform sectors to ultimately deliver Winos 4.0. The campaign has been codenamed Operation Silk Lure, owing to its China-related footprint.
“The adversaries craft highly targeted emails impersonating job seekers and send them to HR departments and technical hiring teams within Chinese firms,” researchers Dixit Panchal, Soumen Burma, and Kartik Jivani said.
“These emails often contain malicious .LNK (Windows shortcut) files embedded within seemingly legitimate résumés or portfolio documents. When executed, these .LNK files act as droppers, initiating the execution of payloads that facilitate initial compromise.”
The LNK file, when launched, runs PowerShell code to download a decoy PDF resume, while stealthily dropping three additional payloads to the “C:\Users\<user>\AppData\Roaming\Security” location and executing it. The PDF resumes are localized and tailored for Chinese targets so as to increase the likelihood of success of the social engineering attack.
The payloads dropped are as follows –
- CreateHiddenTask.vbs, which creates a scheduled task to launch “keytool.exe” every day at 8:00 a.m.
- keytool.exe, which uses DLL side-loading to load jli.dll
- jli.dll, a malicious DLL that launches the Winos 4.0 malware encrypted and embedded within keytool.exe
“The deployed malware establishes persistence within the compromised system and initiates various reconnaissance operations,” the researchers said. “These include capturing screenshots, harvesting clipboard contents, and exfiltrating critical system metadata.”
The trojan also comes with various techniques to evade detection, including attempting to uninstall detected antivirus products and terminating network connections associated with security programs such as Kingsoft Antivirus, Huorong, or 360 Total Security to interfere with their regular functions.
“This exfiltrated information significantly elevates the risk of advanced cyber espionage, identity theft, and credential compromise, thereby posing a serious threat to both organizational infrastructure and individual privacy,” the researchers added.
