Windows gamers are currently being targeted by a malware framework disguised as a game installation and optimization tool. It is called WinOS 4.0, which was first discovered by researchers at Fortinet, a popular cybersecurity firm.
How does WinOS 4.0 work
Fortinet’s FortiGuard Labs blog post first detailed the attack method and the malware’s capabilities. WinOS 4.0 is distributed when an unsuspecting Windows user installs a corrupted gaming-related application. These apps often look like installation tools, speed boosters, and gaming optimization tools. Gamers looking to improve online performance will use these tools to gain an extra edge.
However, once the malicious app is installed, WinOS 4.0 downloads a .bmp file. This file extracts a Windows Dynamic Link Library that infects the system using shell-code injection.
Fortinet says that “WinOS 4.0 is a powerful framework . . . that can support multiple tasks and easily take control of compromised systems. The whole attack chain involves multiple encrypted data and lots of C2 communication to complete the injection. Users should be aware of the source of any new application and only download [gaming] software from qualified sources.”
What makes Winos4.0 particularly scary is that it communicates with external servers and could allow remote attacks. It can also collect system information, monitor your clipboard, capture your screen and check crypto-wallet activity. According to Bleeping Computer, Winos4.0 evades detection of common malware and antivirus software from Kaspersky, Avast, Bitdefender, Malwarebytes and McAfee.
Educational organizations could be at risk
Based on file descriptions in the malware’s code, Fortiguard Labs has said that the malware could eventually try to manipulate systems in the education sector. This indication is evident from the file description named “Campus Administration”. Fortiguard Labs has provided a detailed analysis of the malware’s code as part of the original blog post.
Should you be worried
Windows gamers who have recently downloaded speed-boosting or other gaming optimization applications from potentially suspicious sources could be inadvertently exposing themselves to the virus. Winos4.0 may be harboring a virus. Since modern malware is stealthier than older malware types, it’s particularly difficult to detect. Fortunately, the Fortinet blog details indicators of compromise (IOCs) so you know what to look for.
However, if you’ve been infected, a step-by-step removal method hasn’t been disseminated yet. Not surprisingly, however, Fortinet’s antivirus software has implemented protection against Winos 4.0 for its users.