
Attack Chain | Image: FortiGuard Labs
FortiGuard Labs has reported a new wave of cyberattacks targeting companies in Taiwan, utilizing the Winos 4.0 malware framework. This sophisticated malware is being spread through phishing emails impersonating Taiwan’s National Taxation Bureau. The emails falsely claim to contain a list of enterprises scheduled for tax inspection, prompting recipients to download a malicious attachment.
This campaign, observed in January 2025, marks a shift in Winos 4.0’s distribution tactics. Previous reports from November 2024 indicated that the malware was primarily spread through gaming-related applications. The current campaign employs social engineering techniques to deceive users into downloading and executing malicious files disguised as official documents.
The phishing emails, purporting to be from the National Taxation Bureau, instruct recipients to forward the attached “list of enterprises” to their company’s treasurer. The attachment is a ZIP file containing a series of malicious files that initiate the infection chain.
Once executed, the malware establishes persistence, disables security features, and downloads additional modules from its command-and-control server. It also employs anti-sandbox techniques to evade detection and analysis.
“For the anti-sandbox function, it takes two screenshots within a two-second interval. If there are more than 20,000 different pixels in the second screenshot, which means a user is active on the computer, it performs its remaining tasks,” the report states.
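The screenshot-diff decision quoted above, modelled on constructed pixel grids as an added example (not FortiGuard's or the malware's code) so a sandbox operator can see why an idle analysis VM fails the check and how injected on-screen activity changes the outcome. Only the two-capture, 20,000-pixel rule comes from the report; the frame size, colours and the `simulate_activity` countermeasure are assumptions.

```python
from typing import List

# A frame is a grid of packed RGB ints: a constructed stand-in for a screenshot.
Frame = List[List[int]]
PIXEL_THRESHOLD = 20_000  # threshold quoted in the FortiGuard report


def make_frame(width: int, height: int, color: int = 0x1E1E1E) -> Frame:
    """Constructed static desktop: every pixel the same colour (assumed)."""
    return [[color] * width for _ in range(height)]


def differing_pixels(a: Frame, b: Frame) -> int:
    """Count pixels that differ between two captures of equal size."""
    if len(a) != len(b) or any(len(r1) != len(r2) for r1, r2 in zip(a, b)):
        raise ValueError("frames must have identical dimensions")
    return sum(p != q for r1, r2 in zip(a, b) for p, q in zip(r1, r2))


def user_appears_active(first: Frame, second: Frame,
                        threshold: int = PIXEL_THRESHOLD) -> bool:
    """The report's rule: proceed only if more than `threshold` pixels changed
    between the two captures taken two seconds apart."""
    return differing_pixels(first, second) > threshold


def simulate_activity(frame: Frame, x: int, y: int, size: int,
                      color: int = 0xFFFFFF) -> Frame:
    """Hypothetical sandbox countermeasure: repaint a size x size block
    (a moved window or cursor) so that consecutive captures differ."""
    out = [row[:] for row in frame]
    for yy in range(y, min(y + size, len(out))):
        for xx in range(x, min(x + size, len(out[yy]))):
            out[yy][xx] = color
    return out


def idle_sandbox_detected(width: int = 1280, height: int = 720) -> bool:
    """An analysis VM where nothing moves: the check reports no user."""
    a = make_frame(width, height)
    b = make_frame(width, height)  # identical second capture
    return not user_appears_active(a, b)


def activity_injection_defeats_check(width: int = 1280, height: int = 720,
                                     block: int = 160) -> bool:
    """Repainting a block of block*block pixels between captures; 160x160
    changes 25,600 pixels, which exceeds the 20,000 threshold."""
    a = make_frame(width, height)
    b = simulate_activity(a, 100, 100, block)
    return user_appears_active(a, b)
```

A block smaller than roughly 142x142 pixels stays under the threshold, so a sandbox that only nudges the cursor a few pixels would still look idle.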
Winos 4.0 is a highly modular malware framework capable of performing various malicious activities, including:
- Keylogging
- Clipboard hijacking
- USB device monitoring
- Screenshot capture
- UAC bypass
- Anti-virus evasion
Organizations and individuals are urged to exercise caution when handling emails, especially those containing attachments or links. It is crucial to verify the sender’s identity and scrutinize email content before interacting with any attachments or links.
FortiGuard Labs’ report provides detailed technical analysis of the Winos 4.0 malware and its attack chain. This information can help organizations and security professionals better understand the threat and take appropriate measures to protect their systems and data.