Full Report
A new campaign is targeting companies in Taiwan with malware known as Winos 4.0 as part of phishing emails masquerading as the country's National Taxation Bureau. The campaign, detected last month by Fortinet FortiGuard Labs, marks a departure from previous attack chains that have leveraged malicious game-related applications. "The sender claimed that the malicious file attached was a list of
Analysis Summary
# Threat Actor: Silver Fox (Void Arachne)
## Attribution & Identity
The intrusion set distributing the Winos 4.0 malware is assigned the monikers **Void Arachne** and **Silver Fox**. This actor/toolset leverages or overlaps with the **Winos 4.0** Remote Access Trojan (RAT), which itself appears to be a variant of **Gh0st RAT**, open-source malware originating from China (2008). Winos was commonly used in 2023 and 2024, while the related **ValleyRAT** is currently more commonly used, indicating an evolving toolset derived from the same source.
## Activity Summary
Recent activities include:
1. A campaign targeting companies in **Taiwan** using phishing emails impersonating the National Taxation Bureau.
2. Previous campaigns utilized malicious game-related applications.
3. A current campaign linked to Silver Fox APT is leveraging trojanized versions of **Philips DICOM viewers** to deploy ValleyRAT, followed by keyloggers and cryptocurrency miners.
## Tactics, Techniques & Procedures
- **Initial Access:** Phishing emails impersonating official government entities (e.g., National Taxation Bureau, Ministry of Finance).
- **Execution:** The attachment is disguised as an official document and contains a malicious DLL ("lastbld2Base.dll") that executes shellcode downloaders.
- **Defense Evasion:** Use of a vulnerable version of the **TrueSight driver** to disable antivirus software.
- **Persistence/Lateral Movement:** Use of an **MSI installer package** that executes the **CleverSoar installer**.
- **Post-Exploitation Components:** Deployment of malware families and specific modules including Winos 4.0, ValleyRAT, keyloggers, and cryptocurrency miners.
- **Environment Check:** The CleverSoar installer checks user language settings; it terminates if the language is not set to **Chinese or Vietnamese**.
Further TTPs observed via Winos 4.0:
- Taking screenshots.
- Keystroke logging.
- Altering clipboard content.
- Monitoring connected USB devices.
- Executing sensitive actions (e.g., launching cmd.exe) while security prompts from Kingsoft Security or Huorong are displayed.
- Downloading an online module (via CleverSoar) capable of capturing screenshots of WeChat and online banks.
## Targeting
- Sectors: Healthcare (linked via DICOM viewer lures), Finance/Enterprise (Taxation Bureau lures).
- Geography: Primarily targets victims whose language settings are **Chinese or Vietnamese**. Recent activity focused on **Taiwan**.
- Victims: Enterprises scheduled for tax inspection; organizations using Philips DICOM viewers (healthcare sector).
## Tools & Infrastructure
- **Malware families used:** Winos 4.0, ValleyRAT, CleverSoar installer, Nidhogg rootkit (dropped alongside Winos 4.0 via CleverSoar).
- **Infrastructure (C2/Delivery):** Remote server observed delivering Winos 4.0 module: hxxp://206.238.221[.]60.
- **Delivery Methods:** Phishing attachments (ZIP containing DLL), trojanized software (gaming applications, Philips DICOM viewers), drive-by download schemes.
## Implications
Silver Fox/Void Arachne is an established threat actor group utilizing highly customized and evolving malware tooling derived from the Gh0st RAT source code. Their current shift to trojanizing widely used software (DICOM viewers) alongside sophisticated social engineering (tax impersonation) indicates a focused and resourceful approach. The inclusion of defense evasion techniques (disabling AV via a vulnerable driver) and anti-analysis checks (language verification) suggests a high level of operational security aimed at remaining undetected within their primary target regions.
## Mitigations
- Implement strict email filtering and train employees to verify requests originating from government agencies, especially those demanding the review of sensitive attachment lists (e.g., tax inspection).
- Monitor for and block network connections to known C2 infrastructure (e.g., 206.238.221[.]60).
- Investigate and patch/update systems utilizing vulnerable drivers such as the **TrueSight driver** variants often exploited for AV/EDR disabling.
- Deploy endpoint solutions capable of detecting suspicious module loading triggered by DLL side-loading (implied by the "lastbld2Base.dll" execution chain).
- Implement robust application allow-listing policies, particularly concerning MSI installers behaving suspiciously or executing secondary payloads like CleverSoar.
- Review security tools (Kingsoft Security and Huorong) configurations for unexpected execution attempts or security prompt bypasses.
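As an added example (not from the report or any vendor's tooling), the following triage script turns three of the mitigations above into detection rules and runs them over constructed endpoint and network events: the "lastbld2Base.dll" load from a user-writable path, contact with the listed C2 address, and msiexec launching a secondary binary outside the system directories. The event schema, file paths and sample values are assumptions for illustration.

```python
# Indicators quoted in the report above (C2 IP re-fanged for matching).
C2_IP = "206.238.221.60"
SIDELOADED_DLL = "lastbld2base.dll"
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

def detect(event: dict) -> list:
    """Return the detection names that a single event triggers."""
    hits = []
    kind = event.get("type")
    image = event.get("image", "").lower()
    if kind == "image_load":
        # Side-loading lead: the named DLL loaded from outside the system directories.
        if image.endswith("\\" + SIDELOADED_DLL) and not image.startswith(SYSTEM_DIRS):
            hits.append("winos_dll_sideload")
    elif kind == "network":
        if event.get("dst_ip") == C2_IP:
            hits.append("winos_c2_contact")
    elif kind == "process_create":
        parent = event.get("parent_image", "").lower()
        # Low-confidence lead: msiexec launching a binary outside System32/SysWOW64
        # (legitimate installers do this too; tune per environment before alerting).
        if parent.endswith("\\msiexec.exe") and not image.startswith(SYSTEM_DIRS):
            hits.append("msi_secondary_payload")
    return hits

def triage(events):
    """Return (event id, detections) for every event that triggered at least one rule."""
    out = []
    for ev in events:
        hits = detect(ev)
        if hits:
            out.append((ev["id"], hits))
    return out

# Constructed sample telemetry (not from the report); paths and file names are hypothetical.
SAMPLE_EVENTS = [
    {"id": 1, "type": "image_load", "image": r"C:\Users\u\Downloads\tax\lastbld2Base.dll"},
    {"id": 2, "type": "image_load", "image": r"C:\Windows\System32\kernel32.dll"},
    {"id": 3, "type": "network", "dst_ip": "206.238.221.60", "dst_port": 80},
    {"id": 4, "type": "network", "dst_ip": "192.0.2.10", "dst_port": 443},
    {"id": 5, "type": "process_create", "parent_image": r"C:\Windows\System32\msiexec.exe",
     "image": r"C:\Users\u\AppData\Local\Temp\setup.exe"},
]

if __name__ == "__main__":
    for event_id, hits in triage(SAMPLE_EVENTS):
        print(event_id, ", ".join(hits))
```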