Date: 11/07/2024
Severity: Medium
Summary
A threat campaign is distributing the Winos4.0 malware through a popular game application. Once installed, the malware compromises the user's system, exploiting vulnerabilities to gain unauthorized access. The campaign specifically targets gamers, embedding the malware in game-related files or software updates to evade detection. Infection can lead to data theft, system instability, or further malicious activity.
Indicators of Compromise (IOC) List
URL/Domains | ad59t82g.com, http://ad59t82g.com/1/d.bmp, http://ad59t82g.com/1/t2.bmp, http://ad59t82g.com/1/h.bmp, http://ad59t82g.com/1/text.bmp, http://ad59t82g.com/1/lon2.bmp |
IP Address | 202.79.173.4 |
Hash | SHA-256 file hashes (the full list is carried verbatim in Detection Query 3 below) |
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1 | userdomainname like "ad59t82g.com" or url like "ad59t82g.com" or userdomainname like "http://ad59t82g.com/1/d.bmp" or url like "http://ad59t82g.com/1/d.bmp" or userdomainname like "http://ad59t82g.com/1/t2.bmp" or url like "http://ad59t82g.com/1/t2.bmp" or userdomainname like "http://ad59t82g.com/1/h.bmp" or url like "http://ad59t82g.com/1/h.bmp" or userdomainname like "http://ad59t82g.com/1/text.bmp" or url like "http://ad59t82g.com/1/text.bmp" or userdomainname like "http://ad59t82g.com/1/lon2.bmp" or url like "http://ad59t82g.com/1/lon2.bmp" |
Detection Query 2 | dstipaddress IN ("202.79.173.4") or ipaddress IN ("202.79.173.4") or publicipaddress IN ("202.79.173.4") or srcipaddress IN ("202.79.173.4") |
Detection Query 3 | sha256hash IN ("80b1d6411e29e51e54f20f46856d31b28e087e9244693e65d022b680c4ba00ce","284cf31ebb4e7dc827374934ad0726f72e7aaef49cadc6aa59d2a2ff672d3fe8","c9817d415d34ea3ae07094dae818ffe8e3fb1d5bcb13eb0e65fd361b7859eda7","b763d77b7aaa83d6c4a9e749cd3c7638127e755d3dc843b15b6c4afce1f468b5","3fae0495fd0acc7722c2482c0ef3c6ab9ee41acbcaac46a8933c7b36b8896378","f41236ab5ceffc5379fcf444de358cbc6f67beb31d0e0fd3f7ed0f501eb740ff","033965f3063bc2a45e5bd3a57ffce098b9308668d70b9b3063f066df5f3e55dd","1a48347f5fc7c63cc03f30810f961133bd3912caf16ac403e11bc3491117181d","b2a3aaf4eb4deb85462e1ee39c84caf2830091c1bff8014ad13147897b25e24c","bef32532923903b12f04b54dd06ec81661f706c3b1397bc77c45492db3919248","922512203c7b9fa67e8db2f588ff4945f63e20c4bc0aafccdba749a442808ace","dcdbc3b246233befa25b67909a01b835f1875f4047875ef13f1b801cd2da6fcd","8748bb7512f16f8122779171686abe0fa0060f1126298290e240457dc90d0aa7","1354796b44239eef177431584848029161c232401a9580481dbfb5196465250e","04edb6585118d09205ee693a54249ed68ebbf68b3fc3d711d2aa0c815b7b3a23","51c7f320b95a64bcff050da86c7884bb4f89a5d00073d747f0da7345c8a4501f","ff0c28c81cd0afd78f78c79863c9f4c8afd9d3877a213dfc2dbb55360b7d93ab","a27dc6e5aea0c3168117cfde2adb01f73f20881fc6485b768915216c46115064","8f0079a41a262536f502b4b57473effd6ab7955bc2d6e99e0910df18e990a9f6","37104f3b3646f5ffc8c78778ec5fdc924ebb5e5756cb162c0e409d24bedf406d","a30b68ed39c1517d10b747c2fcd7a72cb12dc8f434203243e7c50df0e56d17d0") |
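Added example, not part of the Gurucul advisory or its TDIR product: plain-Python matching that applies the three queries above to constructed log records, so the logic can be checked outside the SIEM. The domain test is anchored on the host name rather than a substring, because an unanchored `like` (assumed to be the platform's semantics) would also flag look-alike hosts; the record field names are those used in the queries, the subdomain handling is an assumption, and only the first SHA-256 from the hash list is embedded.

```python
from urllib.parse import urlsplit

# IOC values taken from the advisory above. Only the first SHA-256 from its hash
# list is embedded; extend IOC_SHA256 with the rest from Detection Query 3.
IOC_DOMAINS = {"ad59t82g.com"}
IOC_IPS = {"202.79.173.4"}
IOC_SHA256 = {"80b1d6411e29e51e54f20f46856d31b28e087e9244693e65d022b680c4ba00ce"}

# Field names as used in the advisory's queries (assumed record layout).
URL_FIELDS = ("userdomainname", "url")
IP_FIELDS = ("dstipaddress", "ipaddress", "publicipaddress", "srcipaddress")


def host_of(value: str) -> str:
    """Reduce a bare domain or a full URL to its lowercase host name."""
    value = value.strip().lower()
    if "://" not in value:
        value = "//" + value  # let urlsplit treat a bare name as the netloc
    return urlsplit(value).hostname or ""


def domain_hit(value: str) -> bool:
    """Match the IOC domain or any subdomain of it (assumed policy), anchored on
    label boundaries so a host that merely contains the string is not flagged."""
    host = host_of(value)
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def match_record(rec: dict) -> list:
    """Return the numbers of the advisory's queries that the record satisfies."""
    hits = []
    if any(domain_hit(rec[f]) for f in URL_FIELDS if rec.get(f)):
        hits.append("1")
    if any(rec[f] in IOC_IPS for f in IP_FIELDS if rec.get(f)):
        hits.append("2")
    if rec.get("sha256hash", "").strip().lower() in IOC_SHA256:
        hits.append("3")
    return hits


# Constructed sample records, not real telemetry.
SAMPLE_LOGS = [
    {"url": "http://ad59t82g.com/1/d.bmp", "srcipaddress": "10.0.0.7"},
    {"userdomainname": "cdn.AD59T82G.com", "dstipaddress": "202.79.173.4"},
    {"sha256hash": "80B1D6411E29E51E54F20F46856D31B28E087E9244693E65D022B680C4BA00CE"},
    {"url": "http://xad59t82g.com/", "dstipaddress": "8.8.8.8"},
]

if __name__ == "__main__":
    for rec in SAMPLE_LOGS:
        print(match_record(rec) or "clean", rec)
```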
Reference:
https://www.fortinet.com/blog/threat-research/threat-campaign-spreads-winos4-through-game-application