New Threat Actor Group “Void Arachne” Targets Chinese Users with Malicious VPN Installers

New Threat Actor Group "Void Arachne" Targets Chinese Users | CyberPro Magazine

(Source – YouTube)

A new threat activity cluster, codenamed Void Arachne, has been discovered targeting Chinese-speaking users with malicious Windows Installer (MSI) files for virtual private networks (VPNs). Security researchers from Trend Micro, Peter Girnus, Aliakbar Zahravi, and Ahmed Mohamed Ibrahim, unveiled in a recent report that these MSI files distribute a command-and-control (C&C) framework known as Winos 4.0.

Sophisticated Campaign Tactics

The campaign, first identified in early April 2024, involves promoting compromised MSI files embedded with harmful software through SEO poisoning tactics, social media, and messaging platforms. These tactics are used to distribute malware by advertising popular software such as Google Chrome, LetsVPN, QuickVPN, and a Telegram language pack for Simplified Chinese. Alternate attack methods involve backdoored installers propagated via Chinese-language-themed Telegram channels.

Links generated through black hat SEO tactics direct users to infrastructure set up by the adversary, where installers are available as ZIP archives. For Telegram channel attacks, the MSI installers and ZIP archives are hosted directly on the platform. Interestingly, the use of a malicious Chinese language pack poses a significant attack surface. The software promoted includes tools that can generate non-consensual deepfake pornographic videos for sextortion scams, AI technologies for virtual kidnapping, and voice-altering and face-swapping tools.

The installers modify firewall rules to allow traffic associated with the malware, even when connected to public networks. They also drop a loader that decrypts and executes a second-stage payload in memory. This launches a Visual Basic Script (VBS) to establish persistence on the host, execute an unknown batch script, and deliver the Winos 4.0 C&C framework through a stager that communicates with a remote server.

Advanced Capabilities of Winos 4.0

Winos 4.0, written in C++, is a robust tool equipped to perform various malicious activities. These include file management, distributed denial of service (DDoS) attacks using TCP/UDP/ICMP/HTTP, disk searches, webcam control, screenshot capture, microphone recording, keylogging, and remote shell access. The backdoor uses a plugin-based system to achieve these functions through 23 dedicated components, available in both 32- and 64-bit variants. Threat actors can enhance their capabilities with additional plugins as needed.

The core component of Winos 4.0 can detect security software common in China, acting as the main orchestrator for loading plugins, clearing system logs, and downloading and executing additional payloads from specified URLs. This sophistication underscores the threat posed by Void Arachne, as it leverages the heightened interest in VPNs and other software to bypass the Great Firewall of China.

The Great Firewall of China, Explained

Implications and Government Regulation

The People’s Republic of China maintains strict regulation over internet connectivity through legislative measures and technological controls known as the Great Firewall of China. This has increased public interest in VPN services and technologies capable of evading online censorship, which in turn has attracted the attention of threat actors like Void Arachne.

Trend Micro’s researchers emphasize the significant impact of such sophisticated threats, noting the enhanced interest of cybercriminals in exploiting public demand for privacy and freedom from government surveillance. The intricacy and capabilities of Winos 4.0, combined with the deceptive distribution methods, highlight the importance of vigilance and robust cybersecurity measures for users in China and beyond.