Behind the Great Wall: Void Arachne Targets Chinese-Speaking Users With the Winos 4.0 C&C Framework

June 19, 2024, 12:10 p.m.

Description

Trend Micro recently identified a threat actor group it calls Void Arachne that targets Chinese-speaking users with malicious Windows Installer (MSI) files. The installers bundle legitimate software with payloads for the Winos 4.0 command-and-control (C&C) framework, so the Winos backdoor is installed alongside the application the victim expected. The campaign also promotes trojanised installers for nudifiers, deepfake pornography generators, and AI voice and facial technologies, and distributes them through SEO poisoning, social media, and messaging platforms. A completed install leaves the operators with a Winos backdoor on the host and the ability to compromise the system fully. Void Arachne capitalises on heightened public interest in software that circumvents China's Great Firewall and online censorship.

Date

Published: June 19, 2024, 11:37 a.m.

Created: June 19, 2024, 11:37 a.m.

Modified: June 19, 2024, 12:10 p.m.

Indicators

fbc23b84b2c83e99ab1c5cb7075bd5d26b55dde4afc06eddc0471c6d6b2cc5f2

fae4f96beda54a1ed4914537b0542182d3a020dd9db9d9995df37d303b88e6df

ecf5394d78392b11daec1016c6b447f9da7eae69f7702ecf8c4d1d3f69e3fe64

d2e15264c786917a6cb194bf0cf586a69b8678c6d4d4c87cc14082d7b76fe0b2

c61c8ded2a9481c2e50b4872c8f7bcd8ecc33997a6004e62aa06b60742f54e57

b71e6c4ff7c910dd666f442e98597f90bd2eb3fce4c8889af0ecc694f282bf64

bc01cf528086de6a1b231dee01c1624cf58911b171904bf7a6b08ddfba661d83

b396bfd7bec043cf402e04fa810983c93c79d1a632fd4558098e68eb144abb17

976837663b25f793470f24925198b06e79a72ede014a84ba62311fadede5062f

b022e0f0b2ae9e27847cfc909bfcdbc89a732fcdde6e473443aaab2592a84910

827ed4f36ea7032395bfa35da54c6e9d06d6633aa7396792e8511adf366c1fcc

7ed8c7ea5e2feeadb1966f53c48ab3a580f53a4d20725031d764db7e962607a9

7a3841a5315c01df299d8844b62dc150b1c3e5b5ebe7547c1a211349879659af

78f86c3581ae893e17873e857aff0f0a82dcaed192ad82cd40ad269372366590

768881a43d2ffd9701bf2e241a1d59d8a0c116cf20e27a632a8b087bb81de409

77c77e728b98a923bb057943d0b5765b79106c0378d72814cb3db69749abaebb

6f923b94a614e61cbde73c5b09036b9482f3770c02161ecb0875dbb56bc65843

6f5574d00ffce206525835f72ac083692a183e69114f1551b7ecb99dec3d1d19

6ece1e12d50ade02bf424007a9b70b4a14580244a9a1f5cd32c0a129ec069d6e

6ce947e21128687ed37f247e297f29609251deed934b7b5722d27f4a1f72a90e

65ac9f036b1d8a02e4c9041eeafc230562088e57f2535bd194e8bf592e62cb06

61d73a8920c41483d0832c9a5c5bc9f57ac5f71146a98faefc0cb4d988e77bab

61981a0324586ad83e6cb7015df91a6e4887537ad36a4674be82cb3cfcf5b18b

616c7270a21ecc9ccd880e04563343e9ac53cce88a77244388dbb1fc7bfa4360

5f7e00017b16db29fa7cba60993d7af909ef41d3fe9d3f7ca9f693c1f7ef6d37

5abc2006c7a3a27e033075ba881a668aba5e70797677ed2220f7ab9fb36fc927

5759fc938f228579fc5e64e74cee083581a975d4054deb715c0f371b66b96263

5684fc4f33c168519b2fdcae59cc3be2e6db1f0b0f3718524ef57e0e7423f59d

49120dfcef430df1c90c9c370b92b969c876b9b4327d81eae720cd71fcd75b87

538382dc7a7839f125ffe08a854512b78fc4a657697227e53f832ae566ca2505

47dfa891fc347187ba4ac161980a7e7c47cf656ddbf7b269a74c32a5a1365d4e

4791c23aff8a09061b76a05bb88ee37149995584a87aade236ea4eebab79ed1c

436499efe94c7a1bfefaa84c52f8187bffb3d4d1a49de1cbc8885e7807d11b42

409e09ac0fcf7d39044ef0b3eb798aea6dc0650e5214056760694c1340fc8488

3ac0afec0ce29b69d57c54663c6e4fa6fee703696069cb5b8f00783b5504cf80

2d1904dfc5a555b8bfdd4fa2db46d532e19479fd99affb169449ff2a2a4b459a

2962bb303b949e4a0826c723ee4aee2df8cb0806653a8ca6daaa67fd06f37e6f

2066dd040fe020ca32e5ebfeeb4fa75094d3ac43155c83fe222f380d4940df42

202c378deb628a8104a1dd957bbd70b945beea8e11d55b9ce3e4787fbe496797

186bf42bf48dc74ef12e369ca533422ce30a85791b6732016de079192f4aac5f

16d3c176ca94c84b60e26981231bf59ebe75057ac10dd6f583ce65a3bed11dd0

03669424bdf8241a7ef7f8982cc3d0cf56280a5804f042961f3c6a111252ffd3

11a96c107b8d4254722a35ab9a4d25974819de1ce8aa212e12cae39354929d5f

023822a8ad26f2d7330a2afa310ccf943058f2765b7cbc6975c51c144739b55f

103.214.147.14
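The indicators above are file hashes and one C&C address, which is exactly what a responder needs for a quick sweep. The following Python script is an added example written for this page; it is not Trend Micro's code or anything from the original report. It parses a pasted indicator block (SHA-256 hashes and IPv4 addresses, ignoring malformed tokens), hashes every file under a directory, and checks log lines for the listed C&C address. The INDICATOR_TEXT excerpt holds a few of the page's indicators (paste the full block in practice); the sample file and log lines in demo() are constructed for the demonstration and are not real Winos artefacts.

```python
"""IOC sweep for the Void Arachne / Winos 4.0 indicators on this page.

Added example, not Trend Micro code. Sample file contents and log lines
in demo() are constructed; the hashes and IP in INDICATOR_TEXT come from
the page's indicator list.
"""
import hashlib
import ipaddress
import re
import tempfile
from pathlib import Path

# Short excerpt of the page's indicator list; paste the whole block here.
INDICATOR_TEXT = """
fbc23b84b2c83e99ab1c5cb7075bd5d26b55dde4afc06eddc0471c6d6b2cc5f2
fae4f96beda54a1ed4914537b0542182d3a020dd9db9d9995df37d303b88e6df
103.214.147.14
"""

SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_indicators(text):
    """Return (set of lowercase SHA-256 hex digests, set of valid IPv4 strings)."""
    hashes = {h.lower() for h in SHA256_RE.findall(text)}
    ips = set()
    for cand in IPV4_RE.findall(text):
        try:
            ips.add(str(ipaddress.IPv4Address(cand)))
        except ValueError:
            pass  # e.g. "999.1.1.1" or a version number that matched the regex
    return hashes, ips


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large installers do not sit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep_directory(root, hashes):
    """Return {path: sha256} for every file under root whose hash is an IOC."""
    hits = {}
    for p in Path(root).rglob("*"):
        if p.is_file():
            digest = sha256_file(p)
            if digest in hashes:
                hits[str(p)] = digest
    return hits


def find_ip_hits(lines, ips):
    """Return (line_number, ip) for log lines that mention a listed C&C address."""
    hits = []
    for n, line in enumerate(lines, 1):
        for cand in IPV4_RE.findall(line):
            if cand in ips:
                hits.append((n, cand))
    return hits


def demo():
    """Run the sweep on constructed data and return the results for checking."""
    hashes, ips = parse_indicators(INDICATOR_TEXT)
    # Constructed sample: its hash is added to the IOC set so the match path
    # is exercised without embedding a real malicious file.
    sample = b"not a real Winos payload, constructed for this demo\n"
    sample_hash = hashlib.sha256(sample).hexdigest()
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "setup.msi").write_bytes(sample)
        (Path(tmp) / "readme.txt").write_bytes(b"benign\n")
        file_hits = sweep_directory(tmp, hashes | {sample_hash})
    # Constructed firewall log lines: the first one reaches the listed C&C IP.
    log = [
        "2024-06-19 10:01:02 ALLOW TCP 10.0.0.5:51234 -> 103.214.147.14:443",
        "2024-06-19 10:01:05 ALLOW TCP 10.0.0.5:51235 -> 142.250.72.14:443",
    ]
    ip_hits = find_ip_hits(log, ips)
    return hashes, ips, file_hits, ip_hits


if __name__ == "__main__":
    hashes, ips, file_hits, ip_hits = demo()
    print(f"loaded {len(hashes)} hashes and {len(ips)} IPs")
    print("file hits:", file_hits)
    print("log hits:", ip_hits)
```

Point sweep_directory() at download folders, %TEMP% and the Windows Installer cache (C:\Windows\Installer) on a suspect host; a hit on the bundled MSI identifies the installer, while the IP check against proxy or firewall logs shows whether the backdoor has already called home.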

Attack Patterns

Winos

Void Arachne

T1608 (Stage Capabilities)

T1566.002 (Phishing: Spearphishing Link)

CVE-2024-21412 (Internet Shortcut Files security feature bypass, Windows SmartScreen)

Additional Information

China