Void Arachne exploits Chinese users with malicious VPN MSI files

June 24, 2024
Void Arachne VPN MSI VPN Software Cybercrime

Chinese-speaking consumers are the focus of a recently discovered threat actor group called Void Arachne, which targets them with malicious Windows Installer (MSI) packages that look like VPN software. Security researchers found that the campaign uses these installers to deliver the sophisticated Winos 4.0 command-and-control (C&C) framework.

One of Void Arachne’s tactics is to embed AI voice and facial technologies, along with software that generates deepfake pornography, in compromised MSI files. The group spreads its infection through social media and chat platforms, as well as search engine optimisation (SEO) poisoning techniques. Posing as widely used applications such as Google Chrome, LetsVPN, QuickVPN, and a Telegram language pack for Chinese users, the malware is distributed via backdoored installers, especially on Chinese-themed Telegram channels.

Void Arachne hosts infected ZIP packages, posing risks due to the wide attack surface.

The infected files are often distributed in ZIP archives, and the attackers have set up dedicated infrastructure to host them. For Telegram-based attacks, the installers and archives are hosted directly on the platform, which poses a significant risk because of the wide attack surface.

By manipulating firewall rules, these malicious installers allow the malware to communicate freely over public networks. Once installed, a loader decrypts and runs a second-stage payload in memory, which launches a Visual Basic Script (VBS) that ensures persistence and starts an unidentified batch script. After contacting a remote server, this procedure finally delivers the Winos 4.0 C&C framework.
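As an added example (not part of the original report), the detection logic below runs over constructed Sysmon-style process-creation events and flags a host where the chain described above (MSI install, firewall rule change, VBS launch, batch script) appears in order within a short window. The process names (msiexec.exe, netsh.exe, wscript.exe, cmd.exe), paths and file names are assumptions, since the report does not name them.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Sysmon-style process-creation records, not real telemetry:
# (timestamp, host, parent image, image, command line).
SAMPLE_EVENTS = [
    ("2024-06-20T10:00:01", "WS01", "explorer.exe", "msiexec.exe", "msiexec.exe /i LetsVPN_setup.msi /qn"),
    ("2024-06-20T10:00:09", "WS01", "msiexec.exe", "netsh.exe", "netsh advfirewall firewall add rule name=svc dir=in action=allow program=C:\\ProgramData\\svc\\loader.exe"),
    ("2024-06-20T10:00:15", "WS01", "msiexec.exe", "wscript.exe", "wscript.exe C:\\ProgramData\\svc\\run.vbs"),
    ("2024-06-20T10:00:16", "WS01", "wscript.exe", "cmd.exe", "cmd.exe /c C:\\ProgramData\\svc\\start.bat"),
    ("2024-06-20T11:30:00", "WS02", "explorer.exe", "msiexec.exe", "msiexec.exe /i 7zip.msi /qn"),
]
# The stages of the chain the report describes, in order. Process names are
# assumptions (the report names none); each regex runs over image + command line.
STAGES = [
    ("msi_install", re.compile(r"msiexec\.exe.*\.msi", re.I)),
    ("firewall_rule_change", re.compile(r"netsh\.exe.*advfirewall.*add rule", re.I)),
    ("vbs_persistence", re.compile(r"wscript\.exe.*\.vbs", re.I)),
    ("batch_launch", re.compile(r"cmd\.exe.*\.bat", re.I)),
]
EXPECTED = [label for label, _ in STAGES]

def classify(event):
    """Return the stage label an event matches, or None for unrelated activity."""
    text = f"{event[3]} {event[4]}"
    return next((label for label, rx in STAGES if rx.search(text)), None)

def find_chains(events, window=timedelta(minutes=5)):
    """Map host -> start time for hosts where all four stages occur in order within the window."""
    per_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e[0]):
        label = classify(ev)
        if label:  # keep only stage-relevant events, grouped per host
            per_host[ev[1]].append((datetime.fromisoformat(ev[0]), label))
    hits = {}
    for host, seq in per_host.items():
        for i, (t0, label) in enumerate(seq):
            if label != EXPECTED[0]:
                continue
            seen = [label]
            for t, lab in seq[i + 1:]:
                if t - t0 > window:
                    break
                if len(seen) < len(EXPECTED) and lab == EXPECTED[len(seen)]:
                    seen.append(lab)
            if seen == EXPECTED:  # full chain observed from this MSI install
                hits[host] = t0.isoformat()
                break
    return hits
```

A lone MSI install (WS02 in the sample) produces no hit; only the complete ordered sequence does, which keeps the rule from firing on ordinary software installs.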

Written in C++, Winos 4.0 is a versatile implant with capabilities for remote shell access, file management, disk searches, distributed denial-of-service (DDoS) attacks, camera control, snapshot capture, microphone recording, and keylogging. It has a plugin-based design with 23 dedicated components for 32- and 64-bit systems and can be extended with third-party plugins. It can also clear system logs, download and run additional payloads from a given URL, and identify security software commonly used in China.

The researchers note that the Great Firewall’s strict controls have significantly raised public interest in VPN services in China. This increased interest has in turn drawn the attention of threat actors looking to exploit demand for tools that bypass internet filtering.

Void Arachne’s campaign illustrates this pattern: it exploits users’ need for VPNs to distribute sophisticated malware and infiltrate networks.
