Taiwan Businesses Targeted by Winos 4.0 Malware

malicious emails, National Taxation Bureau, Ophtek, Phishing, Silver Fox, Taiwan, Win 4.0, , , , , , ,
01
Apr 2025

A recent cyberattack has targeted Taiwanese companies using phishing emails which appear to be from Taiwan’s National Taxation Bureau.

In this attack, cybercriminals sent phishing emails to businesses in Taiwan, pretending to be officials from the National Taxation Bureau. These emails contained malicious attachments designed to infect victims’ computers with malware. The threat actors’ aim was to steal sensitive information and gain unauthorized access to IT infrastructures, enabling the attackers to have easy access to secure data.

How Did the Winos Attack Unfold?

The threat actors created emails which, at a quick glance, appeared official and claimed to provide a list of companies scheduled for tax inspections. The recipients were urged to download a zip file containing this list. However, contained within this ZIP file was a dangerous DLL file named lastbld2Base.dll. Once this file was activated, it set in motion a series of malicious actions – the most prominent of which was to download the Winos 4.0 malware. Winos 4.0 allowed the threat actors to take screenshots, record keystrokes, and remotely execute commands on the infected devices.

Once installed, Winos 4.0 gave the attackers deep access to the compromised systems. This access made the malware a powerful tool for carrying out espionage, especially given that the main targets appeared to be corporate businesses. These types of targets allowed the threat actors to gain access to huge amounts of personal data, rather than targeting individuals one at a time to harvest such data.

Security researchers believe that a hacking group known as Silver Fox are the perpetrators behind the attack. Silver Fox has a history of targeting Chinese-speaking users and has previously been observed using fake software installers and malicious game optimization apps to deceive victims.

Protecting Yourself from Such Attacks

This incident is further evidence that phishing campaigns are becoming more deceptive and underlining the importance of social engineering tactics for hackers. Many people glance over their emails quickly and, if they see an official and trusted government logo, the chances are that they’ll believe it’s genuine. However, it’s important that you and your employees stay safe, so make sure you practice the following:

  • Be Careful with Email Attachments: Always double check the authenticity of and email before downloading or opening email attachments, especially if they are unexpected or urge you to perform a specific action. If an email claims, for example, to be from a government agency, visit the official website to confirm its legitimacy before opening any attachments.
  • Keep Software Updated: Regularly updating your operating system and security software is crucial for protecting your PCs against known vulnerabilities. Many cyberattacks take advantage of outdated software with numerous vulnerabilities, so keeping your system up to date should be a priority at all times.
  • Educate Employees: Ensuring that your staff can recognize phishing attempts is crucial in 2025, as is carrying out safe email practices to prevent accidental exposure to malware or malicious links. Implementing cybersecurity awareness programs should be a priority for your IT inductions. Regular refresher courses should also be to help consolidate this learning.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More

Malware Cluster Bombs: A New Threat

anti-malware tools, anti-virus software, Cluster Bombs, compressed cabinet files, KrakenLabs, malicious emails, malware, Ophtek, Phishing, software updates, Unfurling Hemlock, WEXTRACT.EXE, , , , , , , , , , ,
06
Aug 2024

A malware infection is always bad news but imagine being infected with multiple strains at once. Welcome to the new threat of malware cluster bombs.

Researchers at the cybersecurity firm KrakenLabs have revealed the dangers of a new malware technique launched by Unfurling Hemlock, a new threat actor group. Their malware cluster bombs have been verified as active in at least 10 countries, but most Unfurling Hemlock’s targets have been US-based. This attack has also been active for some time, with evidence of the earliest infections going back to February 2023.

The mere concept of malware cluster bombs is enough to worry any IT professional, so that’s why we’re going to delve a bit deeper and discuss how you can keep your IT systems safe.

Understanding Unfurling Hemlock’s Attack

This new attack starts, as with many malware attacks, through malicious emails or malware loaders. It would appear, perhaps to cover their own tracks, Unfurling Hemlock are paying other hackers to distribute their malware. The initial attack is focused around a malicious file named WEXTRACT.EXE. Within this executable is a collection of compressed cabinet files, each of which contains a strain of malware.

The final part of the attack comes when all of the malicious files have been extracted and are executed in reverse order. Each cluster bomb is believed to contain multiple strains of malware, so while the number is varied, the impact is always significant. Among these malware strains are a cocktail of different attacks, with botnets, backdoors, and info stealers all detected so far. Unfurling Hemlock’s ultimate aim, aside from causing digital chaos, is unknown, but KrakenLabs believe the threat actor may be harvesting sensitive data to sell.

The malware cluster bomb approach is innovative and effective for two reasons: the opportunities for monetization are increased and the multiple strains in use mean that persistence is enhanced. Ultimately, dropping ten strains of malware onto one device is more likely to provide opportunities for threat actors than a single strain.

Staying Safe from Malware Cluster Bombs

It’s clear that malware cluster bombs represent a serious threat to your IT infrastructure, and that’s why you need to keep your defenses secure. You can put this into action by following these best practices:

  • Regular Software Updates: ensure that all software, including operating systems and applications, is regularly updated and patched. Automated patch management tools can help make this easier, and Windows allows you to set automatic updates for Microsoft apps. Regular updates protect against known vulnerabilities and exploits which malicious actors often target with malicious files.
  • Antivirus and Anti-malware Solutions: always use reputable antivirus and anti-malware software across your network. These tools should be regularly updated to recognize and handle the latest threats. High-level security solutions will provide real-time protection, scanning, and removal of malicious files. This is conducted by regular scans and monitoring to ensure potential threats are detected and dealt with promptly.
  • Employee Education: carry out regular training sessions for employees to recognize phishing attempts, suspicious emails, and other potential threats. Training should include best practices for safe internet use, identifying social engineering tactics, and reporting suspicious activities. Your employees are your first line of defense, so it’s crucial you reduce the likelihood of attacks due to human error.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More

SPF, DKIM, & DMARC: Understanding Email Authentication

cyber attacks, Domain keys Identified Mail (DKIM), Domain-based Message Authentication, reporting & Conformance (DMARC), email authentication, malicious emails, Ophtek, Sender Policy Framework (SPF), social engineering, Spica attack, , , , , , ,
30
Apr 2024

Authentication is crucial when it comes to tackling cybersecurity threats, and this is especially true when it comes to sending and receiving emails.

Many of today’s cybersecurity threats are delivered via email, such as the recent Spica attack. This can make people wary of emails landing in their inbox. But email represents a vital communication channel for businesses. Therefore, if you’re sending an email, you need to make sure that the recipients know it’s trustworthy.

One of the simplest ways to authenticate your emails is to use methods such as SPF, DKIM, and DMARC. You may not be familiar with these tools, but they can act as a stamp of approval that any emails you send are genuine. And it’s time to learn more about them.

Why Do You Need Email Authentication?

The threat of malware delivery over email is well known, with techniques such as social engineering and malicious links/files being prevalent in the digital landscape. Naturally, the last thing your stakeholders need is the threat of having their IT systems compromised. So, it’s important you can email safely and effectively.

The main benefit, of course, is that your stakeholders are less likely to fall victim to malware attacks. However, there are additional benefits. By implementing email authentication, you are actively building trust with your customers and partners. If you can prove your emails are genuine, the recipients are more likely to open them. Furthermore, email authentication ensures your emails are less likely to be labelled as spam, and this reduces the risk of them being redirected to junk folders.

The Principles of SPF, DKIM, & DMARC

The three main tools for authenticating emails ae SPF, DKIM, and DMARC. Combining these three protocols together delivers a strong level of authentication and ensures your emails are read rather deleted. But what are they?

  • Sender Policy Framework (SPF): this tool eliminates the likelihood of email spoofing being used to impersonate the sender’s IP address. SPF records are published and can be verified by receiving systems to confirm an email is genuine. Once an email server cross references this SPF record against your IP address, it will deliver the email if it matches.
  • Domain keys Identified Mail (DKIM): acting as a digital signature to outgoing emails, DKIM provides a further layer of email authentication. This signature comprises an encrypted key pair, one stored publicly in your domain name system (DNS) and one stored privately. With this digital signature attached to an email, a recipient’s server can authenticate the private key against the public one stored in your DNS. This minimizes the risk of spoof emails and maximizes email security.
  • Domain-based Message Authentication, Reporting & Conformance (DMARC): working alongside SPF and DKIM, DMARC acts not only as a form of email authentication but also as a reporting system. DMARC allows domain owners to dictate how recipients should handle emails which have failed SPF and DKIM checks. This is governed by policies laid out in the DMARC DNS record.

Authenticate Your Emails

SPF, DKIM, and DMARC are all vital for mitigating the risks associated with malicious emails and the resulting impact on IT infrastructures. By implementing these three protocols, you are maximizing the efficiency of your email communications and fostering trust with your key stakeholders.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More