A new information stealer has been found to leverage Lua bytecode for stealth and sophistication, McAfee Labs research reveals.
The cybersecurity company assesses it to be a variant of a known malware called RedLine Stealer, because the IP address of its command-and-control (C2) server was previously identified as being associated with that malware.
First documented in March 2020, RedLine Stealer is typically delivered directly via email and malvertising campaigns, or via exploit kits and loader malware such as dotRunpeX and HijackLoader.
This off-the-shelf malware can collect information such as saved credentials, autocomplete data, credit card information, and location information derived from the victim's IP address, harvesting it from cryptocurrency wallets, VPN software, and web browsers.
Over the years, RedLine Stealer has been incorporated into attack chains by multiple threat actors and is prevalent across North and South America, Europe, Asia, and Australia.
The infection sequence identified by McAfee abuses GitHub, using two of Microsoft's official repositories, the C++ Standard Library (STL) implementation and vcpkg, to host the malware-laden payload in the form of a ZIP archive.
Although it is currently unknown how the files were uploaded to the repositories, the technique shows that threat actors are weaponizing the trust placed in well-known repositories to distribute malware. The ZIP files are no longer available for download from the Microsoft repositories.
The ZIP archives ('Cheat.Lab.2.7.2.zip' and 'Cheater.Pro.1.6.0.zip') are disguised as game cheats, indicating that gamers are likely targets of the campaign. Each comes with an MSI installer designed to execute malicious Lua bytecode.
“This approach has the advantage of obfuscating malicious attacks and avoiding the use of easily recognizable scripts such as wscript, JScript, and PowerShell scripts, which enhances threat actors' stealth and evasion capabilities,” researchers Mohansundaram M. and Neil Tyagi said.
In an attempt to propagate the malware to other systems, the MSI installer prompts the victim to share the program with a friend in order to obtain an unlocked version of the software.
The executable “compiler.exe” inside the installer runs the Lua bytecode embedded in the “readme.txt” file from the ZIP archive. The bytecode then establishes persistence on the host using a scheduled task, drops a CMD file, and runs a copy of “compiler.exe” under a different name, “NzUw.exe”.
In the final stage, 'NzUw.exe' initiates HTTP communication with a command-and-control (C2) server whose IP address is attributed to RedLine.
The malware acts like a backdoor, performing tasks retrieved from the C2 server (such as taking screenshots) and exfiltrating the results back to the server.
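The chain above hinges on Lua bytecode hidden inside a file named “readme.txt”. One check a defender can apply to incoming archives is to look for the Lua precompiled-chunk signature (ESC followed by the ASCII letters “Lua”, as defined in lua.h, with the next byte giving the interpreter version) in files whose extension says they are something else. The following Python is an added example written for this article, not McAfee's tooling or code from the campaign; the member names mirror the ones reported, but the archive and its contents are constructed here for illustration.

```python
import io
import zipfile

# Lua's precompiled-chunk signature from lua.h: ESC followed by "Lua".
# The byte after it encodes the interpreter version (0x51 = 5.1 ... 0x54 = 5.4).
LUA_SIGNATURE = b"\x1bLua"
LUA_VERSIONS = {0x51: "5.1", 0x52: "5.2", 0x53: "5.3", 0x54: "5.4"}


def classify_lua_chunk(data: bytes):
    """Return the Lua version string if `data` starts with a precompiled-chunk header, else None."""
    if len(data) < len(LUA_SIGNATURE) + 1 or not data.startswith(LUA_SIGNATURE):
        return None
    return LUA_VERSIONS.get(data[len(LUA_SIGNATURE)], "unknown")


def scan_zip_for_disguised_lua(zip_bytes: bytes):
    """Return (member name, Lua version) pairs for members that carry Lua bytecode
    but do not have a .lua/.luac extension, i.e. bytecode hidden under a benign-looking name."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(8)  # the header sits in the first bytes; no need to read the whole member
            version = classify_lua_chunk(head)
            if version is None:
                continue
            if not info.filename.lower().endswith((".lua", ".luac")):
                findings.append((info.filename, version))
    return findings


def build_sample_archive() -> bytes:
    """Construct an in-memory ZIP that mimics the layout described in the report.
    File names follow the article; the contents are made up for this example."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # A Lua 5.4 chunk header followed by filler bytes, stored under a .txt name.
        zf.writestr("readme.txt", LUA_SIGNATURE + bytes([0x54]) + b"\x00" * 32)
        # A genuinely plain text file for contrast.
        zf.writestr("install_notes.txt", b"Run the installer and restart the game.\n")
        # Bytecode with an honest .luac extension is not reported as disguised.
        zf.writestr("scripts/init.luac", LUA_SIGNATURE + bytes([0x53]) + b"\x00" * 32)
    return buf.getvalue()


if __name__ == "__main__":
    for name, version in scan_zip_for_disguised_lua(build_sample_archive()):
        print(f"suspicious: {name} carries Lua {version} bytecode under a non-Lua extension")
```

Reading only the first eight bytes of each member keeps the scan cheap on large archives; the same signature check can be applied to files dropped on disk, or to e-mail attachments, wherever an archive-inspection hook already exists.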
The exact method by which links to ZIP archives are distributed is currently unknown. Earlier this month, Checkmarx revealed how threat actors are using GitHub's search functionality to trick unsuspecting users into downloading repositories containing malware.
The development comes as Recorded Future detailed a Russian-language cybercrime operation that targets gaming communities and uses fake Web3 gaming lures to distribute malware capable of stealing sensitive information from macOS and Windows users, a technique known as trap-phishing.
“This campaign involves the creation of copycat Web3 game projects with slightly changed names and branding to appear authentic, as well as the creation of fake social media accounts to enhance their authenticity,” Insikt Group said.
“The main webpages of these projects offer downloads that, when installed, will infect your device with various types of ‘infostealer’ malware, including Atomic macOS Stealer (AMOS), Stealc, Rhadamanthys, and RisePro, depending on your operating system.”
It also follows a wave of malware campaigns targeting enterprise environments using new loaders called PikaBot and NewBot Loader.
“The attackers demonstrated different techniques and infection vectors in each campaign to deliver PikaBot payloads,” McAfee said.
These include phishing attacks that rely on email conversation hijacking and exploit a flaw in Microsoft Outlook called MonikerLink (CVE-2024-21413) to trick victims into downloading malware from SMB shares.