New RedLine Stealer variant disguised as game cheats using Lua Bytecode for Stealth


A new information stealer has been discovered that leverages Lua bytecode for added stealth and sophistication, according to findings from McAfee Labs.

The cybersecurity firm assessed it to be a variant of the well-known RedLine Stealer malware, as the IP address of its command-and-control (C2) server had previously been linked to that malware.

RedLine Stealer, first documented in March 2020, is typically distributed via email and malvertising campaigns, either directly or via exploit kits and loader malware such as dotRunpeX and HijackLoader.

The stock malware is capable of harvesting information from cryptocurrency wallets, VPN software, and web browsers, including saved credentials, autocomplete data, credit card details, and geolocation derived from the victim's IP address.

Over the years, RedLine Stealer has been co-opted by several threat actors into their attack chains, making it a prevalent strain in North America, South America, Europe, Asia, and Australia.

The infection sequence identified by McAfee abuses GitHub, using two of Microsoft’s official repositories for its implementation of the C++ Standard Library (STL) and vcpkg to host the malware-laden payload in the form of ZIP archives.


It is currently unknown how the files were uploaded to the repositories, but the technique shows that threat actors are weaponizing the trust placed in reputable repositories to distribute malware. The ZIP files are no longer available for download from the Microsoft repositories.

The ZIP archive (“Cheat.Lab.2.7.2.zip” and “Cheater.Pro.1.6.0.zip”) masquerades as game cheats, indicating that players are likely the target of the campaign. It comes with an MSI installer designed to execute malicious Lua bytecode.

“This approach offers the advantage of obfuscating malicious reports and avoiding the use of easily recognizable scripts such as wscript, JScript or PowerShell, thus improving stealth and evasion capabilities for the threat actor,” said researchers Mohansundaram M. and Neil Tyagi.

In an attempt to spread to other systems, the MSI installer displays a message urging the victim to share the program with friends in order to obtain the unlocked version of the software.

The “compiler.exe” executable bundled with the installer runs the Lua bytecode embedded in the “readme.txt” file shipped in the ZIP archive, establishes persistence on the host via a scheduled task, and drops a CMD file that, in turn, launches a copy of “compiler.exe” under the name “NzUw.exe”.
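The stealth described here relies on the payload not looking like a script: a precompiled Lua chunk hidden in a file named “readme.txt” carries no `.lua`/`.ps1`/`.js` extension and no readable source. One practical check is to ignore the extension entirely and look for the Lua bytecode header. The following is an added example (not McAfee's code or tooling): it scans files for the `\x1bLua` signature that every `luac` output begins with, records the version byte (0x51 through 0x54 for Lua 5.1 to 5.4) and, for 5.3/5.4, the fixed sanity bytes that follow the format byte, and flags any match whose extension suggests it should not contain bytecode. The sample inputs are constructed inline; the allow-listed extensions are an assumption, not something the article specifies.

```python
import os
from typing import Dict, Iterator, List, Optional

# Every precompiled Lua chunk starts with ESC followed by "Lua".
LUA_SIGNATURE = b"\x1bLua"
# Version byte that follows the signature (major << 4 | minor).
KNOWN_VERSIONS = {0x51: "5.1", 0x52: "5.2", 0x53: "5.3", 0x54: "5.4"}
# Lua 5.3 and 5.4 embed these six bytes after the format byte to catch
# text-mode transfers and truncation (LUAC_DATA in lundump.h).
LUAC_DATA = b"\x19\x93\r\n\x1a\n"
# Assumption: extensions where compiled Lua is expected and not suspicious.
EXPECTED_EXTENSIONS = {".lua", ".luac", ".out"}


def parse_lua_header(data: bytes) -> Optional[Dict[str, object]]:
    """Return a description of a Lua bytecode header, or None if absent."""
    if len(data) < 6 or not data.startswith(LUA_SIGNATURE):
        return None
    version, fmt = data[4], data[5]
    info: Dict[str, object] = {
        "version": KNOWN_VERSIONS.get(version, "unknown(0x%02x)" % version),
        "format": fmt,
    }
    if version >= 0x53:
        # Damaged or hand-crafted headers fail this check.
        info["data_ok"] = data[6:12] == LUAC_DATA
    else:
        info["data_ok"] = True  # 5.1/5.2 carry no LUAC_DATA marker
    return info


def inspect_blob(name: str, data: bytes) -> Optional[Dict[str, object]]:
    """Flag a blob that is Lua bytecode under a non-Lua extension."""
    header = parse_lua_header(data)
    if header is None:
        return None
    ext = os.path.splitext(name)[1].lower()
    return {"file": name, "extension_mismatch": ext not in EXPECTED_EXTENSIONS, **header}


def scan_directory(root: str) -> Iterator[Dict[str, object]]:
    """Walk a tree (e.g. an unpacked archive) and yield every bytecode hit."""
    for dirpath, _, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(64)  # header is far shorter than this
            except OSError:
                continue
            hit = inspect_blob(path, head)
            if hit:
                yield hit


# Constructed samples standing in for an unpacked archive.
SAMPLES: Dict[str, bytes] = {
    # Lua 5.4 chunk disguised as documentation (mirrors the readme.txt trick).
    "readme.txt": LUA_SIGNATURE + b"\x54\x00" + LUAC_DATA + b"\x04\x08\x08xV\x00\x00",
    # Harmless text file of the same name.
    "docs/readme.txt": b"Cheat Lab 2.7.2 - share with your friends to unlock\n",
    # Bytecode where bytecode is expected; not flagged as a mismatch.
    "scripts/init.luac": LUA_SIGNATURE + b"\x53\x00" + LUAC_DATA + b"\x04\x08\x04\x08",
    # Lua 5.1 bytecode renamed to look like a data file.
    "assets/config.dat": LUA_SIGNATURE + b"\x51\x00\x01\x04\x04\x04\x08\x00",
}


def scan_samples(samples: Dict[str, bytes]) -> List[Dict[str, object]]:
    """Run the check over in-memory samples; used here in place of a real tree."""
    return [hit for hit in (inspect_blob(n, d) for n, d in samples.items()) if hit]


if __name__ == "__main__":
    for hit in scan_samples(SAMPLES):
        flag = "SUSPICIOUS" if hit["extension_mismatch"] else "ok"
        print(f"{flag:10} {hit['file']}: Lua {hit['version']} bytecode")
```

Run `scan_directory` over an extracted archive or an MSI's unpacked contents; anything reported with `extension_mismatch` set deserves a look regardless of what the file is called, since a loader such as the page's “compiler.exe” only needs the bytes, not the extension.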

In the final stage, “NzUw.exe” initiates communication over HTTP with a command-and-control (C2) server at the aforementioned IP address attributed to RedLine.

The malware works more like a backdoor, executing tasks retrieved from the C2 server (for example, taking screenshots) and transferring the results there.

The exact method by which links to ZIP archives are distributed is currently unknown. Earlier this month, Checkmarx revealed how threat actors are exploiting GitHub’s search functionality to trick unsuspecting users into downloading malware-laden repositories.

The development comes as Recorded Future details a “large-scale Russian-language cybercrime operation” targeting the gaming community and exploiting fake Web3 gaming lures to deliver malware capable of stealing sensitive information from macOS and Windows users, a technique called trap phishing.

“The campaign involves the creation of imitations of Web3 game projects with slight changes to the name and branding to appear legitimate, along with fake social media accounts to reinforce their authenticity,” Insikt Group said.


“The main web pages of these projects offer downloads that, when installed, infect devices with various types of ‘infostealer’ malware such as Atomic macOS Stealer (AMOS), Stealc, Rhadamanthys, or RisePro, depending on the operating system.”

It also follows a wave of malware campaigns targeting enterprise environments with loaders like PikaBot and a new strain called NewBot Loader.

“The attackers demonstrated a wide range of techniques and infection vectors in each campaign, with the goal of delivering the PikaBot payload,” McAfee said.

This includes a phishing attack that uses hijacked email conversation threads and a Microsoft Outlook flaw dubbed MonikerLink (CVE-2024-21413) to trick victims into downloading malware from an SMB share.
