Customers looking for recreation cheats are being tricked into downloading a Lua-based malware that’s able to establishing persistence on contaminated methods and delivering further payloads.
“These attacks capitalize on the popularity of Lua gaming engine supplements within the student gamer community,” Morphisec researcher Shmuel Uzan stated in a brand new report printed at the moment, including “this malware strain is highly prevalent across North America, South America, Europe, Asia, and even Australia.”
Particulars in regards to the marketing campaign have been first documented by OALabs in March 2024, during which customers have been lured into downloading a malware loader written in Lua by exploiting a quirk in GitHub to stage malicious payloads.
McAfee Labs, in a subsequent evaluation, detailed menace actors’ use of the identical method to ship a variant of the RedLine info stealer by internet hosting the malware-bearing ZIP archives inside reliable Microsoft repositories.
“We disabled user accounts and content in accordance with GitHub’s Acceptable Use Policies, which prohibit posting content that directly supports unlawful active attack or malware campaigns that are causing technical harms,” GitHub instructed The Hacker Information on the time.
“We continue to invest in improving the security of GitHub and our users, and are looking into measures to better protect against this activity.”
Morphisec’s evaluation of the exercise has uncovered a shift within the malware supply mechanism, a simplification that is seemingly an effort to fly underneath the radar.
“The malware is frequently delivered using obfuscated Lua scripts instead of compiled Lua bytecode, as the latter can trigger suspicion more easily,” Uzan stated.
That stated, the general an infection chain stays unchanged in that customers looking standard dishonest script engines like Solara and Electron on Google are served pretend web sites that embed hyperlinks to booby-trapped ZIP archives on varied GitHub repositories.
The ZIP archive comes with 4 elements: A Lua compiler, a Lua runtime interpreter DLL (“lua51.dll”), an obfuscated Lua script, and a batch file (“launcher.bat”), the final of which is used to execute the Lua script utilizing the Lua compiler.
Within the subsequent stage, the loader – i.e., the malicious Lua script – establishes communications with a command-and-control (C2) server and sends particulars in regards to the contaminated system. The server, in response, points duties which might be both accountable for sustaining persistence or hiding processes, or downloading new payloads equivalent to Redone Stealer or CypherIT Loader.
“Infostealers are gaining prominence in the landscape as the harvested credentials from these attacks are sold to more sophisticated groups to be used in later stages of the attack,” Uzan stated. “RedLine notably has a huge market in Dark web selling these harvested credentials.”
The disclosure comes days after Kaspersky reported that customers on the lookout for pirated variations of standard software program on Yandex are being focused as a part of a marketing campaign designed to distribute an open-source cryptocurrency miner named SilentCryptoMiner by way of an AutoIt compiled binary implant.
A majority of the assaults focused customers in Russia, adopted by Belarus, India, Uzbekistan, Kazakhstan, Germany, Algeria, the Czech Republic, Mozambique, and Turkey.
“Malware was also distributed through Telegram channels targeted at crypto investors and in descriptions and comments on YouTube videos about cryptocurrency, cheats, and gambling,” the corporate stated in a report final week.
“Even though the main goal of the attackers is to make profit by stealthily mining cryptocurrency, some variants of the malware can perform additional malicious activity, such as replacing cryptocurrency wallets in the clipboard and taking screenshots.”
