A brand new data stealer has been discovered leveraging Lua bytecode for added stealth and class, findings from McAfee Labs reveal.
The cybersecurity agency has assessed it to be a variant of a recognized malware referred to as RedLine Stealer owing to the truth that the command-and-control (C2) server IP deal with has been beforehand recognized as related to the malware.
RedLine Stealer, first documented in March 2020, is usually delivered by way of e mail and malvertising campaigns, both instantly or by way of exploit kits and loader malware like dotRunpeX and HijackLoader.
The off-the-shelf malware is able to harvesting data from cryptocurrency wallets, VPN software program, and internet browsers, equivalent to saved credentials, autocomplete knowledge, bank card data, and geolocations based mostly on the victims’ IP addresses.
Through the years, RedLine Stealer has been co-opted by a number of risk actors into their assault chains, making it a prevalent pressure spanning North America, South America, Europe, Asia, and Australia.
The an infection sequence recognized by McAfee abuses GitHub, utilizing two of Microsoft’s official repositories for its implementation of the C++ Commonplace Library (STL) and vcpkg to host the malware-laden payload within the type of ZIP archives.
It is at the moment not recognized how the recordsdata got here to be uploaded to the repository, however the method is an indication that risk actors are weaponizing the belief related to reliable repositories to distribute malware. The ZIP recordsdata are not obtainable for obtain from the Microsoft repositories.
The ZIP archive (“Cheat.Lab.2.7.2.zip” and “Cheater.Pro.1.6.0.zip”) masquerades as a sport cheat, indicating that avid gamers are probably the goal of the marketing campaign. It comes fitted with an MSI installer that is designed to run the malicious Lua bytecode.
“This approach provides the advantage of obfuscating malicious stings and avoiding the use of easily recognizable scripts like wscript, JScript, or PowerShell script, thereby enhancing stealth and evasion capabilities for the threat actor,” researchers Mohansundaram M. and Neil Tyagi mentioned.
In an try and go the malware to different programs, the MSI installer shows a message urging the sufferer to share this system with their mates with the intention to get the unlocked model of the software program.
The “compiler.exe” executable inside the installer, upon operating the Lua bytecode embedded inside the “readme.txt” file current within the ZIP archive, units up persistence on the host utilizing a scheduled activity and drops a CMD file, which, in flip, runs “compiler.exe” beneath one other identify “NzUw.exe.”
Within the ultimate stage, “NzUw.exe” initiates communications with a command-and-control (C2) server over HTTP, the aforementioned IP deal with attributed to RedLine.
The malware capabilities extra like a backdoor, finishing up duties fetched from the C2 server (e.g., taking screenshots) and exfiltrating the outcomes again to it.
The precise technique by which the hyperlinks to the ZIP archives are distributed is presently unknown. Earlier this month, Checkmarx revealed how risk actors are making the most of GitHub’s search performance to trick unsuspecting customers into downloading malware-laden repositories.
The event comes as Recorded Future detailed a “large-scale Russian-language cybercrime operation” that singles out the gaming neighborhood and leverages pretend Web3 gaming lures to ship malware able to stealing delicate data from macOS and Home windows customers, a method referred to as entice phishing.
“The campaign involves creating imitation Web3 gaming projects with slight name and branding modifications to appear legitimate, along with fake social media accounts to bolster their authenticity,” Insikt Group mentioned.
“The main webpages of these projects offer downloads that, once installed, infect devices with various types of “infostealer” malware such as Atomic macOS Stealer (AMOS), Stealc, Rhadamanthys, or RisePro, depending on the operating system.”
It additionally follows a wave of malware campaigns focusing on enterprise environments with loaders equivalent to PikaBot and a brand new pressure referred to as NewBot Loader.
“Attackers demonstrated a diverse range of techniques and infection vectors in each campaign, aiming to deliver the PikaBot payload,” McAfee mentioned.
This features a phishing assault that takes benefit of e mail dialog hijacking and a Microsoft Outlook flaw referred to as MonikerLink (CVE-2024-21413) to entice victims into downloading the malware from an SMB share.
