Thursday, November 7, 2024

New RedLine Stealer Variant Disguised as Game Cheats Utilizing Lua Bytecode for Stealth

RedLine Stealer Variant

A new information stealer has been found leveraging Lua bytecode for added stealth and sophistication, findings from McAfee Labs reveal.

The cybersecurity firm has assessed it to be a variant of a known malware called RedLine Stealer owing to the fact that the command-and-control (C2) server IP address has previously been identified as associated with the malware.

RedLine Stealer, first documented in March 2020, is typically delivered via email and malvertising campaigns, either directly or via exploit kits and loader malware like dotRunpeX and HijackLoader.

The off-the-shelf malware is capable of harvesting information from cryptocurrency wallets, VPN software, and web browsers, such as saved credentials, autocomplete data, credit card information, and geolocations based on the victims' IP addresses.

Over the years, RedLine Stealer has been co-opted by several threat actors into their attack chains, making it a prevalent strain spanning North America, South America, Europe, Asia, and Australia.

The infection sequence identified by McAfee abuses GitHub, using two of Microsoft's official repositories for its implementation of the C++ Standard Library (STL) and vcpkg to host the malware-laden payload in the form of ZIP archives.


It is currently not known how the files came to be uploaded to the repository, but the technique is a sign that threat actors are weaponizing the trust associated with legitimate repositories to distribute malware. The ZIP files are no longer available for download from the Microsoft repositories.

The ZIP archive ("Cheat.Lab.2.7.2.zip" and "Cheater.Professional.1.6.0.zip") masquerades as a game cheat, indicating that gamers are likely the target of the campaign. It comes fitted with an MSI installer that is designed to run the malicious Lua bytecode.

"This approach provides the advantage of obfuscating malicious strings and avoiding the use of easily recognizable scripts like wscript, JScript, or PowerShell script, thereby enhancing stealth and evasion capabilities for the threat actor," researchers Mohansundaram M. and Neil Tyagi said.

In an attempt to pass the malware to other systems, the MSI installer displays a message urging the victim to share the program with their friends in order to get the unlocked version of the software.

The "compiler.exe" executable within the installer, upon running the Lua bytecode embedded within the "readme.txt" file present in the ZIP archive, sets up persistence on the host using a scheduled task and drops a CMD file, which, in turn, runs "compiler.exe" under another name, "NzUw.exe."

In the final stage, "NzUw.exe" initiates communications with a command-and-control (C2) server over HTTP, the aforementioned IP address attributed to RedLine.

The malware functions more like a backdoor, carrying out tasks fetched from the C2 server (e.g., taking screenshots) and exfiltrating the results back to it.

The exact method by which the links to the ZIP archives are distributed is currently unknown. Earlier this month, Checkmarx revealed how threat actors are taking advantage of GitHub's search functionality to trick unsuspecting users into downloading malware-laden repositories.

The development comes as Recorded Future detailed a "large-scale Russian-language cybercrime operation" that singles out the gaming community and leverages fake Web3 gaming lures to deliver malware capable of stealing sensitive information from macOS and Windows users, a technique called trap phishing.

"The campaign involves creating imitation Web3 gaming projects with slight name and branding modifications to appear legitimate, along with fake social media accounts to bolster their authenticity," Insikt Group said.
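A defender-side check for the two behaviours described above, Lua bytecode hidden in a text-named file and scheduled-task persistence followed by the same binary running under a new name. This is an added example, not code from the McAfee report; the event records and hashes are constructed, and the allow-list of task-creating parents is an assumption.

```python
import re

# Lua precompiled chunks begin with ESC "Lua" and a version byte
# (0x51 = 5.1 ... 0x54 = 5.4); a readme.txt has no business containing one.
LUA_MAGIC = b"\x1bLua"
LUA_VERSIONS = {0x51: "5.1", 0x52: "5.2", 0x53: "5.3", 0x54: "5.4"}
TEXT_EXT = (".txt", ".md", ".log", ".ini", ".cfg")
# Assumed allow-list: parents from which schtasks /create is expected.
TASK_PARENT_ALLOW = ("explorer.exe", "mmc.exe", "powershell_ise.exe")

def find_lua_chunks(data):
    """Return (offset, version) for every Lua chunk header found in data."""
    hits = []
    for m in re.finditer(re.escape(LUA_MAGIC), data):
        off = m.start()
        ver = data[off + 4] if off + 4 < len(data) else None
        label = LUA_VERSIONS.get(ver, "unknown") if ver is not None else "truncated"
        hits.append((off, label))
    return hits

def flag_text_file(name, data):
    """True when a text-named file carries Lua bytecode (the readme.txt trick)."""
    return name.lower().endswith(TEXT_EXT) and bool(find_lua_chunks(data))

# Constructed process-creation events (Sysmon-like fields) modelling the chain:
# the installer's compiler.exe registers a scheduled task, then the dropped
# .cmd starts the identical binary as NzUw.exe.  Hashes are placeholders.
SAMPLE_EVENTS = [
    {"parent": "msiexec.exe", "image": "compiler.exe", "cmdline": "compiler.exe readme.txt", "sha256": "HASH_A"},
    {"parent": "compiler.exe", "image": "schtasks.exe", "cmdline": "schtasks /create /tn Updater /tr run.cmd", "sha256": "HASH_B"},
    {"parent": "cmd.exe", "image": "NzUw.exe", "cmdline": "NzUw.exe", "sha256": "HASH_A"},
    {"parent": "explorer.exe", "image": "notepad.exe", "cmdline": "notepad.exe", "sha256": "HASH_C"},
]

def flag_events(events):
    """Return (image, reason) findings for task persistence and renamed binaries."""
    seen = {}      # sha256 -> first image name observed with that hash
    findings = []
    for e in events:
        if (e["image"].lower() == "schtasks.exe" and "/create" in e["cmdline"].lower()
                and e["parent"].lower() not in TASK_PARENT_ALLOW):
            findings.append((e["parent"], "scheduled task created by non-allow-listed parent"))
        first = seen.setdefault(e["sha256"], e["image"])
        if first != e["image"]:
            findings.append((e["image"], "same binary as %s under a different name" % first))
    return findings
```

Run `find_lua_chunks` over every file extracted from an archive before trusting its extension; the second check needs the hash field your EDR or Sysmon configuration records on process creation.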


"The main webpages of these projects offer downloads that, once installed, infect devices with various types of "infostealer" malware such as Atomic macOS Stealer (AMOS), Stealc, Rhadamanthys, or RisePro, depending on the operating system."

It also follows a wave of malware campaigns targeting enterprise environments with loaders such as PikaBot and a new strain called NewBot Loader.

"Attackers demonstrated a diverse range of techniques and infection vectors in each campaign, aiming to deliver the PikaBot payload," McAfee said.

This includes a phishing attack that takes advantage of email conversation hijacking and a Microsoft Outlook flaw called MonikerLink (CVE-2024-21413) to entice victims into downloading the malware from an SMB share.
