The cybersecurity landscape is constantly evolving, with threat actors constantly finding new ways to infiltrate systems and steal valuable information. Recently, McAfee Labs discovered a new information stealer that is utilizing Lua bytecode to enhance its stealth and sophistication. This variant, identified as a strain of the known malware RedLine Stealer, is particularly concerning due to its ability to leverage trusted repositories, such as GitHub, to distribute malware.
RedLine Stealer, which first emerged in March 2020, is primarily delivered through email and malvertising campaigns. It is often concealed within exploit kits and loader malware like dotRunpeX and HijackLoader. This off-the-shelf malware is designed to gather sensitive information from various sources, including cryptocurrency wallets, VPN software, and web browsers. This information can include saved credentials, autocomplete data, credit card details, and even geolocation data based on IP addresses. Over time, RedLine Stealer has been adopted by numerous threat actors, resulting in its widespread use across North America, South America, Europe, Asia, and Australia.
The recent findings by McAfee Labs shed light on the infection sequence employed by this new information stealer. The malware takes advantage of GitHub, specifically Microsoft’s official repositories, to host its malicious payload in the form of ZIP archives. It is currently unknown how these files were uploaded to the repositories, but it highlights the concerning trend of threat actors utilizing trusted sources to distribute malware. It is worth noting that the ZIP files are no longer available for download from the Microsoft repositories.
The ZIP archives, named “Cheat.Lab.2.7.2.zip” and “Cheater.Pro.1.6.0.zip,” masquerade as game cheats, indicating that gamers are likely the primary target of this campaign. These archives contain an MSI installer that executes the malicious Lua bytecode. This approach allows the malware to obfuscate its malicious strings and avoid the use of easily recognizable scripts like wscript, JScript, or PowerShell. This enhances its stealth and evasion capabilities, making it more difficult to detect and mitigate.
Once the MSI installer is executed, it displays a message urging the victim to share the program with their friends in order to unlock the full version of the software. This is an attempt to propagate the malware to other systems. Within the installer, there is an executable file called “compiler.exe” that runs the Lua bytecode embedded within the “readme.txt” file from the ZIP archive. This sets up persistence on the infected host using a scheduled task and drops a CMD file. The CMD file subsequently executes “compiler.exe” under the name “NzUw.exe.”
In the final stage of the infection, “NzUw.exe” establishes communication with a command-and-control (C2) server via HTTP. This C2 server is associated with RedLine Stealer. The malware acts as a backdoor, receiving tasks from the C2 server and exfiltrating the results back to it. These tasks can include capturing screenshots or gathering other sensitive information.
While the exact method of distributing the links to the ZIP archives is still unknown, a recent report by Checkmarx highlighted how threat actors are exploiting GitHub’s search functionality to trick users into downloading repositories infected with malware. This indicates that threat actors are becoming increasingly creative in their distribution methods and are taking advantage of trusted platforms to propagate their malicious payloads.
This discovery comes in the wake of Recorded Future’s revelation of a large-scale Russian-language cybercrime operation targeting the gaming community. This operation employs trap phishing techniques by creating imitation Web3 gaming projects with minor modifications to appear legitimate. Fake social media accounts are also set up to add credibility to these projects. Once users download the software from these projects, their devices become infected with various types of “infostealer” malware, such as Atomic macOS Stealer (AMOS), Stealc, Rhadamanthys, or RisePro, depending on their operating system.
Additionally, McAfee has reported a wave of malware campaigns targeting enterprise environments. These campaigns utilize loaders like PikaBot and a new strain called NewBot Loader. The attackers behind these campaigns employ a range of techniques and infection vectors to deliver the malware, including phishing attacks that exploit email conversation hijacking and vulnerabilities like the MonikerLink flaw in Microsoft Outlook.
In conclusion, the discovery of this new information stealer leveraging Lua bytecode highlights the evolving tactics of threat actors, their ability to exploit trusted repositories, and their continuous efforts to target valuable information. It is crucial for organizations and individuals to remain vigilant, employ robust cybersecurity measures, and stay updated on the latest threats to mitigate the risk of falling victim to these malicious attacks.
Source link
