The first instance of Redline using such a method is in a new variant of Redline Stealer malware that McAfee has discovered uses Lua bytecode to obfuscate its malicious code.
The malware was discovered on a legitimate Microsoft repository (vcpkg) disguised within a zip file named “Cheat.Lab.2.7.2.zip,” containing an MSI installer that deployed two executables (“compiler.exe” and “lua51.dll”) along with a text file (“readme.txt”) containing the Lua bytecode.
Attackers are making malware harder to detect by using Lua bytecode, a less common language that some security tools may struggle to analyze, which hides malicious strings within the bytecode, hindering traditional detection methods.
GitHub’s popularity as a code-sharing platform is being exploited for malware distribution. The platform’s commercial security measures make it difficult to identify malicious files, and users’ trust in GitHub can lead to them unknowingly downloading malware.
The trend of leveraging Lua bytecode and GitHub for distribution suggests we are likely to see more such attacks in the future.
Are you from SOC, Threat Research, or DFIR departments? If so, you can join an online community of 400,000 independent security researchers:
If you want to test all these features now with completely free access to the sandbox:
Redline communicates with its C2 server over HTTP and steals victim information, including the IP address, username, and machine ID, while the Lua bytecode is obfuscated and uses a complex decryption loop, making analysis difficult.
To further evade detection, Redline leverages Lua’s FFI to call Windows API functions directly, bypassing the standard monitored channels.
ANY.RUN analysis of Cheat.Lab.2.7.2.msi reveals a malicious installation process, which deploys compiler.exe, which loads lua51.dll and utilizes readme.txt (a disguised binary) as input. compiler.exe then retrieves IP addresses from pastebin.com and attempts to connect to them.
The communication involves sending an HTTP PUT request containing “/loader/screen/” to the server while identifying as “Winter” in the user agent.
While the complete execution chain couldn’t be fully observed due to an inactive C2 server, this analysis highlights the malware’s use of steganography (readme.txt) and external resource retrieval (pastebin.com) for potential code updates or C2 server communication.
Redline Stealer, a prevalent malware, was identified as the 5th most encountered malware family in
highlights the wide reach of this threat, as confirmed by McAfee’s data across various continents.
This malware steals private data and hides itself as downloads that users want, like cheats or productivity apps. To stay safe, users can use sandboxes to check suspicious files for malicious behaviour using YARA, Suricata, or signature-based detection methods.
The ANY.RUN sandbox simplifies phishing and malware analysis, providing conclusive results in under 40 seconds.
You can check out how ANY.RUN’s features, including the private team space, all Windows VMs, and advanced analysis environment settings, can improve your work.
As the importance of compliance and safeguarding critical websites and APIs grows, Web Application and API Protection (WAAP) solutions play an integral role. Key takeaways include:Pricing modelsCost EstimationROI Calculation
GBHackers on security is a highly informative and reliable Cyber Security News platform that provides the latest and most relevant updates on Cyber Security News, Hacking News, Technology advancements, and Kali Linux tutorials on a daily basis. The platform is dedicated to keeping the community well-informed and up-to-date with the constantly evolving Cyber World.