Researchers have uncovered a new information stealer that uses Lua bytecode to improve its stealth and evasiveness. The cybersecurity firm that analysed it identifies the malware as a variant of the known RedLine Stealer, and it stands out for its use of Lua bytecode, which helps obfuscate malicious strings and evade detection by security tools.
RedLine Stealer, initially documented in March 2020, is typically distributed via email and malvertising campaigns, often through exploit kits and loader malware like dotRunpeX and HijackLoader. This off-the-shelf malware is designed to harvest sensitive information from cryptocurrency wallets, VPN software, and web browsers, including saved credentials, autocomplete data, credit card information, and geolocations based on victims’ IP addresses.
One notable aspect of this new campaign is its use of GitHub, leveraging two of Microsoft’s official repositories to host the malware-laden payload in the form of ZIP archives. The ZIP files, disguised as game cheats, are no longer available for download from these repositories. This distribution method indicates a trend where threat actors exploit the trust associated with reputable repositories to distribute malware.
Upon execution, the malware installer sets up persistence on the host using a scheduled task and drops a CMD file, which runs another executable under a different name. This executable then establishes communications with a command-and-control (C2) server over HTTP, allowing the malware to act as a backdoor, executing tasks fetched from the C2 server and exfiltrating results back to it.
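The campaign above pairs Lua bytecode obfuscation with ZIP archives as the delivery container. A simple triage check a defender can run on a suspect archive is to look for embedded Lua bytecode chunks, which always begin with the ESC byte followed by the ASCII text "Lua" and a one-byte version number. The Python below is an added example, not code from the article or the firm it describes; the archive it scans is constructed inline for demonstration.

```python
import io
import zipfile

# Every compiled Lua chunk starts with ESC + "Lua" + a version byte
# (0x53 = Lua 5.3, 0x54 = Lua 5.4). This is the standard luac header.
LUA_SIGNATURE = b"\x1bLua"
LUA_VERSIONS = {0x51: "5.1", 0x52: "5.2", 0x53: "5.3", 0x54: "5.4"}


def find_lua_chunks(data: bytes) -> list[tuple[int, str]]:
    """Return (offset, version) for each Lua bytecode header found in data."""
    hits = []
    pos = data.find(LUA_SIGNATURE)
    while pos != -1:
        if pos + 4 < len(data):
            ver_byte = data[pos + 4]
            version = LUA_VERSIONS.get(ver_byte, f"unknown(0x{ver_byte:02x})")
        else:
            version = "truncated"
        hits.append((pos, version))
        pos = data.find(LUA_SIGNATURE, pos + 1)
    return hits


def scan_zip(zip_bytes: bytes) -> dict[str, list[tuple[int, str]]]:
    """Scan every file inside an in-memory ZIP archive for embedded Lua bytecode."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            hits = find_lua_chunks(archive.read(info))
            if hits:
                findings[info.filename] = hits
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample: a benign text file plus a binary carrying a Lua 5.4 chunk header."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("readme.txt", "cheat instructions")
        # "MZ" stub, padding, then a Lua 5.4 header (version 0x54, format 0, LUAC_DATA).
        lua_header = b"\x1bLua\x54\x00\x19\x93\r\n\x1a\n"
        archive.writestr("cheat.bin", b"MZ" + b"\x00" * 64 + lua_header + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for name, hits in scan_zip(build_sample_archive()).items():
        for offset, version in hits:
            print(f"{name}: Lua {version} bytecode header at offset {offset}")
```

A hit only proves that a Lua chunk is embedded; legitimate games and tools ship Lua bytecode too, so treat the result as a triage signal to be confirmed by sandboxing the archive contents.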
While the exact method of distributing the links to the ZIP archives is unknown, recent reports have highlighted how threat actors are leveraging GitHub’s search functionality to trick users into downloading malware-laden repositories. This development underscores the evolving tactics of cybercriminals and the importance of maintaining vigilance against such threats.
This discovery also comes amidst a wave of malware campaigns targeting enterprise environments with loaders like PikaBot and a new strain called NewBot Loader. These campaigns demonstrate attackers’ diverse range of techniques and infection vectors, highlighting the need for organizations to stay informed and adopt robust cybersecurity measures to protect against evolving threats.
To protect against information stealers like this Lua bytecode-based variant, keep antivirus and endpoint protection software up to date. Treat unexpected email attachments and links with caution, especially those from unknown or suspicious senders, and be wary of downloads that reach you through unfamiliar repository links. Additionally, conduct regular security audits and monitor network traffic for suspicious activity.