Redline Stealer is a widely used information-stealing malware. Threat actors deploy it to gain unauthorized access to a victim's sensitive and valuable data, which they later monetize or use for other malicious purposes.
Cybersecurity researchers at McAfee recently discovered a new Redline Stealer variant that ships its malicious logic as Lua bytecode to stay under the radar.
Redline Stealer Variant
McAfee telemetry shows that this malware is widespread across North and South America, Europe, Asia and Australia.
McAfee Web Advisor blocked a malicious archive named "Cheat.Lab.2.7.2.zip" that was hosted on Microsoft's official vcpkg repository on GitHub (uploaded through GitHub's file-attachment feature, so the download URL sits under github.com/microsoft/vcpkg and inherits the trust of that path).
The zip file contains an MSI installer that drops modified Lua binaries (lua51.dll and compiler.exe) together with a file posing as a text document (readme.txt); that file actually holds the Lua bytecode which the bundled runtime compiles and executes.
Because the malicious logic is delivered as bytecode rather than readable script, the hostile strings are not visible in the file, and because execution never goes through easily recognizable script hosts such as wscript or PowerShell, the technique evades simple detection and improves stealth.
Persistence is achieved through scheduled tasks and a fallback mechanism, and the process tree created during execution shows that LOLBins living in the system32 folder are abused along the way.
At system start, the ErrorHandler.cmd script is invoked via cmd.exe, which in turn launches NzUw.exe, a program that queries an IP-lookup API.
The JSON packets exchanged with the C2 via api-api.com are cached on disk in the INetCache folder.
In one HTTP exchange, for instance, the server returned the task ID OTMsOTYs, which instructs the client to perform operations such as taking a screenshot.
The resulting screenshot, Screen.bmp, is base64-encoded and transferred to the threat actor's server. The sample has been flagged as malicious and classified in the Redline family by several antivirus engines.
Decompiling the Lua bytecode also reveals several encrypted values together with their decryption loop; the decrypted strings include "Tamper Detected".
The loader first creates a new Lua state, which isolates the Lua instance, before loading the LuaJIT bytecode.
It then opens the debug, io, math and FFI libraries and reads the bytecode with luaL_loadfile; the loader pulls the bytecode from varying offsets within the file rather than from a fixed location.
At the start of the script, it defines its variables, calls Windows API functions through FFI (creating mutexes and loading DLLs at runtime), and then collects system information to send to the C2 server.
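A triage check a responder can apply to the "text file" in this chain is to scan it for Lua or LuaJIT bytecode headers at any offset and compare that with how text-like the file actually is. The Python below is an added example, not code from the article or from McAfee; the sample file is constructed in-line (an ASCII preamble followed by a fake LuaJIT 2.1 header and filler bytes standing in for the real bytecode), and the magic sequences are the documented ones: ESC 'L' 'J' plus a dump-version byte for LuaJIT, ESC 'L' 'u' 'a' plus a version byte for PUC Lua.

```python
# Bytecode signatures. LuaJIT dumps start with ESC 'L' 'J' followed by a
# dump-format version byte (1 = LuaJIT 2.0, 2 = LuaJIT 2.1). PUC Lua chunks
# start with ESC 'L' 'u' 'a' followed by the version byte (0x51 = Lua 5.1).
LUAJIT_MAGIC = b"\x1bLJ"
LUA_MAGIC = b"\x1bLua"


def find_lua_bytecode(data: bytes):
    """Return every Lua/LuaJIT bytecode header found anywhere in data."""
    hits = []
    pos = 0
    while (i := data.find(b"\x1bL", pos)) != -1:
        if data.startswith(LUAJIT_MAGIC, i) and i + 3 < len(data):
            ver = data[i + 3]
            label = {1: "LuaJIT 2.0", 2: "LuaJIT 2.1"}.get(ver, f"LuaJIT dump v{ver}")
            hits.append({"offset": i, "format": label})
        elif data.startswith(LUA_MAGIC, i) and i + 4 < len(data):
            ver = data[i + 4]
            hits.append({"offset": i, "format": f"Lua {ver >> 4}.{ver & 0xF}"})
        pos = i + 1
    return hits


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or tab/CR/LF."""
    if not data:
        return 1.0
    ok = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return ok / len(data)


def triage_text_file(data: bytes, threshold: float = 0.9) -> dict:
    """Flag a file that claims to be text but carries embedded bytecode
    or is mostly non-printable."""
    hits = find_lua_bytecode(data)
    ratio = printable_ratio(data)
    return {
        "bytecode": hits,
        "printable_ratio": round(ratio, 3),
        "suspicious": bool(hits) or ratio < threshold,
    }


# Constructed sample (not the real readme.txt): a harmless-looking preamble,
# then a fake LuaJIT 2.1 header at a non-zero offset, then opaque filler.
PREAMBLE = b"Cheat Lab readme\r\nRun compiler.exe to start.\r\n"
SAMPLE_FILE = PREAMBLE + b"\x1bLJ\x02" + bytes(range(0, 256, 3)) * 4


if __name__ == "__main__":
    print(triage_text_file(SAMPLE_FILE))
```

Scanning for the header at every offset rather than only at byte 0 matters here, since the loader in this sample does not read the bytecode from the start of the file; the printable-ratio check catches the case where the header itself has been stripped or altered.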
IoCs
Cheat.Lab.2.7.2.zip (SHA-256): 5e37b3289054d5e774c02a6ec4915a60156d715f3a02aaceb7256cc3ebdc6610
Cheat.Lab.2.7.2.zip (download URL): hxxps://github[.]com/microsoft/vcpkg/files/14125503/Cheat.Lab.2.7.2.zip
lua51.dll (SHA-256): 873aa2e88dbc2efa089e6efd1c8a5370e04c9f5749d7631f2912bcb640439997
readme.txt (SHA-256): 751f97824cd211ae710655e60a26885cd79974f0f0a5e4e582e3b635492b4cad
compiler.exe (SHA-256): dfbf23697cfd9d35f263af7a455351480920a95bfc642f3254ee8452ce20655a
Redline C2: 213[.]248[.]43[.]58
Second trojanised archive, attached to Microsoft's STL repository on GitHub: hxxps://github[.]com/microsoft/STL/files/14432565/Cheater.Pro.1.6.0.zip
The post New Redline Stealer Variant Leverages Lua Bytecode For Stealthiness appeared first on Cyber Security News.