New Redline Stealer Variant Leverages Lua Bytecode For Stealthiness

Redline Stealer is a powerful information-stealing malware, and hackers often exploit this stealthy stealer to gain unauthorized access to a victim’s sensitive data.

Threat actors can steal many sensitive and valuable data by exploiting the Redline Stealer.

Threat actors can use The stolen data later for financial gain or other malicious purposes.

Cybersecurity researchers at McAfee recently discovered a new variant of Redline stealer that leverages the Lua Bytecode for stealthiness.

Redline Stealer Variant

Telemetry data from McAfee demonstrates that this malware is quite widespread on different continents like North and South America, Europe, Asia, and Australia. 

The McAfee Web Advisor has blocked the malware file called “Cheat.Lab.2.7.2.zip” that is hosted in the vcpkg repository of Microsoft’s official GitHub.

Free Live Webinarfor DIFR/SOC Teams: Securing the Top 3 SME Cyber Attack Vectors - Register Here.

The zip file has an MSI installer with modified Lua binaries and a purported text file for compilation and execution.

By hiding malicious character strings and avoiding easily recognizable scripts like wscript or PowerShell, this method makes it difficult to detect by enhancing stealth and evasion capabilities.

The presence of scheduled tasks and fallback mechanisms enables malware persistence. Hence, LolBins located in the system32 folder are exploited during execution, as the created process tree proves.

Infection Chain (Source – McAfee)

When the system starts ErrorHandler.cmd script is invoked by launching cmd.exe, which calls NzUw.exe, an IP API-checking program. 

Disk at inetCache stores JSON objects as packets sent from api-api.com to communicate with C2.

For instance, an HTTP exchange server sends task ID OTMsOTYs for operations such as taking screenshots of the screen.

Screen.bmp, a file transferred on the threat actor’s server encoded in base64, has been detected as Redline family flagged malicious by several antivirus engines.

Compiling this Lua script will also show you some encrypted values inside it along with their decryption loop and decrypted strings like “Tamper Detected.”

Initially, a new state is created before loading the luajit bytecode, which isolates Lua instances.

Also, the debug, io, math, and FFI libraries are loaded, and their byte code is read using luaL_loadfile, which moves it randomly to different offsets. 

At the start of the script it defines variables, accesses Windows API functions via FFI which creates mutexes, loads the dlls at runtime, and then retrieves system information for transmission to the C2 server.

IoCs

  • Cheat.Lab.2.7.2.zip: 5e37b3289054d5e774c02a6ec4915a60156d715f3a02aaceb7256cc3ebdc6610
  • Cheat.Lab.2.7.2.zip: https[:]//github[.]com/microsoft/vcpkg/files/14125503/Cheat.Lab.2.7.2.zip
  • lua51.dll: 873aa2e88dbc2efa089e6efd1c8a5370e04c9f5749d7631f2912bcb640439997
  • readme.txt: 751f97824cd211ae710655e60a26885cd79974f0f0a5e4e582e3b635492b4cad
  • compiler.exe: dfbf23697cfd9d35f263af7a455351480920a95bfc642f3254ee8452ce20655a
  • Redline C2: 213[.]248[.]43[.]58
  • Trojanised Git Repo: hxxps://github.com/microsoft/STL/files/14432565/Cheater.Pro.1.6.0.zip

Looking to Safeguard Your Company from Advanced Cyber Threats? Deploy TrustNet to Your Radar ASAP.

Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.