Sunday, November 3, 2024
Homecyber securityRedline Malware Using Lua Bytecode to Challenge the SOC/TI Team to Detect

Redline Malware Using Lua Bytecode to Challenge the SOC/TI Team to Detect

Published on

Malware protection

The first instance of Redline using such a method is in a new variant of Redline Stealer malware that McAfee has discovered uses Lua bytecode to obfuscate its malicious code. 

The malware was discovered on a legitimate Microsoft repository (vcpkg) disguised within a zip file named “Cheat.Lab.2.7.2.zip,”  containing an MSI installer that deployed two executables (“compiler.exe” and “lua51.dll”) along with a text file (“readme.txt”) containing the Lua bytecode. 

Attackers are making malware harder to detect by using Lua bytecode, a less common language that some security tools may struggle to analyze, which hides malicious strings within the bytecode, hindering traditional detection methods.

- Advertisement - SIEM as a Service

GitHub’s popularity as a code-sharing platform is being exploited for malware distribution. The platform’s commercial security measures make it difficult to identify malicious files, and users’ trust in GitHub can lead to them unknowingly downloading malware. 

The trend of leveraging Lua bytecode and GitHub for distribution suggests we are likely to see more such attacks in the future. 

Document

Integrate ANY.RUN in Your Company for Effective Malware Analysis

Are you from SOC, Threat Research, or DFIR departments? If so, you can join an online community of 400,000 independent security researchers:

  • Real-time Detection
  • Interactive Malware Analysis
  • Easy to Learn by New Security Team members
  • Get detailed reports with maximum data
  • Set Up Virtual Machine in Linux & all Windows OS Versions
  • Interact with Malware Safely

If you want to test all these features now with completely free access to the sandbox:

The new Redline version installs via an MSI and creates a scheduled task to run a Lua bytecode compiler; it also copies itself to a hidden folder and sets up a persistence mechanism via a script in C:\Windows\Setup\Scripts. 

Redline communicates with its C2 server over HTTP and steals victim information, including the IP address, username, and machine ID, while the Lua bytecode is obfuscated and uses a complex decryption loop, making analysis difficult. 

To further evade detection, Redline leverages Lua’s FFI to call Windows API functions directly, bypassing the standard monitored channels. 

Static analysis of the CheatLab.2.7.2.msi in ANY.RUN

ANY.RUN analysis of Cheat.Lab.2.7.2.msi reveals a malicious installation process, which deploys compiler.exe, which loads lua51.dll and utilizes readme.txt (a disguised binary) as input. compiler.exe then retrieves IP addresses from pastebin.com and attempts to connect to them. 

Easily analyze details of HTTP requests in ANY.RUN’s network tab

The communication involves sending an HTTP PUT request containing “/loader/screen/” to the server while identifying as “Winter” in the user agent. 

While the complete execution chain couldn’t be fully observed due to an inactive C2 server, this analysis highlights the malware’s use of steganography (readme.txt) and external resource retrieval (pastebin.com) for potential code updates or C2 server communication. 

Redline Stealer, a prevalent malware, was identified as the 5th most encountered malware family in

highlights the wide reach of this threat, as confirmed by McAfee’s data across various continents. 

This malware steals private data and hides itself as downloads that users want, like cheats or productivity apps. To stay safe, users can use sandboxes to check suspicious files for malicious behaviour using YARA, Suricata, or signature-based detection methods.

Start Using ANY.RUN Today

The ANY.RUN sandbox simplifies phishing and malware analysis, providing conclusive results in under 40 seconds. 

You can check out how ANY.RUN’s features, including the private team space, all Windows VMs, and advanced analysis environment settings, can improve your work.

Start ANY.RUN sandbox for your team with free registration!

Kaaviya
Kaaviya
Kaaviya is a Security Editor and fellow reporter with Cyber Security News. She is covering various cyber security incidents happening in the Cyber Space.

Latest articles

LightSpy iOS Malware Enhanced with 28 New Destructive Plugins

The LightSpy threat actor exploited publicly available vulnerabilities and jailbreak kits to compromise iOS...

ATPC Cyber Forum to Focus on Next Generation Cybersecurity and Artificial Intelligence Issues

White House National Cyber Director, CEOs, Key Financial Services Companies, Congressional and Executive Branch...

New PySilon RAT Abusing Discord Platform to Maintain Persistence

Cybersecurity experts have identified a new Remote Access Trojan (RAT) named PySilon. This Trojan...

Konni APT Hackers Attacking Organizations with New Spear-Phishing Tactics

The notorious Konni Advanced Persistent Threat (APT) group has intensified its cyber assault on...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

LightSpy iOS Malware Enhanced with 28 New Destructive Plugins

The LightSpy threat actor exploited publicly available vulnerabilities and jailbreak kits to compromise iOS...

New PySilon RAT Abusing Discord Platform to Maintain Persistence

Cybersecurity experts have identified a new Remote Access Trojan (RAT) named PySilon. This Trojan...

Konni APT Hackers Attacking Organizations with New Spear-Phishing Tactics

The notorious Konni Advanced Persistent Threat (APT) group has intensified its cyber assault on...