Redline Malware Using Lua Bytecode to Challenge the SOC/TI Team to Detect

The first instance of Redline using such a method is in a new variant of Redline Stealer malware that McAfee has discovered uses Lua bytecode to obfuscate its malicious code. 

The malware was discovered on a legitimate Microsoft repository (vcpkg) disguised within a zip file named “Cheat.Lab.2.7.2.zip,”  containing an MSI installer that deployed two executables (“compiler.exe” and “lua51.dll”) along with a text file (“readme.txt”) containing the Lua bytecode. 

Attackers are making malware harder to detect by using Lua bytecode, a less common language that some security tools may struggle to analyze, which hides malicious strings within the bytecode, hindering traditional detection methods.

GitHub’s popularity as a code-sharing platform is being exploited for malware distribution. The platform’s commercial security measures make it difficult to identify malicious files, and users’ trust in GitHub can lead to them unknowingly downloading malware. 

The trend of leveraging Lua bytecode and GitHub for distribution suggests we are likely to see more such attacks in the future. 

Integrate ANY.RUN in Your Company for Effective Malware Analysis

Are you from SOC, Threat Research, or DFIR departments? If so, you can join an online community of 400,000 independent security researchers:

• Real-time Detection
• Interactive Malware Analysis
• Easy to Learn by New Security Team members
• Get detailed reports with maximum data
• Set Up Virtual Machine in Linux & all Windows OS Versions
• Interact with Malware Safely

If you want to test all these features now with completely free access to the sandbox:

Try ANY.RUN for FREE

The new Redline version installs via an MSI and creates a scheduled task to run a Lua bytecode compiler; it also copies itself to a hidden folder and sets up a persistence mechanism via a script in C:\Windows\Setup\Scripts. 

Redline communicates with its C2 server over HTTP and steals victim information, including the IP address, username, and machine ID, while the Lua bytecode is obfuscated and uses a complex decryption loop, making analysis difficult. 

To further evade detection, Redline leverages Lua’s FFI to call Windows API functions directly, bypassing the standard monitored channels. 

ANY.RUN analysis of Cheat.Lab.2.7.2.msi reveals a malicious installation process, which deploys compiler.exe, which loads lua51.dll and utilizes readme.txt (a disguised binary) as input. compiler.exe then retrieves IP addresses from pastebin.com and attempts to connect to them. 

The communication involves sending an HTTP PUT request containing “/loader/screen/” to the server while identifying as “Winter” in the user agent. 

While the complete execution chain couldn’t be fully observed due to an inactive C2 server, this analysis highlights the malware’s use of steganography (readme.txt) and external resource retrieval (pastebin.com) for potential code updates or C2 server communication. 

Redline Stealer, a prevalent malware, was identified as the 5th most encountered malware family in

highlights the wide reach of this threat, as confirmed by McAfee’s data across various continents. 

This malware steals private data and hides itself as downloads that users want, like cheats or productivity apps. To stay safe, users can use sandboxes to check suspicious files for malicious behaviour using YARA, Suricata, or signature-based detection methods.

Start Using ANY.RUN Today

The ANY.RUN sandbox simplifies phishing and malware analysis, providing conclusive results in under 40 seconds. 

You can check out how ANY.RUN’s features, including the private team space, all Windows VMs, and advanced analysis environment settings, can improve your work.

Start ANY.RUN sandbox for your team with free registration!