Malware! Redline Stealer

MITRE Doggy
2 min read · Apr 18, 2024


A new packed variant of the Redline Stealer trojan was observed in the wild, leveraging Lua bytecode to perform malicious behavior. McAfee telemetry data shows this malware strain is very prevalent, covering North America, South America, Europe, and Asia and reaching Australia.

A new variant of the Redline Stealer trojan, known for its use of Lua bytecode for malicious behavior, was identified. The trojan has been distributed via a compromised GitHub repository within Microsoft’s account, specifically through a zip file named Cheat.Lab.2.7.2.zip containing malicious MSI installers and PE files.

These files are altered versions of the Lua project files designed to execute Lua bytecode. This strategy effectively obfuscates the malicious code and enhances the malware's stealth by avoiding traditional script detection. Upon installation, it prompts the user to further spread the malware and establishes persistence through various methods, including scheduled tasks and changes in directory locations.
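One check a defender can run on the "text" file described above: Lua 5.1 bytecode (the version a bundled lua51.dll implements) begins with a fixed 12-byte chunk header, so a file that a loader treats as a script but that starts with the bytecode signature is precompiled code, not source. The following is an added example, not code from this post or from the research it summarizes; the sample inputs are constructed inline, and the file-reading helper is a hypothetical convenience wrapper.

```python
"""Classify a chunk as Lua 5.1 bytecode, other Lua bytecode, or not bytecode.

Added example (not from the post or the research it summarizes). The Lua 5.1
chunk header is 12 bytes: b"\x1bLua", version 0x51, format 0, endianness flag,
sizeof(int), sizeof(size_t), sizeof(Instruction), sizeof(lua_Number), and an
integral flag. A ".txt" file carrying this header is bytecode, not a script.
"""
import struct
from dataclasses import dataclass
from pathlib import Path
from typing import Optional

LUA_SIGNATURE = b"\x1bLua"   # ESC "Lua": shared by every Lua bytecode version
LUA51_HEADER_LEN = 12


@dataclass
class Lua51Header:
    little_endian: bool
    int_size: int
    size_t_size: int
    instruction_size: int
    number_size: int
    integral_numbers: bool   # True when lua_Number is an integer type, not double


def parse_lua51_header(data: bytes) -> Optional[Lua51Header]:
    """Parse the Lua 5.1 chunk header; return None if data is not 5.1 bytecode."""
    if len(data) < LUA51_HEADER_LEN or not data.startswith(LUA_SIGNATURE):
        return None
    version, fmt, endian, isz, ssz, insz, nsz, integral = struct.unpack("8B", data[4:12])
    if version != 0x51 or fmt != 0:
        return None
    return Lua51Header(
        little_endian=(endian == 1),
        int_size=isz,
        size_t_size=ssz,
        instruction_size=insz,
        number_size=nsz,
        integral_numbers=(integral == 1),
    )


def classify_chunk(data: bytes) -> str:
    """'empty', 'lua-bytecode-5.1', 'lua-bytecode-other', or 'no-lua-header'."""
    if not data:
        return "empty"
    if parse_lua51_header(data) is not None:
        return "lua-bytecode-5.1"
    if data.startswith(LUA_SIGNATURE):
        return "lua-bytecode-other"   # another Lua version; still not a text script
    return "no-lua-header"


def classify_file(path: Path) -> str:
    """Hypothetical helper: only the header bytes are needed for the verdict."""
    with path.open("rb") as fh:
        return classify_chunk(fh.read(LUA51_HEADER_LEN))


# Constructed samples, not real malware artefacts. A minimal 5.1 header padded
# with zero bytes stands in for a compiled chunk; the 5.2 sample carries the
# extra LUAC_DATA bytes that version appends after the header.
SAMPLE_BYTECODE = LUA_SIGNATURE + bytes([0x51, 0x00, 0x01, 4, 8, 4, 8, 0]) + b"\x00" * 16
SAMPLE_SOURCE = b"print('hello')\n"
SAMPLE_LUA52 = LUA_SIGNATURE + bytes([0x52, 0x00, 0x01, 4, 8, 4, 8, 0]) + b"\x19\x93\r\n\x1a\n"

if __name__ == "__main__":
    for label, blob in (("bytecode", SAMPLE_BYTECODE), ("source", SAMPLE_SOURCE), ("lua52", SAMPLE_LUA52)):
        print(f"{label:9} -> {classify_chunk(blob)}")
```

Extension-based filtering is exactly what this loader trick defeats, so the verdict here is taken from the first bytes only; a scan over a suspicious install directory would call `classify_file` on every file regardless of name.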

Communication with the command-and-control (C2) server is achieved through HTTP, sending stolen data like screenshots back to the attackers.

>> https://www.hendryadrian.com/redline-stealer-a-novel-approach/

MITRE Techniques and Procedures:

Technique: T1204 (User Execution)

  • Procedure: Users are deceived into executing the malware by installing a zip file from a seemingly reputable source on GitHub.

Technique: T1140 (Deobfuscate/Decode Files or Information)

  • Procedure: Utilizes Lua bytecode within a text file to hide malicious code, which is then compiled and executed at runtime using modified Lua binaries.

Technique: T1059.007 (Command and Scripting Interpreter: JavaScript/JScript)

  • Procedure: Although not explicitly JavaScript or JScript, the use of Lua scripting achieves similar ends, executing scripts to perform malicious actions.

Technique: T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder)

  • Procedure: Establishes persistence by creating scheduled tasks that execute the malware upon system startup.

Technique: T1027 (Obfuscated Files or Information)

  • Procedure: Uses obfuscation through Lua bytecode to avoid detection by security software.

Technique: T1574.002 (Hijack Execution Flow: DLL Search Order Hijacking)

  • Procedure: Ships and loads a modified lua51.dll to ensure that malicious code is executed instead of the legitimate library functions.

Technique: T1112 (Modify Registry)

  • Procedure: Modifies system registry to change execution paths and potentially disable security measures.

Technique: T1071.001 (Application Layer Protocol: Web Protocols)

  • Procedure: Communicates with C2 servers over HTTP, sending stolen data and receiving further commands.

Technique: T1056.001 (Input Capture: Keylogging)

  • Procedure: Captures user input, including potential keylogging, to steal sensitive information.
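The persistence, DLL search-order hijacking and HTTP C2 procedures listed above each leave a footprint in ordinary endpoint telemetry. The block below is an added example, not code from this post or the research it summarizes: three small detection rules run over constructed process-creation, image-load and network-connection records. The record layout is a simplified Sysmon-like dictionary with hypothetical field names, and every path, task name and process name is made up for the example.

```python
"""Run three detection rules over constructed endpoint telemetry.

Added example, not code from the post or the research it summarizes. Records
use a simplified Sysmon-like dict layout (hypothetical field names); all paths,
task names and process names are constructed. Rules map onto the procedures
above: a scheduled task whose action lives in a user-writable directory, a
lua51.dll loaded from a user-writable directory (T1574.002), and plain HTTP
from a process running out of a user-writable directory (T1071.001).
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Directories a standard user can write to. Hypothetical list; tune per estate.
USER_WRITABLE = re.compile(
    r"\\(?:Users\\[^\\]+\\(?:AppData|Downloads|Desktop)|Users\\Public|ProgramData|Temp)\\",
    re.IGNORECASE,
)
TASK_CREATE = re.compile(r"\bschtasks(?:\.exe)?\b.*\s/create\b", re.IGNORECASE)
# /tr "quoted path with spaces"  or  /tr unquoted_path
TASK_ACTION = re.compile(r'\s/tr\s+(?:"([^"]*)"|(\S+))', re.IGNORECASE)
HIJACKABLE_DLLS = {"lua51.dll"}   # extend with other side-loaded runtime DLLs


@dataclass
class Finding:
    rule: str
    technique: str
    image: str
    detail: str


def check_scheduled_task(rec: Dict[str, str]) -> List[Finding]:
    """Flag schtasks /create whose /tr action points into a user-writable path.
    The post files this under T1547.001; ATT&CK's own sub-technique for
    scheduled tasks is T1053.005, so the finding carries both ids."""
    cmd = rec.get("CommandLine", "")
    if rec.get("event") != "ProcessCreate" or not TASK_CREATE.search(cmd):
        return []
    m = TASK_ACTION.search(cmd)
    action = (m.group(1) or m.group(2)) if m else ""
    if action and USER_WRITABLE.search(action):
        return [Finding("schtask_user_writable_action", "T1547.001 / T1053.005", rec["Image"], action)]
    return []


def check_dll_hijack(rec: Dict[str, str]) -> List[Finding]:
    """Flag a hijack-prone runtime DLL loaded from a user-writable directory."""
    if rec.get("event") != "ImageLoad":
        return []
    loaded = rec.get("ImageLoaded", "")
    if loaded.rsplit("\\", 1)[-1].lower() in HIJACKABLE_DLLS and USER_WRITABLE.search(loaded):
        return [Finding("runtime_dll_from_user_writable", "T1574.002", rec["Image"], loaded)]
    return []


def check_plain_http(rec: Dict[str, str]) -> List[Finding]:
    """Flag cleartext HTTP from a process that runs out of a user-writable path."""
    if rec.get("event") != "NetworkConnect":
        return []
    if rec.get("DestinationPort") == "80" and USER_WRITABLE.search(rec.get("Image", "")):
        return [Finding("http_from_user_writable_process", "T1071.001", rec["Image"], "tcp/80")]
    return []


RULES = (check_scheduled_task, check_dll_hijack, check_plain_http)


def triage(records: Iterable[Dict[str, str]]) -> List[Finding]:
    """Apply every rule to every record and collect the findings in order."""
    return [f for rec in records for rule in RULES for f in rule(rec)]


# Constructed telemetry: each benign/suspicious pair exercises one rule.
EVENTS = [
    {"event": "ProcessCreate", "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /create /sc onlogon /tn "ExampleUpdater" /tr "C:\Users\alice\AppData\Local\Temp\ExampleApp.exe"'},
    {"event": "ProcessCreate", "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /create /sc daily /tn "Vendor Update" /tr "C:\Program Files\Vendor\update.exe"'},
    {"event": "ImageLoad", "Image": r"C:\Users\alice\AppData\Local\Temp\ExampleApp.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\lua51.dll"},
    {"event": "ImageLoad", "Image": r"C:\Program Files\Editor\editor.exe",
     "ImageLoaded": r"C:\Program Files\Editor\lua51.dll"},
    {"event": "NetworkConnect", "Image": r"C:\Users\alice\AppData\Local\Temp\ExampleApp.exe",
     "DestinationPort": "80"},
    {"event": "NetworkConnect", "Image": r"C:\Program Files\Browser\browser.exe",
     "DestinationPort": "443"},
]

if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f"{f.rule:34} {f.technique:22} {f.image} -> {f.detail}")
```

Each rule on its own is noisy on a busy estate; the value is in the correlation, since one process that creates a logon task for itself, loads lua51.dll from its own temp directory and then talks plain HTTP matches the whole chain the post describes.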


MITRE Doggy

My dog helps me summarize the latest threat research and hot cybercrime news using MITRE ATT&CK techniques and procedures.