New RedLine Stealer Variant Disguised as Game Cheats Using Lua Bytecode for Stealth

A new information stealer has been found leveraging Lua bytecode for added stealth and sophistication, findings from McAfee Labs reveal. The cybersecurity firm has assessed it to be a variant of a known malware called RedLine Stealer owing to the fact that the command-and-control (C2) server IP address has been previously identified as associated with the malware. RedLine Stealer,&nbsp

A new information stealer has been found leveraging Lua bytecode for added stealth and sophistication, findings from McAfee Labs reveal.

The cybersecurity firm has assessed it to be a variant of a known malware called RedLine Stealer owing to the fact that the command-and-control (C2) server IP address has been previously identified as associated with the malware.

RedLine Stealer, first documented in March 2020, is typically delivered via email and malvertising campaigns, either directly or via exploit kits and loader malware like dotRunpeX and HijackLoader.

The off-the-shelf malware is capable of harvesting information from cryptocurrency wallets, VPN software, and web browsers, such as saved credentials, autocomplete data, credit card information, and geolocations based on the victims’ IP addresses.

Over the years, RedLine Stealer has been co-opted by several threat actors into their attack chains, making it a prevalent strain spanning North America, South America, Europe, Asia, and Australia.

The infection sequence identified by McAfee abuses GitHub, using two of Microsoft’s official repositories for its implementation of the C++ Standard Library (STL) and vcpkg to host the malware-laden payload in the form of ZIP archives.

It’s currently not known how the files came to be uploaded to the repository, but the technique is a sign that threat actors are weaponizing the trust associated with trustworthy repositories to distribute malware. The ZIP files are no longer available for download from the Microsoft repositories.

The ZIP archive (“” and “”) masquerades as a game cheat, indicating that gamers are likely the target of the campaign. It comes fitted with an MSI installer that’s designed to run the malicious Lua bytecode.

“This approach provides the advantage of obfuscating malicious stings and avoiding the use of easily recognizable scripts like wscript, JScript, or PowerShell script, thereby enhancing stealth and evasion capabilities for the threat actor,” researchers Mohansundaram M. and Neil Tyagi said.

In an attempt to pass the malware to other systems, the MSI installer displays a message urging the victim to share the program with their friends in order to get the unlocked version of the software.

The “compiler.exe” executable within the installer, upon running the Lua bytecode embedded within the “readme.txt” file present in the ZIP archive, sets up persistence on the host using a scheduled task and drops a CMD file, which, in turn, runs “compiler.exe” under another name “NzUw.exe.”

In the final stage, “NzUw.exe” initiates communications with a command-and-control (C2) server over HTTP, the aforementioned IP address attributed to RedLine.

The malware functions more like a backdoor, carrying out tasks fetched from the C2 server (e.g., taking screenshots) and exfiltrating the results back to it.

The exact method by which the links to the ZIP archives are distributed is presently unknown. Earlier this month, Checkmarx revealed how threat actors are taking advantage of GitHub’s search functionality to trick unsuspecting users into downloading malware-laden repositories.

The development comes as Recorded Future detailed a “large-scale Russian-language cybercrime operation” that singles out the gaming community and leverages fake Web3 gaming lures to deliver malware capable of stealing sensitive information from macOS and Windows users, a technique called trap phishing.

“The campaign involves creating imitation Web3 gaming projects with slight name and branding modifications to appear legitimate, along with fake social media accounts to bolster their authenticity,” Insikt Group said.

“The main webpages of these projects offer downloads that, once installed, infect devices with various types of “infostealer” malware such as Atomic macOS Stealer (AMOS), Stealc, Rhadamanthys, or RisePro, depending on the operating system.”

It also follows a wave of malware campaigns targeting enterprise environments with loaders such as PikaBot and a new strain called NewBot Loader.

“Attackers demonstrated a diverse range of techniques and infection vectors in each campaign, aiming to deliver the PikaBot payload,” McAfee said.

This includes a phishing attack that takes advantage of email conversation hijacking and a Microsoft Outlook flaw called MonikerLink (CVE-2024-21413) to entice victims into downloading the malware from an SMB share.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

 The Hacker News 

Leave a Reply

Your email address will not be published. Required fields are marked *

Previous Post

Palo Alto Networks Discloses More Details on Critical PAN-OS Flaw Under Attack

Next Post

Pentera’s 2024 Report Reveals Hundreds of Security Events per Week, Highlighting the Criticality of Continuous Validation

Related Posts

For March’s Patch Tuesday, no zero-day flaws

Microsoft this week pushed out 61 Patch Tuesday updates with no reports of public disclosures or other zero-days affecting the larger ecosystem (Windows, Office, .NET). Though there are three updated packages from February, they're just informational changes with no further action is required.The team at Readiness has crafted this helpful infographic outlining the risks associated with each of the March updates.Known issues Each month, Microsoft publishes a list of known issues that relate to the operating system and platforms included in the latest update cycle; for March, there are two minor issues reported:To read this article in full, please click here
Read More

Iranian MuddyWater Hackers Adopt New C2 Tool ‘DarkBeatC2’ in Latest Campaign

The Iranian threat actor known as MuddyWater has been attributed to a new command-and-control (C2) infrastructure called DarkBeatC2, becoming the latest such tool in its arsenal after SimpleHarm, MuddyC3, PhonyC2, and MuddyC2Go. "While occasionally switching to a new remote administration tool or changing their C2 framework, MuddyWater’s methods remain constant," Deep
Read More