Users looking for cheats for the game are tricked into downloading Lua-based malware that is capable of establishing persistence on infected systems and delivering additional payloads.
“These attacks benefit from the popularity of Lua game engine add-ons among the student gaming community,” Shmuel Uzan, a researcher at Morphisec, said in a report published today, adding that “this strain of malware is widespread in North America, South America, Europe, Asia and even Australia.”
The campaign was first documented by OALabs in March 2024, when users were observed downloading a malware loader written in Lua that used a GitHub feature to host malicious payloads.
McAfee Labs, in a follow-up analysis, detailed threat actors’ use of the same technique to deliver a variant of the RedLine information stealer by placing malicious ZIP archives in legitimate Microsoft repositories.
“We have disabled user accounts and content in accordance with GitHub’s Acceptable Use Policies, which prohibit the publication of content that directly supports illegal active attacks or malware campaigns that cause technical harm,” GitHub told The Hacker News at the time.
“We continue to invest in improving the security of GitHub and our users, and we are looking at ways to better protect against this activity.”
Morphisec’s analysis of the activity revealed a shift in the malware’s delivery mechanism, a simplification that is likely an attempt to fly under the radar.
“Malware is often delivered using obfuscated Lua scripts instead of compiled Lua bytecode, as the latter can be more easily suspected,” Uzan said.
That said, the overall infection chain remains the same: users who search Google for popular scripting cheat engines like Solara and Electron are presented with fake websites that embed links to booby-trapped ZIP archives hosted in various GitHub repositories.
The ZIP archive comes with four components: a Lua compiler, a Lua runtime interpreter DLL (“lua51.dll”), an obfuscated Lua script, and a batch file (“launcher.bat”), the last of which is used to run the Lua script through the Lua compiler.
In the next step, the loader, i.e. the malicious Lua script, establishes communication with the command-and-control (C2) server and sends detailed information about the infected system. In response, the server issues tasks that are responsible for maintaining persistence, hiding processes, or loading new payloads such as RedLine Stealer or the CypherIT downloader.
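A defender-side triage check for the four-component bundle described above, added here as an example rather than code from the Morphisec report or this article. The file names lua51.dll and launcher.bat come from the article; the archives built in the script are constructed demo data, and the batch-file invocation pattern is an assumed heuristic, not a published signature.

```python
# Added triage example; not code from the Morphisec report or the article.
# Archives built below are constructed demo data; the batch pattern is a heuristic.
import io
import re
import zipfile

LUA_RUNTIME_DLL = "lua51.dll"      # runtime DLL named in the article
LAUNCHER = "launcher.bat"          # batch launcher named in the article
BUNDLE_TRAITS = ("lua_dll", "executable", "lua_script", "launcher_runs_lua")
# Heuristic (assumed): a batch line that runs some .exe with a .lua file argument.
RUNS_LUA_RE = re.compile(r"\S+\.exe\b[^\r\n]*\.lua\b", re.IGNORECASE)

def classify_archive(data: bytes) -> dict:
    """Report which traits of the four-component loader bundle a ZIP exhibits."""
    traits = {t: False for t in BUNDLE_TRAITS}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename.rsplit("/", 1)[-1].lower()
            if name == LUA_RUNTIME_DLL:
                traits["lua_dll"] = True
            elif name.endswith(".exe"):          # the bundled Lua compiler
                traits["executable"] = True
            elif name.endswith(".lua"):          # the (obfuscated) script
                traits["lua_script"] = True
            elif name == LAUNCHER:
                text = zf.read(info).decode("utf-8", errors="replace")
                traits["launcher_runs_lua"] = bool(RUNS_LUA_RE.search(text))
    # Only the full combination is treated as matching the described loader.
    traits["matches_loader_bundle"] = all(traits[t] for t in BUNDLE_TRAITS)
    return traits

def build_archive(entries: dict) -> bytes:
    """Build an in-memory ZIP from {name: content} (constructed demo data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

# Constructed archive mirroring the four-component bundle; no real binaries inside.
SAMPLE_BUNDLE = {
    "lua51.dll": b"MZ placeholder, not a real DLL",
    "luac.exe": b"MZ placeholder, not a real compiler",
    "script.lua": "-- obfuscated script placeholder\n",
    "launcher.bat": "@echo off\nluac.exe script.lua\n",
}
# Constructed archive with a Lua script but no runtime DLL or launcher.
BENIGN_MOD = {"README.txt": "plain mod files\n", "script.lua": "print('hi')\n"}
```

Running `classify_archive(build_archive(SAMPLE_BUNDLE))` flags every trait, while the benign mod archive only reports a Lua script, which is why the combined flag rather than any single file name should drive an alert.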
“Information stealers are gaining prominence in the landscape as credentials obtained from these attacks are sold to more sophisticated groups for use in later stages of the attack,” Uzan said. “RedLine in particular has a huge market on the Dark Web selling these harvested credentials.”
The disclosure comes days after Kaspersky reported that users looking for pirated versions of popular software on Yandex were targeted in a campaign spreading an open-source cryptocurrency miner called SilentCryptoMiner by means of a compiled AutoIt binary implant.
Most of the attacks were directed at users from Russia, followed by Belarus, India, Uzbekistan, Kazakhstan, Germany, Algeria, the Czech Republic, Mozambique and Turkey.
“The malware was also distributed through Telegram channels targeting crypto investors, as well as in the descriptions and comments of YouTube videos about cryptocurrency, cheats and gambling,” the company said in last week’s report.
“Although the attackers’ main goal is to profit by secretly mining cryptocurrency, some variants of the malware can perform additional malicious activities, such as replacing cryptocurrency wallets in the clipboard and taking screenshots.”