
Lua-Based Malware hidden in Fake Cheat Script Engines targeting Gamers

Gamers seeking cheats are being deceived into downloading Lua-based malware capable of maintaining persistence on infected systems and deploying additional malicious payloads.

“These attacks exploit the widespread use of Lua gaming engine tools, especially among student gamers,” said Morphisec researcher Shmuel Uzan in a newly published report. He further noted that “this malware strain has seen significant activity across North America, South America, Europe, Asia, and Australia.”

The campaign was initially uncovered by OALabs in March 2024, where users were enticed to download a Lua-based malware loader. This was achieved by taking advantage of a GitHub vulnerability to host and distribute malicious payloads.

McAfee Labs later confirmed that threat actors employed similar techniques to distribute a variant of the RedLine information stealer, embedding malware-laden ZIP files within authentic Microsoft repositories.

GitHub responded by stating, “We have disabled user accounts and content in line with our Acceptable Use Policies, which prohibit content that promotes unlawful attacks or malware campaigns that cause technical harm.”

[Image: Lua-Based Malware]

“We are continually investing in enhancing GitHub’s security and safeguarding our users, and we are exploring new measures to better defend against this type of activity.”

Morphisec’s investigation has revealed a shift in the malware delivery strategy, simplifying the process to avoid detection.

“The malware is now typically distributed via obfuscated Lua scripts instead of compiled Lua bytecode, which tends to draw less suspicion,” Uzan explained.

However, the overall infection process remains unchanged. Users searching for popular cheating script engines like Solara and Electron on Google are led to fake websites, which link to malicious ZIP archives hosted on various GitHub repositories.

Each ZIP archive contains four elements: a Lua compiler, a Lua runtime interpreter DLL (“lua51.dll”), an obfuscated Lua script, and a batch file (“launcher.bat”) that executes the Lua script via the Lua compiler.

In the next phase, the malicious Lua script, acting as a loader, establishes a connection with a command-and-control (C2) server and transmits details about the compromised system. The server then issues instructions to maintain persistence, hide malicious processes, or download additional payloads such as Redone Stealer or CypherIT Loader.
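As an added, defender-side example that is not part of the article or of Morphisec's report: a Python triage routine that checks whether a ZIP archive matches the four-component layout described above (a Lua executable, lua51.dll, a .lua script, and a batch launcher that runs the script through that executable). Only lua51.dll is named on the page; the executable name luac.exe and the script name script.lua in the constructed sample are assumptions.

```python
import io
import re
import zipfile

# lua51.dll is named on the page; the other file names below are assumptions
RUNTIME_DLL = re.compile(r"(^|/)lua5\d\.dll$", re.IGNORECASE)
EXE_FILE = re.compile(r"\.exe$", re.IGNORECASE)
BATCH_FILE = re.compile(r"\.(bat|cmd)$", re.IGNORECASE)


def assess_lua_bundle(zip_bytes: bytes) -> dict:
    """Report which of the four loader components an archive contains and
    whether a batch file runs a bundled .lua script via a bundled executable."""
    found = {"executable": [], "runtime_dll": [], "lua_script": [], "batch": []}
    batch_runs_lua = False
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if name.endswith("/"):
                continue  # skip directory entries
            if EXE_FILE.search(name):
                found["executable"].append(name)
            if RUNTIME_DLL.search(name):
                found["runtime_dll"].append(name)
            if name.lower().endswith(".lua"):
                found["lua_script"].append(name)
            if BATCH_FILE.search(name):
                found["batch"].append(name)
        # Compare basenames so "dist/luac.exe" still matches "luac.exe script.lua"
        exes = {e.rsplit("/", 1)[-1].lower() for e in found["executable"]}
        scripts = {s.rsplit("/", 1)[-1].lower() for s in found["lua_script"]}
        for bat in found["batch"]:
            text = zf.read(bat).decode("utf-8", errors="replace").lower()
            if any(e in text for e in exes) and any(s in text for s in scripts):
                batch_runs_lua = True
    complete = all(found.values())
    return {"components": found, "batch_runs_lua": batch_runs_lua,
            "matches_pattern": complete and batch_runs_lua}


def build_sample_zip(with_launcher: bool = True) -> bytes:
    """Constructed, harmless archive mimicking the described layout."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("luac.exe", b"MZ placeholder, not a real binary")
        zf.writestr("lua51.dll", b"MZ placeholder, not a real binary")
        zf.writestr("script.lua", "local s = 'obfuscated payload placeholder'\n")
        if with_launcher:
            zf.writestr("launcher.bat", "@echo off\r\nluac.exe script.lua\r\n")
    return buf.getvalue()
```

A hit on all four components plus a launcher line that names both the executable and the script is a strong signal for this bundle layout; a lone .lua file or a lua51.dll shipped with a legitimate game mod is not.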

“Infostealers are becoming more prominent, as the stolen credentials are sold to more advanced groups for later stages of attacks,” Uzan said. “RedLine, in particular, has a thriving market on the Dark Web for these stolen credentials.”

[Image: Fake Cheating Script Engines]

This disclosure comes just days after Kaspersky revealed a campaign targeting users searching for pirated versions of popular software on Yandex. The operation aims to distribute SilentCryptoMiner, an open-source cryptocurrency miner, through an AutoIt-compiled binary implant.

Most of the attacks focused on users in Russia, with additional targets in Belarus, India, Uzbekistan, Kazakhstan, Germany, Algeria, the Czech Republic, Mozambique, and Turkey.

According to a report from the company last week, “Malware was also spread through Telegram channels aimed at crypto investors and via descriptions and comments on YouTube videos related to cryptocurrency, cheats, and gambling.”

While the attackers’ primary goal is to secretly mine cryptocurrency for profit, some variants of the malware are capable of performing additional harmful actions, such as replacing cryptocurrency wallet addresses in the clipboard and capturing screenshots.

Source: TheHackerNews