Gamers Tricked Into Downloading Lua-Based Malware via Fake Cheating Script Engines

Oct 08, 2024 | Ravie Lakshmanan | Malware / Cybercrime

Users searching for game cheats are being tricked into downloading Lua-based malware that can establish persistence on infected systems and deliver additional payloads.

“These assaults exploit the popularity of Lua gaming engine enhancers within the student gaming community,” Morphisec researcher Shmuel Uzan said in a new report, adding that “this strain of malware is widely spread across North America, South America, Europe, Asia, and even Australia.”

Details of the scheme were first documented by OALabs in March 2024, when users were lured into downloading a malware loader written in Lua that abused a quirk in GitHub to stage malicious payloads.


In a follow-up analysis, McAfee Labs documented the same technique being used by threat actors to deliver a variant of the RedLine information stealer, with the malware-laden ZIP files hosted inside legitimate Microsoft repositories.

“We took action in line with GitHub’s Acceptable Use Policies, which prohibit the publication of content supporting illegal attacks or harmful malware campaigns, by deactivating user accounts and content,” GitHub previously told The Hacker News.


“We are consistently investing in enhancing GitHub and protecting our users, exploring ways to enhance protection against this kind of activity.”

Morphisec's analysis of the activity found a shift in how the malware is delivered, a simplification likely intended to evade detection.

“The malware is commonly spread using disguised Lua scripts rather than compiled Lua bytecode, as the latter can easily raise suspicion,” Uzan stated.

The overall infection chain is otherwise unchanged: users searching Google for popular cheat script engines such as Solara and Electron are sent to fake websites that link to malicious ZIP files hosted in various GitHub repositories.

The ZIP archive bundles four components: a Lua compiler, the Lua runtime interpreter DLL (“lua51.dll”), an obfuscated Lua script, and a batch file (“launcher.bat”) that runs the Lua script through the compiler.
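The two points above, that the loader now ships as obfuscated Lua source rather than compiled bytecode, and that the archive has a fixed four-part layout, translate directly into a triage check. The following script is an added example written for this page; it is not Morphisec's code or anything recovered from the campaign. Only the file names “lua51.dll” and “launcher.bat” come from the article: the compiler file name (luac.exe), the script names, the sample archive contents and the obfuscation heuristics are assumptions made here. It distinguishes precompiled Lua chunks (which start with the ESC “Lua” header) from source text, applies generic obfuscation heuristics to source scripts, and flags an archive that carries the runtime DLL, a Lua-invoking batch file and a bytecode or obfuscated script together.

```python
"""Triage a ZIP archive for the four-component Lua loader layout described above.

Added example for illustration; not Morphisec's code and not campaign material.
Only "lua51.dll" and "launcher.bat" come from the article. The compiler name
("luac.exe"), the script names, the sample archive and the heuristics are assumptions.
"""
import io
import re
import zipfile

# Every compiled Lua chunk (5.1 and later) begins with ESC followed by "Lua".
LUA_BYTECODE_MAGIC = b"\x1bLua"

# Generic indicators of obfuscated Lua source (assumption: common patterns, not campaign IOCs).
OBFUSCATION_PATTERNS = [
    re.compile(rb"\\\d{1,3}(?:\\\d{1,3}){7,}"),   # long runs of decimal escapes: "\108\111\97..."
    re.compile(rb"string\.char\s*\("),            # byte-wise string reconstruction
    re.compile(rb"\b(?:load|loadstring)\s*\("),   # runtime evaluation of assembled strings
]


def is_lua_bytecode(data: bytes) -> bool:
    """True when the blob is precompiled Lua rather than source text."""
    return data.startswith(LUA_BYTECODE_MAGIC)


def looks_obfuscated_lua(data: bytes) -> bool:
    """Two or more heuristic hits on source text is treated as obfuscated."""
    return sum(1 for pattern in OBFUSCATION_PATTERNS if pattern.search(data)) >= 2


def triage_zip(blob: bytes) -> dict:
    """Inspect an in-memory ZIP and report which loader components it carries."""
    report = {
        "has_lua_runtime": False,     # lua51.dll present
        "launcher_runs_lua": False,   # a .bat that references a Lua binary or script
        "bytecode_scripts": [],       # precompiled chunks (the variant the article calls noisier)
        "obfuscated_scripts": [],     # source-text scripts that trip the heuristics
    }
    with zipfile.ZipFile(io.BytesIO(blob)) as archive:
        for name in archive.namelist():
            lower = name.lower()
            data = archive.read(name)
            if lower.split("/")[-1] == "lua51.dll":
                report["has_lua_runtime"] = True
            elif lower.endswith(".bat") and re.search(rb"lua", data, re.IGNORECASE):
                report["launcher_runs_lua"] = True
            elif is_lua_bytecode(data):
                report["bytecode_scripts"].append(name)
            elif lower.endswith(".lua") and looks_obfuscated_lua(data):
                report["obfuscated_scripts"].append(name)
    indicators = (
        report["has_lua_runtime"]
        + report["launcher_runs_lua"]
        + bool(report["bytecode_scripts"] or report["obfuscated_scripts"])
    )
    if indicators == 3:
        report["verdict"] = "suspicious-lua-loader"
    elif indicators:
        report["verdict"] = "review"
    else:
        report["verdict"] = "no-lua-loader-indicators"
    return report


def build_zip(files: dict) -> bytes:
    """Pack {name: bytes} into a ZIP held in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        for name, data in files.items():
            archive.writestr(name, data)
    return buf.getvalue()


def build_sample_zip() -> bytes:
    """Constructed sample mimicking the article's layout; placeholder bytes, not real malware."""
    return build_zip({
        "luac.exe": b"MZ" + b"\x00" * 62,      # stand-in for the Lua compiler binary
        "lua51.dll": b"MZ" + b"\x00" * 62,     # stand-in for the Lua runtime DLL
        "launcher.bat": b"@echo off\r\nluac.exe script.lua\r\n",
        # Source-text script built from decimal escapes, string.char and load(): heuristics fire.
        "script.lua": b'local s = "\\108\\111\\97\\100\\115\\116\\114\\105\\110\\103"\n'
                      b"local f = load(string.char(s:byte(1, -1)))\nf()\n",
        "precompiled.luac": LUA_BYTECODE_MAGIC + b"Q\x00\x01\x04\x08\x04\x08\x00",
    })


if __name__ == "__main__":
    for key, value in triage_zip(build_sample_zip()).items():
        print(f"{key}: {value}")
```

The bytecode check is exact, since the ESC “Lua” header is fixed by the Lua file format; the obfuscation heuristics are deliberately loose and will also match legitimate minified or packed Lua, which is why the script returns “review” rather than a hard verdict when only some indicators are present.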


In the next stage, the loader (the malicious Lua script) contacts a command-and-control (C2) server and sends details about the infected host. The server then hands out tasks: maintaining persistence, hiding processes, or downloading new payloads such as Redone Stealer or CypherIT Loader.

“Information thieves are gaining traction in the field as the stolen credentials from these attacks are traded to more sophisticated factions for use in later attack stages,” Uzan highlighted. “RedLine notably has a thriving market on the Dark web for trading these stolen credentials.”


The disclosure comes shortly after Kaspersky reported that users searching Yandex for pirated versions of popular software are being targeted by a campaign that distributes SilentCryptoMiner, an open-source cryptocurrency miner, through an AutoIt-compiled binary implant.

The bulk of the attacks were directed at users in Russia, followed by Belarus, India, Uzbekistan, Kazakhstan, Germany, Algeria, the Czech Republic, Mozambique, and Turkey.

“The malware was also spread through Telegram channels targeting cryptocurrency investors and through descriptions and comments on YouTube videos related to cryptocurrency, hacks, and betting,” the company said in a recent report detailing the campaign.

“While the primary objective of the attackers is to mine cryptocurrency discreetly for profit, some versions of the malware are capable of engaging in additional malicious actions, such as substituting cryptocurrency wallets in the clipboard and capturing screenshots.”
