RedLine Stealer Variant Uses Lua Bytecode for Added Stealth

admin, 2024-04-23 01:26:05

A new information stealer has been found leveraging Lua bytecode for added stealth and sophistication, findings from McAfee Labs reveal.

The cybersecurity firm has assessed it to be a variant of a known malware called RedLine Stealer because the command-and-control (C2) server IP address has previously been identified as associated with that malware.

RedLine Stealer, first documented in March 2020, is typically delivered via email and malvertising campaigns, either directly or via exploit kits and loader malware like dotRunpeX and HijackLoader.

The off-the-shelf malware is capable of harvesting information from cryptocurrency wallets, VPN software, and web browsers, such as saved credentials, autocomplete data, credit card information, and geolocations based on the victims' IP addresses.

Over the years, RedLine Stealer has been co-opted by several threat actors into their attack chains, making it a prevalent strain spanning North America, South America, Europe, Asia, and Australia.

The infection sequence identified by McAfee abuses GitHub, using two of Microsoft's official repositories for its implementation of the C++ Standard Library (STL) and vcpkg to host the malware-laden payload in the form of ZIP archives.

It's currently not known how the files came to be uploaded to the repository, but the technique is a sign that threat actors are weaponizing the trust associated with trustworthy repositories to distribute malware. The ZIP files are no longer available for download from the Microsoft repositories.

The ZIP archive ("Cheat.Lab.2.7.2.zip" and "Cheater.Pro.1.6.0.zip") masquerades as a game cheat, indicating that gamers are likely the target of the campaign. It comes fitted with an MSI installer that's designed to run the malicious Lua bytecode.

"This approach provides the advantage of obfuscating malicious strings and avoiding the use of easily recognizable scripts like wscript, JScript, or PowerShell script, thereby enhancing stealth and evasion capabilities for the threat actor," researchers Mohansundaram M. and Neil Tyagi said.

In an attempt to pass the malware to other systems, the MSI installer displays a message urging the victim to share the program with their friends in order to get the unlocked version of the software.

The "compiler.exe" executable within the installer runs the Lua bytecode embedded in the "readme.txt" file present in the ZIP archive. The bytecode then sets up persistence on the host using a scheduled task and drops a CMD file, which in turn runs "compiler.exe" under another name, "NzUw.exe."
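
The stage described above hinges on a file whose name ("readme.txt") claims plain text while its content is a precompiled Lua chunk. A defender triaging such archives can flag that mismatch cheaply, because Lua bytecode chunks carry a fixed header: the bytes ESC 'L' 'u' 'a' followed by a version byte (0x51 through 0x54 for Lua 5.1 through 5.4). The scanner below is an added example written for this article; it is not McAfee's tooling or code from the campaign. The archive it scans is constructed in memory: the member names "readme.txt" and "compiler.exe" come from the article, while "notes.txt" and all byte contents are made-up sample data.

```python
import io
import os
import zipfile

# Precompiled Lua chunks begin with ESC 'L' 'u' 'a' and a version byte
# (0x51..0x54 for Lua 5.1 through 5.4).
LUA_SIGNATURE = b"\x1bLua"
LUA_VERSIONS = {0x51, 0x52, 0x53, 0x54}

# Extensions that promise human-readable text; bytecode behind them is suspicious.
TEXT_EXTENSIONS = {".txt", ".md", ".ini", ".cfg", ".log"}


def is_lua_bytecode(data: bytes) -> bool:
    """Return True when the blob starts with a Lua bytecode header."""
    return len(data) >= 5 and data[:4] == LUA_SIGNATURE and data[4] in LUA_VERSIONS


def scan_zip(zip_bytes: bytes) -> list:
    """Return (member name, finding) pairs for archive members that contain
    Lua bytecode, distinguishing those hidden behind a text-file extension."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ext = os.path.splitext(info.filename)[1].lower()
            # Only the header is needed, so read a small prefix of each member.
            with zf.open(info) as member:
                head = member.read(16)
            if not is_lua_bytecode(head):
                continue
            if ext in TEXT_EXTENSIONS:
                findings.append((info.filename, "lua_bytecode_in_text_extension"))
            else:
                findings.append((info.filename, "lua_bytecode"))
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample input (not a real campaign artifact): a ZIP holding a
    fake Lua 5.4 chunk named readme.txt, a harmless notes.txt, and a stub
    compiler.exe consisting of an MZ prefix and padding."""
    fake_chunk = (
        LUA_SIGNATURE + bytes([0x54, 0x00])  # version 5.4, format 0
        + b"\x19\x93\r\n\x1a\n"              # LUAC_DATA check bytes
        + b"\x00" * 32                       # padding standing in for the chunk body
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", fake_chunk)
        zf.writestr("notes.txt", "Thanks for downloading.\n")
        zf.writestr("compiler.exe", b"MZ" + b"\x00" * 64)
    return buf.getvalue()


if __name__ == "__main__":
    for name, finding in scan_zip(build_sample_archive()):
        print(f"{name}: {finding}")
```

Running the block reports only readme.txt, with the finding lua_bytecode_in_text_extension; notes.txt is genuine text and compiler.exe is not a Lua chunk. On a real mail or download gateway the same check can be applied to every archive member before the user ever sees it, and a hit on a text-named member is a strong reason to quarantine the whole archive rather than a single file.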

In the final stage, "NzUw.exe" initiates communications over HTTP with a command-and-control (C2) server at the aforementioned IP address attributed to RedLine.

The malware functions more like a backdoor, carrying out tasks fetched from the C2 server (e.g., taking screenshots) and exfiltrating the results back to it.

The exact method by which the links to the ZIP archives are distributed is presently unknown. Earlier this month, Checkmarx revealed how threat actors are taking advantage of GitHub's search functionality to trick unsuspecting users into downloading malware-laden repositories.

The development comes as Recorded Future detailed a "large-scale Russian-language cybercrime operation" that singles out the gaming community and leverages fake Web3 gaming lures to deliver malware capable of stealing sensitive information from macOS and Windows users, a technique called trap phishing.

"The campaign involves creating imitation Web3 gaming projects with slight name and branding modifications to appear legitimate, along with fake social media accounts to bolster their authenticity," Insikt Group said.

"The main webpages of these projects offer downloads that, once installed, infect devices with various types of "infostealer" malware such as Atomic macOS Stealer (AMOS), Stealc, Rhadamanthys, or RisePro, depending on the operating system."

It also follows a wave of malware campaigns targeting enterprise environments with loaders such as PikaBot and a new strain called NewBot Loader.

"Attackers demonstrated a diverse range of techniques and infection vectors in each campaign, aiming to deliver the PikaBot payload," McAfee said.

This includes a phishing attack that takes advantage of email conversation hijacking and a Microsoft Outlook flaw called MonikerLink (CVE-2024-21413) to entice victims into downloading the malware from an SMB share.

References

[1]https://thehackernews.com/2024/04/new-redline-stealer-variant-disguised.html

Originally published by the WeChat public account 知机安全: RedLine Stealer Variant Uses Lua Bytecode for Added Stealth

Disclaimer: the programs (methods) discussed in this article may be offensive in nature and are provided solely for security research and teaching purposes. Readers who put this information to any other use bear full legal and joint liability; this site assumes no legal or joint liability. Questions may be sent by e-mail (preferably from a corporate or otherwise valid mailbox to avoid filtering; contact details are on the home page).
admin, published 2024-04-23 01:26:05
When reprinting, please keep the link to this article (CN-SEC中文网, with thanks to the original author): https://cn-sec.com/archives/2679418.html
