Users searching for game cheats are being tricked into downloading a Lua-based malware that is capable of establishing persistence on infected systems and delivering additional payloads.
"These attacks capitalize on the popularity of Lua gaming engine supplements within the student gamer community," Morphisec researcher Shmuel Uzan said in a new report published today, adding "this malware strain is highly prevalent across North America, South America, Europe, Asia, and even Australia."
Details about the campaign were first documented by OALabs in March 2024, in which users were lured into downloading a malware loader written in Lua by exploiting a quirk in GitHub to stage malicious payloads.
McAfee Labs, in a subsequent analysis, detailed threat actors' use of the same technique to deliver a variant of the RedLine information stealer by hosting the malware-bearing ZIP archives within legitimate Microsoft repositories.
"We disabled user accounts and content in accordance with GitHub's Acceptable Use Policies, which prohibit posting content that directly supports unlawful active attack or malware campaigns that are causing technical harms," GitHub told The Hacker News at the time.
"We continue to invest in improving the security of GitHub and our users, and are looking into measures to better protect against this activity."
Morphisec's analysis of the activity has uncovered a shift in the malware delivery mechanism, a simplification that's likely an effort to fly under the radar.
"The malware is frequently delivered using obfuscated Lua scripts instead of compiled Lua bytecode, as the latter can trigger suspicion more easily," Uzan said.
That said, the overall infection chain remains unchanged in that users searching for popular cheating script engines like Solara and Electron on Google are served fake websites that embed links to booby-trapped ZIP archives on various GitHub repositories.
The ZIP archive comes with four components: a Lua compiler, a Lua runtime interpreter DLL ("lua51.dll"), an obfuscated Lua script, and a batch file ("launcher.bat"), the last of which is used to execute the Lua script using the Lua compiler.
In the next stage, the loader – i.e., the malicious Lua script – establishes communications with a command-and-control (C2) server and sends details about the infected system. The server, in response, issues tasks that are either responsible for maintaining persistence or hiding processes, or downloading new payloads such as Redone Stealer or CypherIT Loader.
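The four-component bundle described above is a usable triage signature for defenders. The following Python script is an added example, not Morphisec's tooling or anything from the report: it inspects a ZIP archive for the combination of a Lua runtime DLL ("lua51.dll"), a "launcher.bat" that invokes a bundled executable on a bundled .lua file, and a Lua script showing common obfuscation markers. The compiler filename, the obfuscation markers (decimal escape sequences, `string.char`, `load`) and the sample archive contents are assumptions constructed for the example; the report names only "lua51.dll" and "launcher.bat".

```python
"""Triage heuristic for ZIP archives matching the Lua loader bundle layout
described in the Morphisec report. Added example; not the report's tooling."""
import io
import re
import zipfile

RUNTIME_DLL = "lua51.dll"   # named in the report
LAUNCHER = "launcher.bat"   # named in the report

# Heuristic markers of an obfuscated Lua script (assumption, not from the report).
OBFUSCATION_MARKERS = [
    re.compile(r"\\\d{1,3}"),             # decimal escape sequences such as \104\101
    re.compile(r"string\.char\s*\("),     # rebuilding strings at runtime
    re.compile(r"\bload(string)?\s*\("),  # evaluating built strings as code
]


def lua_obfuscation_score(text: str) -> int:
    """Count occurrences of the obfuscation markers in a Lua script."""
    return sum(len(p.findall(text)) for p in OBFUSCATION_MARKERS)


def launcher_invokes_lua(bat_text: str, exes, lua_scripts) -> bool:
    """True if some line of the batch file names a bundled .exe and a bundled .lua."""
    for line in bat_text.splitlines():
        low = line.lower()
        if any(e in low for e in exes) and any(s in low for s in lua_scripts):
            return True
    return False


def classify_zip(data: bytes) -> dict:
    """Report which bundle components are present and whether they form the
    compiler + lua51.dll + obfuscated script + launcher.bat combination."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        # map basename (lowercased) -> member path, ignoring directories
        members = {i.filename.lower().rsplit("/", 1)[-1]: i.filename
                   for i in zf.infolist() if not i.is_dir()}
        exes = [b for b in members if b.endswith(".exe")]
        lua_scripts = [b for b in members if b.endswith(".lua")]
        has_dll = RUNTIME_DLL in members
        has_launcher = LAUNCHER in members
        score = 0
        for b in lua_scripts:
            text = zf.read(members[b]).decode("latin-1")
            score = max(score, lua_obfuscation_score(text))
        launcher_ok = False
        if has_launcher:
            bat = zf.read(members[LAUNCHER]).decode("latin-1")
            launcher_ok = launcher_invokes_lua(bat, exes, lua_scripts)
    matches = has_dll and has_launcher and bool(exes) and bool(lua_scripts) and launcher_ok
    return {
        "has_runtime_dll": has_dll,
        "has_launcher": has_launcher,
        "executables": exes,
        "lua_scripts": lua_scripts,
        "launcher_invokes_lua": launcher_ok,
        "obfuscation_score": score,
        "matches_bundle": matches,
    }


def build_sample_bundle() -> bytes:
    """Constructed archive mimicking the described layout (placeholder bytes,
    not a real sample); filenames other than lua51.dll/launcher.bat are assumed."""
    lua = (
        'local s = "\\104\\101\\108\\108\\111"\n'
        "load(string.char(112, 114, 105, 110, 116) .. '(s)')()\n"
    )
    bat = "@echo off\r\ncompiler.exe script.lua\r\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("compiler.exe", b"MZ placeholder")
        zf.writestr("lua51.dll", b"MZ placeholder")
        zf.writestr("script.lua", lua)
        zf.writestr("launcher.bat", bat)
    return buf.getvalue()


def build_benign_zip() -> bytes:
    """Constructed archive with a plain Lua script and no loader components."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "constructed benign archive")
        zf.writestr("script.lua", "print('hello')\n")
    return buf.getvalue()


if __name__ == "__main__":
    print(classify_zip(build_sample_bundle()))
    print(classify_zip(build_benign_zip()))
```

The heuristic deliberately requires the launcher to reference both a bundled executable and a bundled script, since lua51.dll on its own ships with plenty of legitimate software; the obfuscation score is reported separately so an analyst can raise or lower the threshold for their own environment.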
"Infostealers are gaining prominence in the landscape as the harvested credentials from these attacks are sold to more sophisticated groups to be used in later stages of the attack," Uzan said. "RedLine notably has a huge market in Dark web selling these harvested credentials."
The disclosure comes days after Kaspersky reported that users looking for pirated versions of popular software on Yandex are being targeted as part of a campaign designed to distribute an open-source cryptocurrency miner named SilentCryptoMiner by means of an AutoIt compiled binary implant.
A majority of the attacks targeted users in Russia, followed by Belarus, India, Uzbekistan, Kazakhstan, Germany, Algeria, the Czech Republic, Mozambique, and Turkey.
"Malware was also distributed through Telegram channels targeted at crypto investors and in descriptions and comments on YouTube videos about cryptocurrency, cheats, and gambling," the company said in a report last week.
"Even though the main goal of the attackers is to make profit by stealthily mining cryptocurrency, some variants of the malware can perform additional malicious activity, such as replacing cryptocurrency wallets in the clipboard and taking screenshots."
Update
Russian cybersecurity company Doctor Web has shed light on a large-scale campaign that employs fake Microsoft Excel software, game cheats, and online trading bots to deliver SilentCryptoMiner and clipper malware, corroborating findings from Kaspersky.
The activity has impacted no less than 28,000 individuals from Russia, Belarus, Uzbekistan, Kazakhstan, Ukraine, Kyrgyzstan, and Turkey, netting the adversary over $6,000 in cryptocurrency using the clipper alone.
"The source of infection is fraudulent pages created by attackers on GitHub (note that such activity is prohibited by the platform's rules) or YouTube pages containing malware links in the description below the video," Doctor Web noted in a report released on October 8, 2024.
Users who end up clicking on the links are delivered a self-extracting, password-protected archive that ultimately paves the way for the deployment of the miner ("deviceId.dll") and clipper malware ("7zxa.dll") payloads.