Authored by Mohansundaram M and Neil Tyagi
A brand new packed variant of the Redline Stealer trojan was noticed within the wild, leveraging Lua bytecode to carry out malicious habits.
An infection Chain
- GitHub was being abused to host the malware file at Microsoft’s official account within the vcpkg repository https[:]//github[.]com/microsoft/vcpkg/recordsdata/14125503/Cheat.Lab.2.7.2.zip
- McAfee Net Advisor blocks entry to this malicious obtain
- Cheat.Lab.2.7.2.zip is a zipper file with hash 5e37b3289054d5e774c02a6ec4915a60156d715f3a02aaceb7256cc3ebdc6610
- The zip file incorporates an MSI installer.
- The MSI installer incorporates 2 PE recordsdata and a purported textual content file.
- Compiler.exe and lua51.dll are binaries from the Lua venture. Nonetheless, they’re modified barely by a risk actor to serve their function; they’re used right here with readme.txt (Which incorporates the Lua bytecode) to compile and execute at Runtime.
- Lua JIT is a Simply-In-Time Compiler (JIT) for the Lua programming language.
- The magic quantity 1B 4C 4A 02 usually corresponds to Lua 5.1 bytecode.
- The above picture is readme.txt, which incorporates the Lua bytecode. This method gives the benefit of obfuscating malicious stings and avoiding using simply recognizable scripts like wscript, JScript, or PowerShell script, thereby enhancing stealth and evasion capabilities for the risk actor.
- Upon execution, the MSI installer shows a person interface.
- Throughout set up, a textual content message is displayed urging the person to unfold the malware by putting in it onto a pal’s laptop to get the total software model.
- Throughout set up, we will observe that three recordsdata are being written to Disk to C:program FilesCheat Lab Inc Cheat Lab path.
- Beneath, the three recordsdata are positioned inside the brand new path.
-
- Right here, we see that compiler.exe is executed by msiexec.exe and takes readme.txt as an argument. Additionally, the Blue Highlighted half reveals lua51.dll being loaded into compiler.exe. Lua51.dll is a supporting DLL for compiler.exe to operate, so the risk actor has shipped the DLL together with the 2 recordsdata.
- Right here, we see that compiler.exe is executed by msiexec.exe and takes readme.txt as an argument. Additionally, the Blue Highlighted half reveals lua51.dll being loaded into compiler.exe. Lua51.dll is a supporting DLL for compiler.exe to operate, so the risk actor has shipped the DLL together with the 2 recordsdata.
-
- Throughout set up, msiexec.exe creates a scheduled activity to execute compiler.exe with readme.txt as an argument.
- Other than the above approach for persistence, this malware makes use of a 2nd fallback approach to make sure execution.
- It copies the three recordsdata to a different folder in program information with a really lengthy and random path.
- Be aware that the identify compiler.exe has been modified to NzUW.exe.
- Then it drops a file ErrorHandler.cmd at C:WindowsSetupScripts
- The contents of cmd may be seen right here. It executes compiler.exe below the brand new identify of NzUw.exe with the Lua byte code as a parameter.
- Executing ErrorHandler.cmd makes use of a LolBin within the system32 folder. For that, it creates one other scheduled activity.
-
- The above picture reveals a brand new activity created with Home windows Setup, which can launch C:Windowssystem32oobeSetup.exe with none argument.
- Seems, if you happen to place your payload in c:WINDOWSSetupScriptsErrorHandler.cmd, c:WINDOWSsystem32oobeSetup.exe will load it at any time when an error happens.
Supply: Add a Customized Script to Home windows Setup | Microsoft Study
-
- c:WINDOWSsystem32oobeSetup.exe is anticipating an argument. When it isn’t offered, it causes an error, which ends up in the execution of ErrorHandler.cmd, which executes compiler.exe, which hundreds the malicious Lua code.
- We will affirm this within the beneath course of tree.
We will affirm that c:WINDOWSsystem32oobeSetup.exe launches cmd.exe with ErrorHandler.cmd script as argument, which runs NzUw.exe(compiler.exe)
-
- It then checks the IP from the place it’s being executed and makes use of ip-API to realize that.
- It then checks the IP from the place it’s being executed and makes use of ip-API to realize that.
-
- We will see the community packet from api-api.com; that is written as a JSON object to Disk within the inetCache folder.
- We will see the community packet from api-api.com; that is written as a JSON object to Disk within the inetCache folder.
-
- We will see procmon logs for a similar.
- We will see procmon logs for a similar.
- We will see JSON was written to Disk.
C2 Communication and stealer exercise
-
- Communication with c2 happens over HTTP.
- Communication with c2 happens over HTTP.
-
- We will see that the server despatched the duty ID of OTMsOTYs for the contaminated machine to carry out. (on this case, taking screenshots)
- A base64 encoded string is returned.
- We will see that the server despatched the duty ID of OTMsOTYs for the contaminated machine to carry out. (on this case, taking screenshots)
-
- An HTTP PUT request was despatched to the risk actors server with the URL /loader/display.
- IP is attributed to the redline household, with many engines marking it as malicious.
- Additional inspection of the packet reveals it’s a bitmap picture file.
- The identify of the file is Display screen.bmp
- Additionally, observe the distinctive person agent used on this put request, i.e., Winter
- After Dumping the bitmap picture useful resource from Wireshark to disc and opening it as a .bmp(bitmap picture) extension, we see.
- The screenshot was despatched to the risk actors’ server.
Evaluation of bytecode File
- It’s difficult to get the true decomplication of the bytecode file.
- Many open supply decompilers have been used, giving a barely totally different Lua script.
- The script file was not compiling and throwing some errors.
- The script file was sensitized based mostly on errors in order that it may very well be compiled.
- One desk (var_0_19) is populated by passing information values to 2 capabilities.
- Within the console output, we will see base64 encoded values being saved in var_0_19.
- These base64 strings decode to extra encoded information and to not plain strings.
- All information in var_0_19 is assigned to var_0_26
-
- The identical approach is populating 2nd desk (var_0_20)
- It incorporates the substitution key for encoded information.
-
- The above pic is a decryption loop. It iterates over var_0_26 component by component and decrypts it.
- This loop can be very lengthy and incorporates many junk traces.
- The loop ends with assigning the decrypted values again to var_0_26.
-
- We place the breakpoint on line 1174 and watch the values of var_0_26.
- We place the breakpoint on line 1174 and watch the values of var_0_26.
-
- As we hit the breakpoint a number of instances, we see extra encoded information decrypted within the watch window.
- As we hit the breakpoint a number of instances, we see extra encoded information decrypted within the watch window.
- We will see decrypted strings like Tamper Detected! In var_0_26
Loading luajit bytcode:
Earlier than loading the luajit bytecode, a brand new state is created. Every Lua state maintains its world surroundings, stack, and set of loaded libraries, offering isolation between totally different situations of Lua code.
It took desk values and processed them utilizing the beneath floating-point arithmetic and xor instruction.
- On this weblog, we noticed the assorted strategies risk actors use to infiltrate person methods and exfiltrate their information.
- Microsoft has since eliminated these recordsdata from the repositories.
Indicators of Compromise
Cheat.Lab.2.7.2.zip | 5e37b3289054d5e774c02a6ec4915a60156d715f3a02aaceb7256cc3ebdc6610 |
Cheat.Lab.2.7.2.zip | https[:]//github[.]com/microsoft/vcpkg/recordsdata/14125503/Cheat.Lab.2.7.2.zip
|
lua51.dll | 873aa2e88dbc2efa089e6efd1c8a5370e04c9f5749d7631f2912bcb640439997 |
readme.txt | 751f97824cd211ae710655e60a26885cd79974f0f0a5e4e582e3b635492b4cad |
compiler.exe | dfbf23697cfd9d35f263af7a455351480920a95bfc642f3254ee8452ce20655a |
Redline C2 | 213[.]248[.]43[.]58 |
Trojanised Git Repo | hxxps://github.com/microsoft/STL/recordsdata/14432565/Cheater.Professional.1.6.0.zip |