Recently, Morphisec Threat Labs identified and prevented multiple sophisticated Lua malware variants targeting the educational sector. These attacks capitalize on the popularity of Lua gaming engine supplements within the student gamer community. 

Introduction 

In March 2024, OALabs reported on a new packed Lua loader aimed at the gaming community. This report was followed in April by additional threat insights by McAfee. In the months since, Morphisec Threat Labs observed its continued spread and evolution, with telemetry data indicating that this malware strain is highly prevalent across North America, South America, Europe, Asia, and even Australia. This post provides an analysis of the loader associated with this persistent attack. 

Over the past year, the delivery of Lua malware appears to have undergone simplification, possibly to reduce exposure to detection mechanisms. The malware is frequently delivered using obfuscated Lua scripts instead of compiled Lua bytecode, as the latter can trigger suspicion more easily. 

We would like to credit @Herrcore for their assistance in some of the deobfuscation efforts.

Technical Introduction

We have observed that users searching for game cheats often end up downloading files from platforms like GitHub or similar sources. Today, Lua malware is typically delivered in the form of an installer or a ZIP archive. The ZIP archive usually contains four components: a Lua compiler, a Lua DLL file, an obfuscated Lua script, and a batch file. The batch file executes the Lua script by passing arguments to the Lua compiler. 

• Lua51.dll - LuaJIT Runtime interpreter 

• Compiler.exe - a thin compiled Lua loader 

• Lua script – Malicious Lua script 

• Launcher.bat - Batch script used to run Compiler.exe with the malicious script as parameter 

Post execution of the batch file, the loader establishes communication with a C2 server, sending details about the infected machine. In response, the server provides tasks divided into two categories: Lua loader tasks, which involve actions such as maintaining persistence or hiding processes, and task payloads, which focus on downloading new payloads and applying configurations to them. 

We will get into more details throughout this post. 

Delivery Techniques 

The delivery techniques, such as SEO poisoning, remain largely unchanged from those previously described by OALabs and McAfee. Notably, we identified an advertisement for the Solara and Electron executors - popular cheating script engines frequently associated with Roblox—leading to various Lua malware variants hosted across multiple GitHub repositories. 

Most of the download links are associated with github.com/user-attachments push requests. 

Compiler.exe and lua51.dll 

The lua51.dll is a widely recognized runtime interpreter for Lua, often employed as an “SDK” to extend the functionality of existing software through an accessible and flexible scripting engine.  

The Compiler.exe acts as a lightweight loader, responsible for loading lua51.dll and invoking its “SDK” exported functions to process the specified script. In earlier campaigns, Compiler.exe was designed to load and execute Lua bytecode using lua51.dll. However, in the more recent campaigns, it loads a plain Lua script file instead, leveraging Lua's runtime capabilities to interpret the obfuscated script dynamically, allowing for greater flexibility in executing malicious logic. 

Lua Script (config) 

As previously identified by OALabs, the script is obfuscated using the Prometheus obfuscator. In their analysis, they needed to decompile the bytecode; however, in the recent campaigns described here, the parameter is no longer a bytecode file but rather a directly obfuscated script file. 

Prometheus Obfuscator is a tool designed to enhance software security by employing advanced obfuscation techniques. Its primary purpose is to protect applications from reverse engineering and unauthorized access, making it significantly more difficult for researchers to analyze and understand the code. With capabilities such as code transformation and control flow obfuscation, Prometheus ensures that the underlying logic remains concealed from scrutiny. 

The content of the Lua obfuscated script is seen below: 

A simple beautification of the script will result in (similar string structure is identified at the bytecode file samples):  

Post deobfuscation, we can easily dump the strings from memory: 

Anti-reversing 

The obfuscated code is initially written in a single line, and when using formatting tools to reorganize the code structure for readability, an error message “Tamper Detected!” appears during code execution. 

The obfuscator's method involves line detection, where it deliberately triggers an error at least twice from different locations. It then verifies whether the line numbers are the same for both areas of the code. 

An example that demonstrates the technique: 

1. The attacker defines a function that deliberately throws an error (division by zero).
   
2. The function throws an error and parses the line of the error to know from which line in the code it occurred. The pcall function makes a call to another function and returns an array. The first element indicates success, and the second element contains the error message if it failed. In this case, the error format in Lua is structured as `filename:line_number:message`.
3. An additional inline function is generated to ensure that the error is thrown from a different location in the code. Upon execution the function checks whether the line number in the error message matches the previous line number to determine if the code has been edited. 
   

Prometheus obfuscator implementation for this anti-reformatting / anti-beautify functionality is well described here.

The attacker utilizes the `ffi` library for the direct execution of C code.

What is FFI? 

The FFI library allows Lua code to call C functions and use C data structures directly without needing to write C wrapper code. This is particularly useful for integrating Lua with C libraries or for improving the performance of certain operations by leveraging native C functions. 

Import Modules and Functions 

The script imports the modules by traversing the PEB (Process Environment Block), and then uses the module's EXPORT table: 

Mutex-based 

The script uses a mutex using a long constant string  

In some cases, this string includes a concatenated, predefined number. 

Persistence 

The script establishes persistence by generating a random task name from a predefined list using the following command:  

`schtasks /create /sc daily /st %02d:%02d /f <Name> /tn <App> /tr <Path>`

Potential task name list: 

Information gathering 

In the first stage, the script sets the same name for the `UserAgent` as the one defined for the `mutex`, then initiates a GET request to `http://ip-api[.]com/json/` to retrieve information about the victim. During this process, the script validates network connection by attempting to communicate with `https://www.microsoft.com`. 

Then the script retrieves the `MachineGuid` from the attacker's machine (located at `Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography`). This string is concatinated along with the `loaderId`, `GUID`, `computer name`, `user name`, `IP`, `country`, `city`, `timezone`, `operating system`, and `architecture`.

Afterward, the script encodes the string using a simple symmetric encryption method that combines a basic form of a stream cipher or XOR cipher with byte addition. After encryption, the script converts the bytes to Base64 format. 

Finally, the script captures a screenshot of the compromised computer and sends the adversary C2, the collected data from the computer along with screenshots. 

C2 communication  

After the data is sent to the attacker's server, the server can respond in one of two ways: 

1. Blocked – indicating the request is denied.
2. JSON Response – commands of the following categories; `loader` and `tasks`.
   • Loader - These are actions for the "lua loader" to execute, such as hiding, restarting, maintaining persistence, etc.
   • Tasks - These are meant to load additional payloads and define which configurations should be applied when loading them.

If the server returns a "blocked" response, the malware attempts to connect to an alternate predefined address. If that is also blocked, it accesses pastebin[.]com/raw/mmABULhh to retrieve a new address. If all attempts fail, the process terminates. 

If a valid response is received, the `lua loader` saves the output in the `C:\Users\<User>\Pictures\` folder, using the machine’s `GUID` as the filename. 
After saving the file, the loader executes the required tasks and then sends a response back to the server with the task ID (that was initially provided. 
The payloads are CypherIT Loader / Crypter , Redline). 

Loader Config 

Task Config 

Python code snippet for decoding the strings:

Conclusion 

Based on our investigation, the malware ultimately leads to the deployment of Infostealers, notably Redline Infostealers. Infostealers are gaining prominence in the landscape as the harvested credentials from these attacks are sold to more sophisticated groups to be used in later stages of the attack. Redline notably has a huge market in Dark web selling these harvested credentials. 

How Morphisec Helps 

Automated Moving Target Defense (AMTD) from Morphisec effectively stops malware attacks at various stages of the attack chain. Morphisec doesn’t rely on signature or behavioral patterns. Instead, it uses its patented AMTD technology to prevent the attack at its earliest stages, preemptively blocking attacks on memory and applications, and effectively remediating the need for response. 

Schedule a demo today to see how Morphisec stops Lua malware and other new and emerging threats. 

IOCs 

Hashes

Resources 

• GitHub Bug Used to Infect Game Hackers With Lua Malware (openanalysis.net)

• Redline Stealer: A Novel Approach (mcafee.com)

   

• Hooking LuaJIT (nickcano.com)

•  Threat Thursday: SunSeed Malware Targets Ukraine Refugee Aid Efforts (blackberry.com)