Malware Found In Microsoft's Official GitHub

McAfee Finds Malware Hiding on Microsoft GitHub Targeting Gamers

In the continuously evolving landscape of cybersecurity, a new variant of the RedLine Stealer malware has been identified that gains stealth by shipping its logic as Lua bytecode rather than as a conventional script. The discovery was reported by McAfee Labs, who linked the sample to a command-and-control (C2) server previously associated with RedLine Stealer activity. RedLine is notorious for extracting sensitive data from cryptocurrency wallets, VPN software, and web browsers, including saved credentials and credit card information.

RedLine Stealer was first documented in March 2020 and is known for its wide range of distribution methods, which include email campaigns, malvertising, and delivery via loader malware such as dotRunpeX and HijackLoader. Over time it has become a favored tool of cybercriminal groups operating in North America, South America, Europe, Asia, and Australia.

The variant uncovered by McAfee is notable for using GitHub, a platform for hosting and sharing code, to distribute the malware. Attackers uploaded malicious ZIP archives to Microsoft's official repositories for its C++ Standard Library (STL) and vcpkg, so that the download links pointed into Microsoft's own GitHub namespace and borrowed the trust associated with it. The file names, "Cheat.Lab.2.7.2.zip" and "Cheater.Pro.1.6.0.zip," suggest a campaign aimed at gamers, as the archives masquerade as game cheats.

Each ZIP file contained an MSI installer that ultimately executes malicious Lua bytecode. Choosing Lua bytecode over the scripting engines defenders watch most closely, such as WScript, JScript, or PowerShell, sidesteps the script-block logging and signature coverage built around those engines, and the compiled chunk is not human-readable on disk. Together this makes the payload harder for traditional antivirus programs to detect and block.

Upon installation, the MSI prompts the user to share the software with friends to access an 'unlocked' version, a classic social-engineering technique for maximizing reach. The installer contains a 'compiler.exe' executable that, when run, executes Lua bytecode embedded in a file named "readme.txt." The chain then establishes persistence on the host via a scheduled task and drops a CMD file that runs the same compiler.exe under a different name, "NzUw.exe."

This executable then begins to communicate with the previously mentioned C2 server, performing tasks dictated from the server such as taking screenshots and sending them back, effectively functioning as a backdoor that could lead to further exploitation.
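As an added example (this is not code from McAfee's report or from this site), the following Python triage script applies two checks a responder could run against the chain just described: a file that calls itself readme.txt but begins with the precompiled-Lua chunk signature (ESC followed by "Lua") is bytecode, not a readme; and a handful of hunting rules run over process-creation and scheduled-task records. The Sysmon-style field names and the sample events are constructed for this example. The page does not state that NzUw.exe is a byte-identical copy of compiler.exe, so the rule comparing the on-disk name with the PE's OriginalFileName is an assumption about how a renamed binary would surface in telemetry.

```python
import re

# Precompiled Lua chunks begin with ESC followed by "Lua" (then a version byte).
LUA_BYTECODE_MAGIC = b"\x1bLua"


def is_lua_bytecode(data: bytes) -> bool:
    """True if the blob starts with the Lua bytecode signature."""
    return data.startswith(LUA_BYTECODE_MAGIC)


# Locations a legitimate installer has little reason to persist a task from.
USER_WRITABLE = re.compile(r"\\(appdata|temp|programdata)\\", re.IGNORECASE)
# A .txt file passed as a command-line argument (a "script" hidden as text).
TXT_ARG = re.compile(r"\S+\.txt\b", re.IGNORECASE)


def suspicious_events(events):
    """Return (event_id, reason) pairs for records matching the hunting rules."""
    findings = []
    for ev in events:
        kind = ev.get("EventType")
        image = ev.get("Image", "")
        cmd = ev.get("CommandLine", "")
        parent = ev.get("ParentImage", "")
        if kind == "ProcessCreate":
            # Rule 1: msiexec spawns a child that is handed a .txt as its payload.
            if parent.lower().endswith("msiexec.exe") and TXT_ARG.search(cmd):
                findings.append((ev["Id"], "msiexec child executing a .txt payload"))
            # Rule 2: on-disk name differs from the PE's OriginalFileName
            # (assumed Sysmon field; flags a renamed binary such as NzUw.exe).
            orig = ev.get("OriginalFileName")
            if orig and image.lower().rsplit("\\", 1)[-1] != orig.lower():
                findings.append((ev["Id"], f"renamed binary: {image} is really {orig}"))
        elif kind == "ScheduledTaskCreate":
            action = ev.get("TaskAction", "")
            # Rule 3: persistence via a task whose action lives in user-writable space
            # and feeds a .txt file to the executable.
            if USER_WRITABLE.search(action) and TXT_ARG.search(action):
                findings.append((ev["Id"], "scheduled task runs user-writable binary with .txt argument"))
    return findings


# Constructed sample telemetry (not captured data), modelled on the chain in the text.
SAMPLE_EVENTS = [
    {"Id": 1, "EventType": "ProcessCreate",
     "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "Image": r"C:\Users\gamer\AppData\Local\Temp\compiler.exe",
     "OriginalFileName": "compiler.exe",
     "CommandLine": r'"C:\Users\gamer\AppData\Local\Temp\compiler.exe" readme.txt'},
    {"Id": 2, "EventType": "ScheduledTaskCreate",
     "TaskAction": r"C:\Users\gamer\AppData\Local\Temp\NzUw.exe readme.txt"},
    {"Id": 3, "EventType": "ProcessCreate",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Users\gamer\AppData\Local\Temp\NzUw.exe",
     "OriginalFileName": "compiler.exe",
     "CommandLine": r'"C:\Users\gamer\AppData\Local\Temp\NzUw.exe" readme.txt'},
    {"Id": 4, "EventType": "ProcessCreate",  # benign control: should not match
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "OriginalFileName": "NOTEPAD.EXE",
     "CommandLine": r"notepad.exe C:\Users\gamer\Desktop\readme.txt"},
]

# A "readme.txt" that is really a precompiled Lua chunk (constructed header only),
# beside a genuine text readme for comparison.
FAKE_README = b"\x1bLuaT\x00\x19\x93\r\n\x1a\n" + b"\x00" * 16
REAL_README = b"Cheat Lab 2.7.2\r\nShare with friends to unlock!\r\n"

if __name__ == "__main__":
    print("fake readme is Lua bytecode:", is_lua_bytecode(FAKE_README))
    print("real readme is Lua bytecode:", is_lua_bytecode(REAL_README))
    for event_id, reason in suspicious_events(SAMPLE_EVENTS):
        print(f"event {event_id}: {reason}")
```

Run stand-alone, the script flags events 1 to 3 and leaves the Notepad control alone. Rule 2 relies on the PE version resource, which a careful attacker can strip or forge, so treat it as a cheap first pass rather than proof; the bytecode signature check is the more reliable of the two when you have the dropped file in hand.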

How victims were steered to these ZIP files remains unclear, although there are indications that GitHub's search functionality may have been abused to surface the malware-laden repositories to unsuspecting users, a technique Checkmarx highlighted earlier. The practical lesson is that a file served from a URL under a reputable organization's GitHub namespace is not necessarily a file that organization published or reviewed, so vigilance is required even when downloading from trusted repositories.

This incident is part of a broader trend of targeting the gaming community. Recorded Future has detailed a Russian-language cybercrime operation that uses fake Web3 gaming projects to deliver similar malware. The fake projects are near-copies of real ones with small changes to names and branding, propped up by fake social media accounts to enhance their credibility. Users are lured into downloading files that infect their systems with one of several info-stealers, chosen according to the victim's operating system.

In light of these sophisticated threats, gamers and other users must exercise extreme caution. To mitigate risks, it is advisable to:

  1. Verify the authenticity of any download, especially those that claim to offer game cheats or enhancements; a link into a well-known GitHub organization is not by itself proof that the file came from that organization.

  2. Enable multi-factor authentication (MFA) where possible to secure online accounts.

  3. Keep software and systems updated to protect against known vulnerabilities.

  4. Be wary of unsolicited emails and links, even those that seem to originate from trusted sources.

  5. Educate oneself about common tactics used in phishing and malware campaigns to better recognize and avoid them.

By understanding these threats and implementing robust security measures, users can better protect themselves from becoming victims of sophisticated cyber-attacks.