McAfee Uncovers Sophisticated Information Stealer Exploiting GitHub Repositories
Cybersecurity researchers at McAfee Labs have uncovered a new and sophisticated variant of the notorious RedLine Stealer malware that employs Lua bytecode for enhanced stealth and evasion capabilities. This advanced information-stealing malware targets gamers by masquerading as game cheats, distributed through ZIP archives hosted on official Microsoft repositories on GitHub.
First documented in March 2020, RedLine Stealer is a prevalent off-the-shelf malware strain capable of harvesting sensitive data from cryptocurrency wallets, VPN software, web browsers, and more. Over the years, various threat actors have co-opted this malware into their attack chains, making it a widespread threat across multiple continents.
Abusing Trust in GitHub Repositories
The latest infection sequence identified by McAfee abuses GitHub by uploading malware-laden payloads in the form of ZIP archives to two of Microsoft’s official repositories: the C++ Standard Library (STL) and vcpkg. This technique exploits the trust associated with these repositories, allowing threat actors to distribute malware more effectively. The ZIP files, disguised as game cheats named “Cheat.Lab.2.7.2.zip” and “Cheater.Pro.1.6.0.zip”, are no longer available for download from the Microsoft repositories.
Stealthy Execution and Persistence
The ZIP archives contain an MSI installer that runs the malicious Lua bytecode, providing a stealthy execution method by avoiding easily recognizable scripts. The installer also sets up persistence on the host using a scheduled task and drops a CMD file to run the malware under a different name, enhancing evasion capabilities.
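The infection chain above pairs an MSI installer with precompiled Lua bytecode, a combination that is unusual in a game-cheat archive and cheap to flag at the gateway or on a sandbox intake. The following Python triage script is an added example for this article, not McAfee's detection logic and not code from the campaign. It relies on two well-known magic values (a precompiled Lua chunk begins with ESC "Lua"; an MSI is an OLE2 compound file beginning with D0 CF 11 E0 A1 B1 1A E1) and on file extensions; the sample archive it builds is constructed inline with harmless dummy contents, and its layout (installer, Lua bytecode and CMD file as separate members) is an assumption for illustration rather than the exact layout of the reported ZIP files.

```python
import io
import zipfile

# Magic values used for triage (well-known format headers, not campaign-specific IoCs).
LUA_BYTECODE_MAGIC = b"\x1bLua"                            # precompiled Lua chunk header
OLE_COMPOUND_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # OLE2 container used by .msi files


def classify_entry(name: str, data: bytes) -> list:
    """Return the triage flags raised by a single archive member."""
    flags = []
    lowered = name.lower()
    if data.startswith(LUA_BYTECODE_MAGIC):
        flags.append("lua-bytecode")
    elif LUA_BYTECODE_MAGIC in data:
        # A Lua chunk embedded somewhere inside another file (e.g. an uncompressed container).
        flags.append("lua-bytecode-embedded")
    if data.startswith(OLE_COMPOUND_MAGIC) and lowered.endswith(".msi"):
        flags.append("msi-installer")
    if lowered.endswith((".cmd", ".bat")):
        flags.append("cmd-script")
    return flags


def triage_zip(zip_bytes: bytes) -> dict:
    """Scan every member of a ZIP archive and map member name -> flags (only flagged members)."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            flags = classify_entry(info.filename, zf.read(info.filename))
            if flags:
                report[info.filename] = flags
    return report


def is_suspicious(report: dict) -> bool:
    """The combination the article describes: an MSI installer travelling with Lua bytecode."""
    all_flags = {flag for flags in report.values() for flag in flags}
    has_lua = "lua-bytecode" in all_flags or "lua-bytecode-embedded" in all_flags
    return "msi-installer" in all_flags and has_lua


def build_sample_zip() -> bytes:
    """Constructed sample archive with dummy members; the layout is an assumption for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("setup.msi", OLE_COMPOUND_MAGIC + b"\x00" * 64)          # fake installer header
        zf.writestr("compiler.luac", LUA_BYTECODE_MAGIC + b"\x54" + b"\x00" * 32)  # fake Lua chunk
        zf.writestr("run.cmd", b"@echo off\r\nrem placeholder\r\n")           # fake launcher script
        zf.writestr("readme.txt", b"dummy text")                              # benign member
    return buf.getvalue()


if __name__ == "__main__":
    result = triage_zip(build_sample_zip())
    for member, flags in result.items():
        print(f"{member}: {', '.join(flags)}")
    print("verdict:", "SUSPICIOUS" if is_suspicious(result) else "clean")
```

Run it against a real archive by replacing `build_sample_zip()` with the bytes of the file under review. The script is deliberately a first-pass filter: it does not unpack the MSI's own CAB streams, so bytecode that is compressed inside the installer will only surface once the MSI is extracted and its dropped files are fed back through `classify_entry`.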
Once executed, the malware functions as a backdoor, communicating over HTTP with a command-and-control (C2) server that has previously been associated with RedLine Stealer. It carries out tasks fetched from the C2 server, such as taking screenshots, and exfiltrates the results back to the server, compromising sensitive information.
This campaign highlights the evolving tactics employed by threat actors, including the abuse of trusted repositories and the use of stealthy execution methods like Lua bytecode. As the threat landscape continues to evolve, organizations and individuals must remain vigilant and implement robust security measures, including regular software updates, employee awareness training, and the deployment of advanced security solutions.