Gamers seeking an edge through cheats have inadvertently downloaded Lua-based malware, researchers have discovered. The malware, designed to establish a persistent presence on the system and download further malicious payloads, exploits the popularity of Lua game-engine scripts, particularly among students, according to Morphisec researcher Shmuel Uzan.
In March 2024, OALabs first uncovered a campaign that deceived users by leveraging GitHub’s platform quirks to distribute the malicious Lua-written loader. McAfee Labs has also detailed how threat actors used GitHub to host malware-infested ZIP files disguised within legitimate-looking Microsoft repositories.
Cybersecurity Measures and Exploitation Techniques: GitHub responded by deactivating user accounts and content that violated its Acceptable Use Policies. “We continue to invest in improving our security measures to prevent such misuse,” a GitHub spokesperson told The Hacker News.
Morphisec’s follow-up analysis revealed a notable simplification in the malware’s delivery mechanism, likely an attempt to avoid detection. “The malware now uses obfuscated Lua scripts rather than the more easily detectable compiled Lua bytecode,” Uzan noted. The fraudulent operations typically target users through fake cheat script engines such as Solara and Electron, directing them via Google search results to deceptive websites that host malicious ZIP files.
Infection Mechanism and Malicious Activities: The ZIP file typically contains a Lua compiler, a runtime interpreter DLL, an obfuscated script, and a batch file that executes the script. Once run, the Lua script contacts a command-and-control server, sends details of the infected machine, and receives commands to maintain persistence, hide processes, or fetch new payloads such as the Redone Stealer or the CypherIT Loader.
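As an added example, not code from the article or from Morphisec: a defender-side check that flags a ZIP archive carrying the four-part bundle described above. The file-name patterns, the `Solara` folder name and both archive contents are assumptions constructed for the demonstration, since the article names no specific files.

```python
import io
import re
import zipfile

# Assumed naming patterns (the article names no files): a lua*.exe compiler/interpreter,
# a lua*.dll runtime, a .lua script, and a .bat/.cmd launcher that runs the script.
LUA_EXE = re.compile(r"(^|/)lua[\w.-]*\.exe$", re.I)
LUA_DLL = re.compile(r"(^|/)lua[\w.-]*\.dll$", re.I)
LUA_SCRIPT = re.compile(r"\.lua$", re.I)
BATCH = re.compile(r"\.(bat|cmd)$", re.I)

def bundle_indicators(zip_bytes):
    """Report which parts of the Lua loader bundle a ZIP archive carries.
    A batch file counts as the launcher only if it invokes a Lua binary on a
    .lua script, so an ordinary installer .bat does not trigger a match."""
    found = {"compiler": False, "runtime_dll": False, "lua_script": False, "launcher": False}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if LUA_EXE.search(name):
                found["compiler"] = True
            elif LUA_DLL.search(name):
                found["runtime_dll"] = True
            elif LUA_SCRIPT.search(name):
                found["lua_script"] = True
            elif BATCH.search(name):
                text = zf.read(name).decode("utf-8", "replace").lower()
                if re.search(r"lua\S*\.exe[^\r\n]*\.lua", text):
                    found["launcher"] = True
    return found

def is_suspect_bundle(zip_bytes):
    """All four components together are the loader's fingerprint; flag the archive."""
    return all(bundle_indicators(zip_bytes).values())

def build_sample(files):
    """Construct an in-memory ZIP from {name: bytes}; test data only, not a real sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()

# Constructed archives: one shaped like the loader bundle, one benign mod with a .bat.
SUSPECT = build_sample({
    "Solara/luac.exe": b"MZ", "Solara/lua51.dll": b"MZ", "Solara/run.lua": b"local a=1",
    "Solara/start.bat": b"@echo off\r\nluac.exe run.lua\r\n",
})
BENIGN = build_sample({"mod/readme.txt": b"hi", "mod/install.bat": b"@echo off\r\ncopy a b\r\n"})
```

Run `bundle_indicators` on a quarantined download before opening it; a match on all four parts is a strong signal, while a partial match (for instance a lone `.lua` file) is normal for legitimate game mods.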
“Infostealers, like RedLine, are particularly dangerous as they extract user credentials for sale on the Dark Web, fueling further crimes,” added Uzan.
Broader Campaigns and Their Impact: The revelation follows a report by Kaspersky, which detailed a separate campaign targeting users downloading pirated software through Yandex. This campaign distributed a cryptocurrency miner via a compiled AutoIt binary. Similarly, Doctor Web highlighted a large-scale operation distributing SilentCryptoMiner and clipper malware via fake Microsoft Excel applications, game cheats, and online trading bots, affecting over 28,000 individuals across multiple countries, including Russia and Turkey.
The use of GitHub and YouTube by attackers underscores the ongoing challenge platforms face in curbing the use of their services for malware dissemination.