A new Lua-based malware loader emerged in March 2024, targeting the gaming community.
Despite efforts to reduce detection, it remains prevalent globally. The loader typically delivers obfuscated Lua scripts, which simplifies the attack process.
Lua malware often arrives as a ZIP archive containing a Lua compiler, a runtime interpreter, an obfuscated script, and a batch file; the batch file runs the compiler with the script as an argument, executing the malicious code.
The batch file triggers a loader that connects to a C2 server, which sends tasks to the loader, categorized as Lua loader tasks for system manipulation and task payloads for payload management.
Attackers use SEO poisoning to push fake Solara and Electron cheat script ads, leading to malicious Lua scripts disguised as push requests on GitHub repositories.
The Compiler.exe utility loads the lua51.dll runtime interpreter to execute Lua scripts.
Initially, it processed Lua bytecode, but now it directly interprets plain Lua scripts to enhance flexibility and execute malicious logic dynamically.
The Lua script is obfuscated with Prometheus, making it difficult to understand. Previously the bytecode had to be decompiled first; now the obfuscated script is used directly.
Beautification reveals similar string structures, and deobfuscation allows simple string extraction from memory.
It employs line detection to hinder reverse engineering: it intentionally triggers errors twice, from two distinct code sections, and compares the reported line numbers.
If they match, it treats this as tampering and raises an alert, thwarting attempts to understand or modify the original code.
The attacker crafts a Lua function that intentionally throws an error in order to extract the line number from the error message.
By comparing this line number with the previous one, the function can detect whether the code has been modified or beautified. The script also relies on the `ffi` library for direct execution of C code.
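To make the line-number check concrete, here is an added illustration written for this article; it is not code from the loader or from the Morphisec report. The probe script, its two layouts, the chunk name `probe` and the baseline rule (compare against the numbers the untouched layout reports) are all constructed assumptions.

```lua
-- Added illustration of the line-number tamper check (constructed example,
-- not the loader's code). Lua error messages carry the source position as a
-- prefix, e.g. '[string "probe"]:3: first', so a script can raise an error on
-- purpose and read back the line it was raised from.

-- A tiny script that raises two errors from two distinct sections and returns
-- the line numbers Lua reports for them.
local probe_src = table.concat({
  'local function line_of(f) local ok, msg = pcall(f)',
  '  return tonumber(msg:match(":(%d+):")) end',
  'local a = line_of(function() error("first") end)',
  'local b = line_of(function() error("second") end)',
  'return a, b',
}, "\n")

-- The same code as an obfuscator would emit it: everything on one line.
local probe_minified = probe_src:gsub("\n", " ")

-- Compile and run a source string; works on Lua 5.1 (loadstring, as shipped
-- with lua51.dll) and on later versions (load).
local function probe_lines(src)
  local chunk = assert((loadstring or load)(src, "probe"))
  return chunk()
end

-- Baseline: the line numbers the shipped (one-line) layout reports.
local expected_a, expected_b = probe_lines(probe_minified)

-- Tamper rule modelled on the description above: any deviation from the
-- recorded baseline means the layout was changed, e.g. by beautification.
local function tampered(src)
  local a, b = probe_lines(src)
  return a ~= expected_a or b ~= expected_b
end

print(probe_lines(probe_minified))  -- both probes report line 1
print(probe_lines(probe_src))       -- probes report lines 3 and 4
print(tampered(probe_minified))     -- false: untouched layout
print(tampered(probe_src))          -- true: reformatted layout
```

Running it shows why reformatting alone trips the check: the logic is identical, but the positions Lua embeds in error messages change, which is the signal an analyst should expect such a script to key on.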
FFI, or Foreign Function Interface, enables Lua scripts to interact directly with C functions and data structures, which eliminates the need for C wrapper code, streamlining integration with C libraries and enhancing performance for operations that benefit from native C implementations.
The script loads modules from the PEB and extracts their export tables and then imports functions like `SHGetFolderPathW`, `RegCreateKeyExW`, and `WinExec` from modules such as `shell32.dll`, `advapi32.dll`, and `kernel32.dll`, respectively, for subsequent use in the script’s operations.
According to Morphisec, it also uses a named mutex for synchronization and achieves persistence via scheduled tasks. It gathers victim information such as IP address, location, and hardware details, encrypts them with a basic cipher, and transmits them along with screenshots to the attacker's C2 server.
The malware sends data to a server, which responds with either a block or instructions.
If blocked, the malware tries alternate addresses or retrieves a new one.
If successful, the malware saves the response, executes tasks, and sends a response back.