AhnLab ASEC found SmartLoader being widely distributed via GitHub repositories disguised as legitimate projects (game cheats, cracks, automation tools), where users download compressed files that deploy SmartLoader and additional payloads like Rhadamanthys. Infected systems persist via Task Scheduler, exfiltrate screenshots/system info, and fetch further loaders/tasks from C2 servers. #SmartLoader #Rhadamanthys
Keypoints
- SmartLoader is distributed through GitHub repositories masquerading as legitimate projects (e.g., game cheats, cracks, automation tools) with convincing README and project files.
- Downloaded archives contain four files: java.exe (the legitimate luajit.exe, renamed), Launcher.cmd (malicious), lua51.dll (legitimate), and module.class (obfuscated malicious Lua).
- Execution via Launcher.cmd loads the obfuscated Lua script with luajit.exe, activating SmartLoader and establishing persistence under %AppData%ODE3 and Task Scheduler entries like SecurityHealthService_ODE3.
- SmartLoader captures screenshots and system information, sends them encrypted to a C2 (e.g., 89.169.13[.]215), and executes additional payloads based on JSON-configured loader/tasks from the C2.
- Decoded tasks download and run payloads in memory, including adobe.lua (additional Lua loader) and shellcode payloads _x64.bin and _x86.bin identified as the Rhadamanthys infostealer.
- Rhadamanthys injects into legitimate Windows processes (openwith.exe, dialer.exe, dllhost.exe, rundll32.exe) to exfiltrate credentials and sensitive data (email, FTP, online banking).
- Multiple MD5 hashes and C2/HTTP URLs associated with SmartLoader campaigns were observed; users are advised to obtain software only from official, credible sources.
MITRE Techniques
- [T1204] User Execution – Victims run Launcher.cmd following installation instructions in the README, causing the obfuscated Lua script to be loaded via luajit.exe (“Users follow the provided installation instructions and download the compressed file, which contains the malware.”).
- [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys and Startup Folder – SmartLoader maintains persistence by copying files to %AppData%ODE3 and registering a Task Scheduler job “SecurityHealthService_ODE3” (“…copies the luajit.exe (ODE3.exe), module.class, and lua51.dll files to the “%AppData%ODE3” path and registers it in the Task Scheduler as “SecurityHealthService_ODE3”.”).
- [T1059.007] Command and Scripting Interpreter: JavaScript/Powershell/Lua – Malicious Lua scripts (module.class, adobe.lua) are used to execute SmartLoader behavior and additional tasks (“…the obfuscated malicious Lua script is loaded through luajit.exe … SmartLoader is ultimately activated.”).
- [T1041] Exfiltration Over C2 Channel – Screenshots and system information are transmitted to the C2 server in encoded/encrypted form (“Afterward, a screenshot of the infected PC and its system information are transmitted to the C2 server.”).
- [T1071.001] Application Layer Protocol: Web Protocols – Communication with C2 uses HTTP endpoints (e.g., hxxp://89.169.13[.]215/api/…) to receive JSON loader/tasks and download payloads (“The response value is delivered in JSON format … tasks is a list of tasks to download and execute additional payloads.”).
- [T1105] Ingress Tool Transfer – SmartLoader downloads additional payloads (adobe.lua, _x64.bin, _x86.bin) from GitHub/raw URLs provided in the tasks configuration (“tasks … link: “hxxps://github[.]com/…/log.txt” …”).
- [T1055] Process Injection – Rhadamanthys performs injection into normal processes (openwith.exe, dialer.exe, dllhost.exe, rundll32.exe) to run and exfiltrate data (“Rhadamanthys performs injection into normal processes in Windows systems …”).
Indicators of Compromise
- [IP Address] C2 servers and task endpoints – 89.169.13[.]215 (C2/api and tasks), 95.164.53[.]26 (C2 response).
- [URL] Distribution and payload URLs hosted on GitHub – examples include hxxps://github[.]com/[Threat Actor Account]/Maple-Story-Menu/releases/download/v3.2.0/Maple.Story.Menu.v3.2.0.zip and hxxps://github[.]com/kishoq123/Netrunner-Os-Abiy/releases/download/nasosubnasal/log.txt.
- [File Name] Malicious files inside archives – Launcher.cmd (malicious installer), module.class / adobe.lua (obfuscated Lua scripts), _x64.bin and _x86.bin (Rhadamanthys shellcode).
- [Hash MD5] Sample file hashes observed – 2ed91e48a8a0b731ca3a3f6a7708256d, 4d744f3e77a4cb86a676da9c0a28b186, and 3 more hashes.
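A defender-side triage check for the chain described in the Keypoints and Indicators of Compromise sections above, written as an added example (not ASEC's code): it runs three rules over constructed, Sysmon-like events (the field names are assumed) for the renamed luajit.exe launching a Lua script from Launcher.cmd, the SecurityHealthService_ODE3 task pointing into the ODE3 directory, and connections to the listed C2 addresses.

```python
import re

# Constructed sample telemetry in a simplified, Sysmon-like dict format; the field names
# are an assumption of this example, not real event output.
SAMPLE_EVENTS = [
    {"event": "process_create", "image": r"C:\Users\victim\Downloads\Maple.Story.Menu\java.exe",
     "cmdline": "java.exe module.class", "parent_cmdline": "cmd.exe /c Launcher.cmd",
     "orig_filename": "luajit.exe"},
    {"event": "scheduled_task_create", "task_name": r"\SecurityHealthService_ODE3",
     "action": r"C:\Users\victim\AppData\Roaming\ODE3\ODE3.exe module.class"},
    {"event": "network_connect", "image": r"C:\Users\victim\AppData\Roaming\ODE3\ODE3.exe",
     "dst_ip": "89.169.13.215", "dst_port": 80},
    {"event": "process_create", "image": r"C:\Program Files\Java\bin\java.exe",  # benign JRE
     "cmdline": "java.exe -jar app.jar", "parent_cmdline": "explorer.exe",
     "orig_filename": "java.exe"},
]

# Indicators from the report (C2 addresses appear defanged there).
C2_IPS = {"89.169.13.215", "95.164.53.26"}
TASK_NAME_RE = re.compile(r"SecurityHealthService_ODE3", re.IGNORECASE)
LUA_SCRIPT_RE = re.compile(r"\b(?:module\.class|adobe\.lua)\b", re.IGNORECASE)


def classify(ev):
    """Return a verdict string for one event, or None if nothing matches."""
    kind = ev.get("event")
    if kind == "process_create":
        # PE OriginalFileName of luajit.exe under another file name (java.exe) is the
        # renamed interpreter the report describes; require a Lua-loading context too.
        renamed_luajit = (ev.get("orig_filename", "").lower() == "luajit.exe"
                          and not ev.get("image", "").lower().endswith("\\luajit.exe"))
        from_launcher = "launcher.cmd" in ev.get("parent_cmdline", "").lower()
        loads_lua = bool(LUA_SCRIPT_RE.search(ev.get("cmdline", "")))
        if renamed_luajit and (from_launcher or loads_lua):
            return "renamed_luajit_loading_lua_script"
    elif kind == "scheduled_task_create":
        in_ode3_dir = "\\ode3\\" in ev.get("action", "").lower()
        if TASK_NAME_RE.search(ev.get("task_name", "")) or in_ode3_dir:
            return "smartloader_task_persistence"
    elif kind == "network_connect" and ev.get("dst_ip") in C2_IPS:
        return "smartloader_c2_connection"
    return None


def detect(events):
    """Return (index, verdict) for every event classify() flags; benign ones are skipped."""
    return [(i, v) for i, ev in enumerate(events) if (v := classify(ev))]
```

The benign JRE launch in the sample set is deliberately left unflagged: a java.exe whose original file name really is java.exe does not trip the renamed-interpreter rule.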
Read more: https://asec.ahnlab.com/en/89551/