Morphisec Threat Labs recently uncovered several Lua malware variants targeting the educational sector, in particular student gamers. The malware is delivered as obfuscated Lua scripts bundled with game cheats and, once running, acts as a loader that talks to a C2 server to receive and execute tasks. Distribution abuses legitimate platforms such as GitHub, and infections have been observed globally. Affected: educational sector, student gamer community
Key points:
- Morphisec Threat Labs identified multiple Lua malware variants aimed at the educational sector.
- Delivery has shifted to obfuscated Lua scripts in order to evade detection.
- The Lua malware is typically downloaded from platforms such as GitHub as part of game cheats.
- Each bundle has four components: a Lua compiler, the Lua runtime DLL, an obfuscated Lua script, and a batch file.
- Once executed, the loader contacts its C2 servers to receive and run tasks.
- Lures include SEO poisoning and advertisements for cheat script engines.
- The final payloads are infostealers such as RedLine.
- Morphisec's AMTD technology is reported to stop these attacks at several stages of the chain.
MITRE Techniques:
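The key points above describe a recognisable on-disk footprint: a Lua compiler, the Lua DLL, an obfuscated script and a batch file dropped together. The script below is an added triage example (it is not Morphisec's code and not from the blog) that checks a set of files for that four-part bundle, tests whether the batch file chains the compiler to the script, and applies generic obfuscation heuristics (single very long line, a high share of `\ddd` byte escapes, byte entropy) to the Lua script. The sample bundle, the file names and the thresholds are constructed assumptions for illustration, not indicators from the report.

```python
"""Heuristic triage of a suspected Lua loader bundle (added example, not Morphisec's code)."""
import math
import re
from collections import Counter

# Constructed sample bundle (filename -> bytes). Stand-ins only, not a real sample.
SAMPLE_BUNDLE = {
    "lua51.exe": b"MZ\x90\x00" + b"\x00" * 64,   # stand-in for the Lua compiler/interpreter
    "lua51.dll": b"MZ\x90\x00" + b"\x00" * 64,   # stand-in for the Lua runtime DLL
    "loader.lua": (
        b'return(function(...)local a={"\\104\\116\\116\\112\\115",'
        + b'"' + b"".join(b"\\%d" % (48 + i % 75) for i in range(600)) + b'"}'
        + b'for b=1,#a do a[b]=a[b]:gsub("\\\\(%d+)",function(d)return string.char(d)end)end return a end)(...)'
    ),
    "run.bat": b'@echo off\r\nstart "" "%~dp0lua51.exe" "%~dp0loader.lua"\r\n',
}

# Constructed benign script used as a control.
BENIGN_SCRIPT = b'-- simple helper\nlocal function greet(name)\n  print("hello " .. name)\nend\ngreet("world")\n'

LUA_EXE = re.compile(r"^lua(jit)?[\d.]*\.exe$", re.I)   # assumed naming, e.g. lua51.exe, luajit.exe
LUA_DLL = re.compile(r"^lua[\d.]*\.dll$", re.I)         # assumed naming, e.g. lua51.dll, lua5.1.dll
ESCAPE = re.compile(rb"\\\d{1,3}")                      # Lua decimal byte escapes such as \104

# Assumed thresholds; tune against your own corpus.
MAX_SANE_LINE = 500
MAX_SANE_ESCAPE_RATIO = 0.2


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; useful for the analyst, not used as a hard rule here."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def script_obfuscation_score(script: bytes) -> dict:
    """Flag a Lua script as obfuscated when it is one huge line built mostly from \\ddd escapes."""
    lines = script.decode("latin-1").splitlines() or [""]
    longest = max(len(line) for line in lines)
    escape_bytes = sum(len(m) for m in ESCAPE.findall(script))
    escape_ratio = escape_bytes / max(len(script), 1)
    return {
        "longest_line": longest,
        "escape_ratio": round(escape_ratio, 3),
        "entropy": round(shannon_entropy(script), 3),
        "obfuscated": longest > MAX_SANE_LINE and escape_ratio > MAX_SANE_ESCAPE_RATIO,
    }


def batch_invokes_lua(batch: bytes, exe_names, script_names) -> bool:
    """True when the batch file references both a Lua executable and a .lua script."""
    text = batch.decode("latin-1", "replace").lower()
    return any(e.lower() in text for e in exe_names) and any(s.lower() in text for s in script_names)


def triage_bundle(files: dict) -> dict:
    """Look for the compiler + DLL + script + batch combination and chain evidence."""
    exes = [n for n in files if LUA_EXE.match(n)]
    dlls = [n for n in files if LUA_DLL.match(n)]
    scripts = [n for n in files if n.lower().endswith(".lua")]
    batches = [n for n in files if n.lower().endswith((".bat", ".cmd"))]
    pe_like = all(files[n].startswith(b"MZ") for n in exes + dlls)   # sanity check on the binaries
    reports = {n: script_obfuscation_score(files[n]) for n in scripts}
    chained = any(batch_invokes_lua(files[b], exes, scripts) for b in batches)
    complete = bool(exes and dlls and scripts and batches) and pe_like
    obfuscated = any(r["obfuscated"] for r in reports.values())
    verdict = "suspicious" if complete and chained and obfuscated else "inconclusive"
    return {
        "complete": complete,
        "chained": chained,
        "scripts": reports,
        "verdict": verdict,
    }


if __name__ == "__main__":
    print(triage_bundle(SAMPLE_BUNDLE))
    print(script_obfuscation_score(BENIGN_SCRIPT))
```

On a real host you would feed `triage_bundle` the files from a suspicious download or cheat-tool folder; a complete bundle whose batch file launches an obfuscated script through the bundled interpreter is worth pulling for sandboxing, while a lone `lua51.dll` next to a legitimate game is not.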
- T1071: Application Layer Protocol - the loader establishes C2 communication over standard application-layer protocols.
- T1059.003: Windows Command Shell - the bundled batch file runs the obfuscated Lua script through the included Lua compiler.
- T1027: Obfuscated Files or Information - the Lua scripts are obfuscated with the Prometheus obfuscator.
- T1046: Network Service Discovery - the scripts perform network checks to validate connectivity.
- T1053.005: Scheduled Task - the malware creates scheduled tasks for persistence.
- T1518.001: Security Software Discovery - information about the victim's system is collected and sent back to the attackers.
Indicators of Compromise:
- [IP Address] 77.73.129[.]64
- [IP Address] 185.221.198[.]82
- [IP Address] 146.19.128[.]146
- [Domain] solaraexec[.]cc
- [Domain] pastebin[.]com (legitimate paste service used for staging; treat as context for hunting, not as a block-list entry)
Full Story: https://www.morphisec.com/blog/threat-analysis-lua-malware/