Keypoints
- Threat actors hosted a malicious archive (Cheat.Lab.2.7.2.zip) inside a Microsoft vcpkg GitHub repository to lure users into installing the malware.
- The ZIP contains an MSI which installs three files: compiler.exe, lua51.dll (modified), and readme.txt (contains Lua/JIT bytecode).
- MSI execution runs compiler.exe (Lua JIT) with readme.txt as argument; the actor uses scheduled tasks plus a Windows Setup ErrorHandler trick for persistence and fallback execution.
- The Lua bytecode is obfuscated and rearranged in memory (memmove/fread), then executed via LuaJIT with ffi calls to Windows APIs (CreateMutexExW, LdrLoadDll, RegQueryValueEx, GetComputerNameA) to perform discovery and collection.
- C2 communication occurs over HTTP; the malware receives task IDs and uploads base64-encoded screenshots via HTTP PUT to /loader/screen (unique user-agent “Winter”).
- Runtime techniques include shipping a trojanised lua51.dll to control execution, using legitimate binaries (msiexec.exe, oobe\Setup.exe) as LOLBins, and storing JSON/metadata in inetCache.
- IOC artifacts include file names, hashes, and C2 IPs (see Indicators of Compromise section for examples).
MITRE Techniques
- [T1204] User Execution – Attackers abused a public GitHub repo to deliver malware: ‘GitHub is being abused to host the malware file at Microsoft’s official account in the vcpkg repository “https[:]//github[.]com/microsoft/vcpkg/files/14125503/Cheat.Lab.2.7.2.zip”’
- [T1140] Deobfuscate/Decode Files or Information – The actor stores malicious Lua bytecode in a text file and compiles it at runtime: ‘…the Lua bytecode. This approach provides the advantage of obfuscating malicious strings and avoiding the use of easily recognizable scripts…’
- [T1059] Command and Scripting Interpreter – Lua/JIT is used as the scripting/runtime engine to execute payload logic: ‘compiler.exe and lua51.dll are binaries … used here with readme.txt (which contains the Lua bytecode) to compile and execute at runtime.’
- [T1053.005] Scheduled Task – Persistence is established via scheduled tasks created during installation: ‘msiexec.exe creates a scheduled task to execute compiler.exe with readme.txt as an argument.’
- [T1218] Signed Binary Proxy Execution – Legitimate system binaries are used to proxy execution of the payload (LOLBin abuse): ‘Executing ErrorHandler.cmd uses a LolBin in the system32 folder.’
- [T1574.002] Hijack Execution Flow: DLL Search Order Hijacking – A trojanised lua51.dll is shipped and loaded to ensure malicious code runs: ‘lua51.dll is a supporting DLL for compiler.exe to function, so the threat actor has shipped the DLL along with the two files.’
- [T1027] Obfuscated Files or Information – Bytecode and memory operations are used to hide strings and logic (memmove/fread shuffling): ‘The bytecode from the readme.txt is moved randomly, changing the bytecode from one offset to another using the memmove API function.’
- [T1071.001] Application Layer Protocol: Web Protocols – C2 communications and data exfiltration occur over HTTP (including PUT to upload screenshots): ‘Communication with c2 occurs over HTTP.’ and ‘An HTTP PUT request was sent to the threat actors server with the URL /loader/screen.’
- [T1082] System Information Discovery – The Lua payload queries system identifiers from the registry and API calls (MachineGuid, ComputerName): ‘It retrieves the MachineGuid from the Windows registry using the RegQueryValueEx function…’ and ‘It retrieves the ComputerName from the Windows registry using the GetComputerNameA function…’
Indicators of Compromise
- [File name] malicious archive / installer – Cheat.Lab.2.7.2.zip (contains the MSI and Lua/JIT components)
- [File hash] installer / binaries – 5e37b3289054d5e774c02a6ec4915a60156d715f3a02aaceb7256cc3ebdc6610 (Cheat.Lab.2.7.2.zip), 873aa2e88dbc2efa089e6efd1c8a5370e04c9f5749d7631f2912bcb640439997 (lua51.dll), and 2 more hashes
- [URL] hosting / trojanised repo – https[:]//github[.]com/microsoft/vcpkg/files/14125503/Cheat.Lab.2.7.2.zip, hxxps://github.com/microsoft/STL/files/14432565/Cheater.Pro.1.6.0.zip
- [IP address] C2 server – 213[.]248[.]43[.]58 (attributed to Redline family, used to receive tasks and accept uploaded screenshots)
- [File name / resource] Lua bytecode and runtime files – readme.txt (contains Lua/JIT bytecode) – hash 751f97824cd211ae710655e60a26885cd79974f0f0a5e4e582e3b635492b4cad
McAfee’s analysis describes the infection path and runtime behavior as follows. Attackers uploaded a trojanised archive containing an MSI to Microsoft’s vcpkg and STL GitHub repositories. The MSI unpacks three artifacts: compiler.exe (a modified LuaJIT executable), lua51.dll (a trojanised supporting DLL), and readme.txt (the Lua bytecode). During install msiexec runs compiler.exe with readme.txt as an argument; compiler.exe loads lua51.dll, uses luaL_loadfile/fread to read the JIT bytecode, then uses memmove to rearrange and place portions of the bytecode in memory before executing it.
For persistence and stealth the installer creates scheduled tasks to run compiler.exe with the bytecode, copies the files to a randomized ProgramData path, and drops C:\Windows\Setup\Scripts\ErrorHandler.cmd. A scheduled task launches C:\Windows\system32\oobe\Setup.exe (a legitimate binary); when that binary is invoked without the expected argument it runs ErrorHandler.cmd, and this chain executes the renamed compiler binary (NzUW/NzUw.exe) as a fallback. The Lua payload uses ffi to call Windows APIs directly (LdrLoadDll, CreateMutexExW, RegOpenKeyExA/RegQueryValueEx, GetComputerNameA) to load libraries, create the mutex “winter750”, and gather identifiers such as MachineGuid and ComputerName.
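The persistence chain above (compiler.exe launched with readme.txt, the renamed copy in ProgramData, and oobe\Setup.exe falling back to ErrorHandler.cmd) can be hunted for in process-creation telemetry. The following triage is an added example, not code from the McAfee write-up; the event layout, the ProgramData folder name and the assumption that ErrorHandler.cmd shows up as a cmd.exe command line are constructed for illustration.

```python
import ntpath

# Artefacts named in the report: the LuaJIT loader and its bytecode argument,
# the ErrorHandler.cmd drop location and the legitimate OOBE Setup binary.
LOADER_IMAGE = "compiler.exe"
BYTECODE_FILE = "readme.txt"
ERROR_HANDLER = r"c:\windows\setup\scripts\errorhandler.cmd"
OOBE_SETUP = r"c:\windows\system32\oobe\setup.exe"
STAGING_ROOT = "c:\\programdata\\"

# Constructed process-creation events (parent image, image, command line).
# The ProgramData folder name "a1b2c3" is made up; other paths follow the report.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\System32\msiexec.exe",
     "image": r"C:\ProgramData\a1b2c3\compiler.exe",
     "cmdline": r'"C:\ProgramData\a1b2c3\compiler.exe" readme.txt'},
    {"parent": r"C:\Windows\System32\oobe\Setup.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd /c "C:\Windows\Setup\Scripts\ErrorHandler.cmd"'},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\ProgramData\a1b2c3\NzUw.exe",
     "cmdline": r'"C:\ProgramData\a1b2c3\NzUw.exe" readme.txt'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Editor\editor.exe",
     "cmdline": r'"C:\Program Files\Editor\editor.exe" readme.txt'},
]

def triage_event(ev):
    """Return the names of the report's persistence patterns this event matches."""
    image, parent = ev["image"].lower(), ev["parent"].lower()
    cmdline = ev["cmdline"].lower()
    reasons = []
    # Direct match on the loader name as shipped in the MSI.
    if ntpath.basename(image) == LOADER_IMAGE and BYTECODE_FILE in cmdline:
        reasons.append("compiler_exe_with_bytecode_file")
    # The fallback copy is renamed (NzUw.exe), so also key on any binary run
    # from ProgramData with the bytecode file as its argument.
    if image.startswith(STAGING_ROOT) and BYTECODE_FILE in cmdline:
        reasons.append("programdata_binary_with_bytecode_file")
    # The Setup ErrorHandler hook and the LOLBin that triggers it.
    if ERROR_HANDLER in cmdline:
        reasons.append("setup_errorhandler_executed")
    if parent == OOBE_SETUP:
        reasons.append("spawned_by_oobe_setup")
    return reasons

def triage(events):
    """Pair each event index with its matched patterns, skipping clean events."""
    hits = []
    for i, ev in enumerate(events):
        reasons = triage_event(ev)
        if reasons:
            hits.append((i, reasons))
    return hits
```

The benign editor opening readme.txt (last event) is deliberately left unflagged: the file name alone is too weak a signal without the loader name or the ProgramData staging path.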
At runtime the implant decodes layered-encoded strings (base64 and a custom substitution table), runs a decryption loop to obtain operational strings, and communicates with C2 over HTTP. The server issues task IDs (e.g., to capture screenshots); the client encodes images (base64) and sends them via HTTP PUT to /loader/screen using the “Winter” user-agent. Detection evasion includes storing bytecode in a text file, running LuaJIT to avoid common script interpreters, shipping a trojanised lua51.dll, and manipulating bytecode in memory to complicate static analysis.
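The C2 traffic described above (HTTP PUT to /loader/screen, the “Winter” user-agent, and the 213[.]248[.]43[.]58 server) is easy to match in web-proxy logs. Here is an added detection example, not code from the McAfee write-up; the proxy log layout, the internal hosts and the benign traffic are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Indicators from the McAfee write-up summarised above.
C2_IP = "213.248.43.58"
C2_UPLOAD_PATH = "/loader/screen"
C2_USER_AGENT = "Winter"

# Assumed proxy log layout (one record per line):
#   <timestamp> <src_ip> <dst_ip> <METHOD> <url> <status> ua="<user-agent>"
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<method>[A-Z]+) '
    r'(?P<url>\S+) (?P<status>\d{3}) ua="(?P<ua>[^"]*)"$'
)

# Constructed sample records: the C2 address, upload path and user-agent come
# from the report; timestamps, internal hosts and benign traffic are made up.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z 10.0.0.5 142.250.0.1 GET http://example.com/ 200 ua="Mozilla/5.0"
2024-03-01T10:00:07Z 10.0.0.5 213.248.43.58 GET http://213.248.43.58/ 200 ua="Winter"
2024-03-01T10:00:09Z 10.0.0.5 213.248.43.58 PUT http://213.248.43.58/loader/screen 200 ua="Winter"
2024-03-01T10:01:00Z 10.0.0.7 93.184.216.34 PUT http://93.184.216.34/loader/screen 404 ua="curl/8.0"
"""

def classify(record):
    """Return the list of indicator names a parsed record matches."""
    reasons = []
    if record["dst"] == C2_IP:
        reasons.append("c2_ip")
    if record["ua"] == C2_USER_AGENT:
        reasons.append("winter_user_agent")
    # A PUT to the upload path is suspicious even towards a different server,
    # since the IP may rotate while the loader path stays the same.
    if record["method"] == "PUT" and urlsplit(record["url"]).path == C2_UPLOAD_PATH:
        reasons.append("screenshot_upload")
    return reasons

def scan_proxy_log(text):
    """Parse each line and return hits as (line_number, src_ip, reasons)."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than abort the hunt
        reasons = classify(m.groupdict())
        if reasons:
            hits.append((lineno, m["src"], reasons))
    return hits

if __name__ == "__main__":
    for lineno, src, reasons in scan_proxy_log(SAMPLE_LOG):
        print(f"line {lineno}: {src} -> {', '.join(reasons)}")
```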
Read more: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/redline-stealer-a-novel-approach/