Key points
- Morphisec observed Lua-based loaders distributed in ZIP installers targeting gaming communities (Solara/Electron-themed lures).
- The ZIP typically contains lua51.dll, a thin loader (Compiler.exe), an obfuscated Lua script, and a Launcher.bat that starts the loader with the script as its argument.
- Obfuscation with the Prometheus obfuscator and anti-beautify checks (line-number tamper detection) hinder static analysis and cause runtime errors if reformatted.
- The Lua script uses the FFI library to call Windows APIs (shell32, advapi32, kernel32, wininet, etc.) by walking the PEB and using export tables.
- Persistence is implemented by copying files to AppData and creating scheduled tasks (schtasks / Register-ScheduledTask) with randomized task names; elevated flows add Defender exclusions via PowerShell.
- C2 is HTTP/S based: the loader sends encoded system data (MachineGuid, GUID, user, IP, geolocation, OS, architecture, screenshots) and receives JSON commands for ‘loader’ actions and ‘tasks’ to fetch payloads.
- Final-stage payloads observed include CypherIT loader/crypter and RedLine infostealer; fallback C2 retrieval uses alternate addresses and pastebin raw content if blocked.
MITRE Techniques
- [T1071] Application Layer Protocol – Used for C2: ‘Uses HTTP/S for communication with the C2 server.’
- [T1027] Obfuscated Files or Information – Obfuscation to evade analysis: ‘Utilizes obfuscated Lua scripts to evade detection.’
- [T1053] Scheduled Task/Job – Persistence mechanism: ‘Creates scheduled tasks for persistence.’
- [T1003] Credential Dumping – Data theft objective: ‘Harvests credentials from the compromised machine.’
- [T1486] Data Encrypted for Impact – Data protection prior to exfiltration: ‘Encrypts collected data before exfiltration.’
Indicators of Compromise
- [IP Address] C2 and payload hosts – 77.73.129[.]64, 185.221.198[.]82 (Lua loader C2), and 6 more IPs
- [Domain] Malicious/fake sites used for lure/distribution – solaraexec[.]cc, electronexec[.]com
- [URL / Hosting] Payload and task config locations – github[.]com/user-attachments/files/17057089/SolaraV3.zip, github[.]com/user-attachments/files/16737781/Electron.zip
- [Pastebin] C2 fallback retrieval – pastebin[.]com/raw/mmABULhh
- [File name] Delivered archive contents / installers – SolaraV3.zip, Electron.zip
- [Mutex] Runtime instance control – `1crorgz4bo93e47pxiiyklanj0mfswyjtxeg56nahc5sm58` (mutex string)
- [Registry] Unique identifier harvested – HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography (MachineGuid)
- [Hashes] Known artifacts – B3ecbe4132598ef7… (CypherIT), E09370c9adc09c15… (RedLine), and 8 more hashes
The technical attack flow begins with SEO-poisoned lures or fake executor sites linking to ZIP archives containing four components: lua51.dll (LuaJIT runtime), Compiler.exe (thin loader), an obfuscated Lua script (Prometheus), and a Launcher.bat that runs Compiler.exe with the script as an argument. Compiler.exe dynamically loads lua51.dll, invokes its exported SDK functions and passes the script to the Lua runtime. The script is now delivered as plain obfuscated Lua source rather than precompiled bytecode, so the malicious logic is interpreted at runtime instead of being executed from a compiled bytecode blob that might draw suspicion.
The obfuscated script employs Prometheus anti-reformatting checks (line-number tamper detection) and uses Lua’s FFI to execute native C calls by walking the PEB and resolving exports, enabling direct use of Windows APIs (shell32, advapi32, kernel32, wininet, shlwapi, etc.). Runtime behavior includes mutex creation, gathering MachineGuid and system metadata, validating network access (e.g., microsoft.com), taking screenshots, encoding collected data with a simple stream/XOR-plus-addition cipher then Base64, and POSTing to an HTTP/S C2. The server responds with either “blocked” or a JSON payload containing ‘loader’ commands (hide, relaunch, persistence, defender bypass) and ‘tasks’ that specify download links, target paths, execution methods (exe, DLL export, ps1, cmd), and configurations.
For persistence the script copies its artifacts to C:\Users\<user>\AppData\Local and creates scheduled tasks (schtasks / Register-ScheduledTask) with randomized task names; when running elevated it can invoke PowerShell to add Microsoft Defender exclusions. Payload delivery chains observed include the CypherIT loader/crypter and the RedLine infostealer. If the primary C2 addresses are blocked, the loader tries the alternates and finally a pastebin raw URL to retrieve a new C2, terminating if all of them fail. Analysts should focus on detecting the ZIP-based installer pattern, abnormal lua51.dll/Compiler.exe parent-child activity, Prometheus-style single-line scripts and anti-beautify errors, FFI calls to Windows APIs, scheduled-task creation patterns, and outbound HTTP/S POSTs carrying Base64-encoded MachineGuid-based identifiers.
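The detection guidance above, as an added example that is not part of the Morphisec report: a Python check run over constructed Sysmon-style process and image-load records, flagging the Launcher.bat to Compiler.exe parent-child chain, lua51.dll loaded from a user-writable directory, schtasks creation with a randomized-looking task name, and a PowerShell Defender exclusion. The record layout, user name, paths and task name are made up, and Add-MpPreference is assumed as the exclusion cmdlet since the report only says "PowerShell".

```python
import re

# Constructed Sysmon-style events (not from the Morphisec report); the paths,
# user name and task name are made up to mimic the chain described above.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'cmd.exe /c "C:\Users\alice\Downloads\SolaraV3\Launcher.bat"'},
    {"type": "process", "image": r"C:\Users\alice\Downloads\SolaraV3\Compiler.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'Compiler.exe "C:\Users\alice\Downloads\SolaraV3\script.lua"'},
    {"type": "imageload", "image": r"C:\Users\alice\Downloads\SolaraV3\Compiler.exe",
     "loaded": r"C:\Users\alice\Downloads\SolaraV3\lua51.dll"},
    {"type": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Users\alice\Downloads\SolaraV3\Compiler.exe",
     "cmdline": r'schtasks /create /tn "k3x9q2mz7vb1ph4dl8" /tr "C:\Users\alice\AppData\Local\Compiler.exe" /sc onlogon'},
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Users\alice\Downloads\SolaraV3\Compiler.exe",
     "cmdline": r"powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\alice\AppData\Local'"},
    {"type": "process", "image": r"C:\Windows\System32\schtasks.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'schtasks /create /tn "Nightly Backup" /tr backup.exe /sc daily'},  # benign control
]

USER_WRITABLE = re.compile(r"\\(Users\\[^\\]+\\(Downloads|AppData|Desktop)|Temp)\\", re.I)
TASK_NAME = re.compile(r'/tn\s+"?([^"\s]+)', re.I)

def is_random_task_name(name: str) -> bool:
    """Heuristic: one long alphanumeric token mixing letters and digits, no spaces."""
    return (len(name) >= 12 and name.isalnum()
            and any(c.isdigit() for c in name) and any(c.isalpha() for c in name))

def detect(events) -> list:
    hits = []  # (rule, detail) pairs, in event order
    for e in events:
        img = e["image"].lower()
        if e["type"] == "imageload":  # lua51.dll side-loaded from a user-writable path
            if e["loaded"].lower().endswith("lua51.dll") and USER_WRITABLE.search(e["loaded"]):
                hits.append(("lua51_from_user_dir", e["image"]))
            continue
        cmd = e["cmdline"]
        # Launcher.bat (cmd.exe) starting Compiler.exe with a .lua script argument
        if img.endswith("compiler.exe") and ".lua" in cmd.lower() and e["parent"].lower().endswith("cmd.exe"):
            hits.append(("bat_launches_lua_loader", e["image"]))
        if img.endswith("schtasks.exe") and "/create" in cmd.lower():  # randomized task names
            m = TASK_NAME.search(cmd)
            if m and is_random_task_name(m.group(1)):
                hits.append(("random_task_name", m.group(1)))
        # PowerShell adding a Defender exclusion (Add-MpPreference is an assumed cmdlet)
        if img.endswith("powershell.exe") and re.search(r"Add-MpPreference.*-Exclusion", cmd, re.I):
            hits.append(("defender_exclusion_added", e["parent"]))
    return hits
```

The randomized-name heuristic is deliberately loose; in production, pair it with the parent process (a non-system binary in a user directory calling schtasks) rather than using it alone.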
Read more: https://blog.morphisec.com/threat-analysis-lua-malware