Redline Stealer: A Novel Strategy

0
37

[ad_1]

Authored by Mohansundaram M and Neil Tyagi

A brand new packed variant of the Redline Stealer trojan was noticed within the wild, leveraging Lua bytecode to carry out malicious habits.
McAfee telemetry knowledge reveals this malware pressure may be very prevalent, overlaying North America, South America, Europe, and Asia and reaching Australia.
An infection Chain
 

GitHub was being abused to host the malware file at Microsoft’s official account within the vcpkg repository https[:]//github[.]com/microsoft/vcpkg/recordsdata/14125503/Cheat.Lab.2.7.2.zip

McAfee Net Advisor blocks entry to this malicious obtain
Cheat.Lab.2.7.2.zip is a zipper file with hash 5e37b3289054d5e774c02a6ec4915a60156d715f3a02aaceb7256cc3ebdc6610
The zip file accommodates an MSI installer.

The MSI installer accommodates 2 PE recordsdata and a purported textual content file.
Compiler.exe and lua51.dll are binaries from the Lua challenge. Nonetheless, they’re modified barely by a menace actor to serve their objective; they’re used right here with readme.txt (Which accommodates the Lua bytecode) to compile and execute at Runtime.
Lua JIT is a Simply-In-Time Compiler (JIT) for the Lua programming language.
The magic quantity 1B 4C 4A 02 sometimes corresponds to Lua 5.1 bytecode.
The above picture is readme.txt, which accommodates the Lua bytecode. This strategy gives the benefit of obfuscating malicious stings and avoiding using simply recognizable scripts like wscript, JScript, or PowerShell script, thereby enhancing stealth and evasion capabilities for the menace actor.
Upon execution, the MSI installer shows a consumer interface.

Throughout set up, a textual content message is displayed urging the consumer to unfold the malware by putting in it onto a pal’s laptop to get the total utility model.

Throughout set up, we will observe that three recordsdata are being written to Disk to C:program FilesCheat Lab Inc Cheat Lab path.

Beneath, the three recordsdata are positioned inside the brand new path.

 

Right here, we see that compiler.exe is executed by msiexec.exe and takes readme.txt as an argument. Additionally, the Blue Highlighted half reveals lua51.dll being loaded into compiler.exe. Lua51.dll is a supporting DLL for compiler.exe to perform, so the menace actor has shipped the DLL together with the 2 recordsdata.

Throughout set up, msiexec.exe creates a scheduled activity to execute compiler.exe with readme.txt as an argument.
Aside from the above method for persistence, this malware makes use of a 2nd fallback method to make sure execution.
It copies the three recordsdata to a different folder in program knowledge with a really lengthy and random path.

Word that the title compiler.exe has been modified to NzUW.exe.
Then it drops a file ErrorHandler.cmd at C:WindowsSetupScripts
The contents of cmd could be seen right here. It executes compiler.exe beneath the brand new title of NzUw.exe with the Lua byte code as a parameter.

Executing ErrorHandler.cmd makes use of a LolBin within the system32 folder. For that, it creates one other scheduled activity.

 

The above picture reveals a brand new activity created with Home windows Setup, which is able to launch C:Windowssystem32oobeSetup.exe with none argument.
Seems, when you place your payload in c:WINDOWSSetupScriptsErrorHandler.cmd, c:WINDOWSsystem32oobeSetup.exe will load it each time an error happens.

 
Supply: Add a Customized Script to Home windows Setup | Microsoft Study

c:WINDOWSsystem32oobeSetup.exe is anticipating an argument. When it’s not offered, it causes an error, which ends up in the execution of ErrorHandler.cmd, which executes compiler.exe, which hundreds the malicious Lua code.
We are able to verify this within the beneath course of tree.

We are able to verify that c:WINDOWSsystem32oobeSetup.exe launches cmd.exe with ErrorHandler.cmd script as argument, which runs NzUw.exe(compiler.exe)

It then checks the IP from the place it’s being executed and makes use of ip-API to realize that.

 

We are able to see the community packet from api-api.com; that is written as a JSON object to Disk within the inetCache folder.

We are able to see procmon logs for a similar.

We are able to see JSON was written to Disk.

C2 Communication and stealer exercise

Communication with c2 happens over HTTP.

We are able to see that the server despatched the duty ID of OTMsOTYs for the contaminated machine to carry out. (on this case, taking screenshots)
A base64 encoded string is returned.

An HTTP PUT request was despatched to the menace actors server with the URL /loader/display.
IP is attributed to the redline household, with many engines marking it as malicious.

Additional inspection of the packet reveals it’s a bitmap picture file.
The title of the file is Display.bmp
Additionally, notice the distinctive consumer agent used on this put request, i.e., Winter

After Dumping the bitmap picture useful resource from Wireshark to disc and opening it as a .bmp(bitmap picture) extension, we see.
The screenshot was despatched to the menace actors’ server.

Evaluation of bytecode File

It’s difficult to get the true decomplication of the bytecode file.
Many open supply decompilers had been used, giving a barely completely different Lua script.
The script file was not compiling and throwing some errors.

The script file was sensitized primarily based on errors in order that it could possibly be compiled.

One desk (var_0_19) is populated by passing knowledge values to 2 features.
Within the console output, we will see base64 encoded values being saved in var_0_19.
These base64 strings decode to extra encoded knowledge and to not plain strings.

All knowledge in var_0_19 is assigned to var_0_26

The identical method is populating 2nd desk (var_0_20)
It accommodates the substitution key for encoded knowledge.

The above pic is a decryption loop. It iterates over var_0_26 component by component and decrypts it.
This loop can also be very lengthy and accommodates many junk traces.
The loop ends with assigning the decrypted values again to var_0_26.

 

We place the breakpoint on line 1174 and watch the values of var_0_26.

As we hit the breakpoint a number of instances, we see extra encoded knowledge decrypted within the watch window.

 

We are able to see decrypted strings like Tamper Detected! In var_0_26

Loading luajit bytcode:
Earlier than loading the luajit bytecode, a brand new state is created. Every Lua state maintains its world surroundings, stack, and set of loaded libraries, offering isolation between completely different cases of Lua code.
It hundreds the library utilizing the Lua_openlib perform and hundreds the debug, io, math,ffi, and different supported libraries,
Lua jit bytecode loaded utilizing the luaL_loadfile export perform from lua51. It makes use of the fread perform to learn the jit bytecode, after which it strikes to the allotted reminiscence utilizing the memmove perform.
 
The bytecode from the readme. Textual content is moved randomly, altering the bytecode from one offset to a different utilizing the memmove API perform. The precise size of 200 bytes from the Jit bytecode is copied utilizing the memmove API perform.

It took desk values and processed them utilizing the beneath floating-point arithmetic and xor instruction.
It makes use of memmove API features to maneuver the bytes from the supply to the vacation spot buffer.
After additional evaluation, we discovered that c definition for variable and arguments which will likely be used on this script.
We’ve seen some API definitions, and it makes use of ffi for straight accessing Home windows API features from Lua code, examples of defining API features,
 
It creates the mutex with the title winter750 utilizing CreateMutexExW.
It Hundreds the dll at Runtime utilizing the LdrLoaddll perform from ntdll.dll. This perform known as utilizing luajit ffi.
It retrieves the MachineGuid from the Home windows registry utilizing the RegQueryValueEx perform through the use of ffi. Opens the registry key “SOFTWAREMicrosoftCryptography” utilizing RegOpenKeyExA—queries the worth of “MachineGuid” from the opened registry key.
It retrieves the ComputerName from the Home windows registry utilizing the GetComputerNameA perform utilizing ffi.
It gathers the next info and sends it to the C2 server.
It additionally sends the next info to the c2 server,

On this weblog, we noticed the varied strategies menace actors use to infiltrate consumer techniques and exfiltrate their knowledge.
Microsoft has since eliminated these recordsdata from the repositories.

Indicators of Compromise

Cheat.Lab.2.7.2.zip
5e37b3289054d5e774c02a6ec4915a60156d715f3a02aaceb7256cc3ebdc6610

Cheat.Lab.2.7.2.zip
https[:]//github[.]com/microsoft/vcpkg/recordsdata/14125503/Cheat.Lab.2.7.2.zip
 

lua51.dll
873aa2e88dbc2efa089e6efd1c8a5370e04c9f5749d7631f2912bcb640439997

readme.txt
751f97824cd211ae710655e60a26885cd79974f0f0a5e4e582e3b635492b4cad

compiler.exe
dfbf23697cfd9d35f263af7a455351480920a95bfc642f3254ee8452ce20655a

Redline C2
213[.]248[.]43[.]58

Trojanised Git Repo
hxxps://github.com/microsoft/STL/recordsdata/14432565/Cheater.Professional.1.6.0.zip

 

Introducing McAfee+
Identification theft safety and privateness on your digital life

Obtain McAfee+ Now

x3Cimg top=”1″ width=”1″ type=”show:none” src=”https://www.fb.com/tr?id=766537420057144&ev=PageView&noscript=1″ />x3C/noscript>’);

[ad_2]