URL: https://blog.morphisec.com/threat-analysis-lua-malware
NOT ALL FUN AND GAMES: LUA MALWARE TARGETS EDUCATIONAL SECTOR AND STUDENT GAMING
ENGINES

Posted by Shmuel Uzan on October 8, 2024
Recently, Morphisec Threat Labs identified and prevented multiple sophisticated
Lua malware variants targeting the educational sector. These attacks capitalize
on the popularity of Lua gaming engine supplements within the student gamer
community. 




INTRODUCTION 

In March 2024, OALabs reported on a new packed Lua loader aimed at the gaming
community. This report was followed in April by additional threat insights by
McAfee. In the months since, Morphisec Threat Labs observed its continued spread
and evolution, with telemetry data indicating that this malware strain is highly
prevalent across North America, South America, Europe, Asia, and even Australia.
This post provides an analysis of the loader associated with this persistent
attack. 

Over the past year, the delivery of Lua malware appears to have undergone
simplification, possibly to reduce exposure to detection mechanisms. The malware
is frequently delivered using obfuscated Lua scripts instead of compiled Lua
bytecode, as the latter can trigger suspicion more easily. 

We would like to credit @Herrcore for their assistance in some of the
deobfuscation efforts.

 


TECHNICAL INTRODUCTION



We have observed that users searching for game cheats often end up downloading
files from platforms like GitHub or similar sources. Today, Lua malware is
typically delivered in the form of an installer or a ZIP archive. The ZIP
archive usually contains four components: a Lua compiler, a Lua DLL file, an
obfuscated Lua script, and a batch file. The batch file executes the Lua script
by passing arguments to the Lua compiler. 

 * Lua51.dll - LuaJIT Runtime interpreter 

 * Compiler.exe - a thin compiled Lua loader 

 * Lua script – Malicious Lua script 

 * Launcher.bat - Batch script used to run Compiler.exe with the malicious
   script as parameter 

Post execution of the batch file, the loader establishes communication with a C2
server, sending details about the infected machine. In response, the server
provides tasks divided into two categories: Lua loader tasks, which involve
actions such as maintaining persistence or hiding processes, and task payloads,
which focus on downloading new payloads and applying configurations to them. 

We will get into more details throughout this post. 

 


DELIVERY TECHNIQUES 

The delivery techniques, such as SEO poisoning, remain largely unchanged from
those previously described by OALabs and McAfee. Notably, we identified an
advertisement for the Solara and Electron executors (popular cheating script
engines frequently associated with Roblox) leading to various Lua malware
variants hosted across multiple GitHub repositories. 





Most of the download links are associated with github.com/user-attachments push
requests. 








COMPILER.EXE AND LUA51.DLL 

The lua51.dll is a widely recognized runtime interpreter for Lua, often employed
as an “SDK” to extend the functionality of existing software through an
accessible and flexible scripting engine.  

The Compiler.exe acts as a lightweight loader, responsible for loading lua51.dll
and invoking its “SDK” exported functions to process the specified script. In
earlier campaigns, Compiler.exe was designed to load and execute Lua bytecode
using lua51.dll. However, in the more recent campaigns, it loads a plain Lua
script file instead, leveraging Lua's runtime capabilities to interpret the
obfuscated script dynamically, allowing for greater flexibility in executing
malicious logic. 




 


LUA SCRIPT (CONFIG) 

As previously identified by OALabs, the script is obfuscated using the
Prometheus obfuscator. In their analysis, they needed to decompile the bytecode;
however, in the recent campaigns described here, the parameter is no longer a
bytecode file but rather a directly obfuscated script file. 

Prometheus Obfuscator is a tool designed to enhance software security by
employing advanced obfuscation techniques. Its primary purpose is to protect
applications from reverse engineering and unauthorized access, making it
significantly more difficult for researchers to analyze and understand the code.
With capabilities such as code transformation and control flow obfuscation,
Prometheus ensures that the underlying logic remains concealed from scrutiny. 

 

The content of the Lua obfuscated script is seen below: 



A simple beautification of the script will result in (similar string structure
is identified at the bytecode file samples):  



Post deobfuscation, we can easily dump the strings from memory: 




 


ANTI-REVERSING 

The obfuscated code is initially written in a single line, and when using
formatting tools to reorganize the code structure for readability, an error
message “Tamper Detected!” appears during code execution. 



The obfuscator's method relies on line detection: it deliberately triggers an
error at least twice, from different locations in the code, and then checks
whether the reported line numbers are the same for both locations. Because the
obfuscated script is written on a single line, both errors report the same line
number; once the script has been reformatted, the two call sites land on
different lines and the check fails.

An example that demonstrates the technique: 

 

 1. The attacker defines a function that deliberately throws an error (division
    by zero).
 2. The function throws an error and parses the error message to learn which
    line of the code it occurred on. The `pcall` function calls another
    function and returns multiple values: the first indicates success, and the
    second contains the error message if the call failed. In this case, the
    error format in Lua is structured as `filename:line_number:message`.
 3. An additional inline function is generated to ensure that the error is
    thrown from a different location in the code. Upon execution, the function
    checks whether the line number in the error message matches the previous
    line number to determine whether the code has been edited.

Prometheus obfuscator implementation for this anti-reformatting /
anti-beautify functionality is well described here.



The attacker utilizes the `ffi` library for the direct execution of C code.



WHAT IS FFI? 

The FFI library allows Lua code to call C functions and use C data structures
directly without needing to write C wrapper code. This is particularly useful
for integrating Lua with C libraries or for improving the performance of certain
operations by leveraging native C functions. 

 

IMPORT MODULES AND FUNCTIONS 

The script imports the modules by traversing the PEB (Process Environment
Block), and then uses the module's EXPORT table: 

 * shell32.dll - SHGetFolderPathW, SHCreateDirectoryExW, PathFileExistsW

 * advapi32.dll - RegCreateKeyExW, RegSetValueExW, RegCloseKey, RegGetValueW,
   RegQueryValueExW, OpenProcessToken, GetTokenInformation,
   CryptAcquireContextW, CryptGenRandom, CryptReleaseContext, GetUserNameW

 * shlwapi.dll - PathFileExistsW

 * winbrand.dll - BrandingFormatString

 * kernel32.dll - WinExec, CreateMutexW, SetFileAttributesW,
   GetModuleFileNameW, CopyFileW

 * wininet.dll - InternetOpenW, InternetConnectW, HttpOpenRequestW,
   InternetOpenUrlW, HttpSendRequestW, InternetReadFile, InternetCloseHandle

 

MUTEX-BASED 

The script creates a mutex whose name is a long constant string.

In some cases, this string includes a concatenated, predefined number. 



PERSISTENCE 

The script establishes persistence by picking a random task name from a
predefined list and creating a scheduled task with the following command:

`schtasks /create /sc daily /st %02d:%02d /f <Name> /tn <App> /tr <Path>`



Potential task name list: 



INFORMATION GATHERING 

In the first stage, the script sets the `UserAgent` to the same name as the one
defined for the `mutex`, then issues a GET request to
`http://ip-api[.]com/json/` to retrieve information about the victim. During
this process, the script validates the network connection by attempting to
communicate with `https://www.microsoft.com`. 



Then the script retrieves the `MachineGuid` from the compromised machine (located
at `Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography`). This string
is concatenated with the `loaderId`, `GUID`, `computer name`, `user name`,
`IP`, `country`, `city`, `timezone`, `operating system`, and `architecture`.



Afterward, the script encodes the string using a simple symmetric encryption
method that combines a basic form of a stream cipher or XOR cipher with byte
addition. After encryption, the script converts the bytes to Base64 format. 



Finally, the script captures a screenshot of the compromised computer and sends
the collected data, along with the screenshot, to the adversary's C2. 

 

C2 COMMUNICATION  

After the data is sent to the attacker's server, the server can respond in one
of two ways: 

 1. Blocked – indicating the request is denied.
 2. JSON Response – commands of the following categories; `loader` and `tasks`.
    * Loader - These are actions for the "lua loader" to execute, such as
      hiding, restarting, maintaining persistence, etc.
    * Tasks - These are meant to load additional payloads and define which
      configurations should be applied when loading them.

If the server returns a "blocked" response, the malware attempts to connect to
an alternate predefined address. If that is also blocked, it accesses
pastebin[.]com/raw/mmABULhh to retrieve a new address. If all attempts fail, the
process terminates. 

If a valid response is received, the `lua loader` saves the output in the
`C:\Users\<User>\Pictures\` folder, using the machine's `GUID` as the filename.
After saving the file, the loader executes the required tasks and then sends a
response back to the server containing the task ID that was initially provided.
The observed payloads are CypherIT Loader / Crypter and RedLine. 



 


LOADER CONFIG 

 * bypass_defender - `powershell "Start-Process <#rand name> powershell <#rand
   name> -Verb <#rand name> runAs" -WindowStyle hidden -Argument
   'Add-MpPreference -ExclusionPath $env:SystemDrive -ExclusionExtension .exe,
   .dll -Force`

 * autorun - Create a task: `schtasks /create /sc daily /st <time> /f /tn
   <generated name> /tr "<compiler file> <script file>"`

 * relaunch - Implements a delay using a loop (`Sleep (1000);`)

 * tablet - Pop up a message with `MessageBoxW`

 * hide - Set the
   `FILE_ATTRIBUTE_READONLY|FILE_ATTRIBUTE_HIDDEN|FILE_ATTRIBUTE_SYSTEM` flags
   on the files with `SetFileAttributesW`

 * persistence - The script copies its files to the directory
   `C:\Users\john\AppData\Local\<folder>\` and creates a scheduled task using
   the following command: `schtasks /create /sc daily /st <time> /f /tn
   <generated name> /tr "<compiler file> <script file>"`

  

If the current process has elevated privileges, additional steps are taken to
bypass Windows Defender. 

`powershell -WindowStyle hidden Add-MpPreference -ExclusionPath <path> -Force` 
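As an added defender-side example (not Morphisec's code), the following Python classifies Windows process-creation command lines against the loader-config and task-config command templates above, so a triage script can flag the scheduled-task, Defender-exclusion, hidden-PowerShell and rundll32 patterns. The rules are heuristics written for this post, and every sample log line is constructed.

```python
"""Triage rules for the Lua loader's command patterns (added example)."""
import re
from dataclasses import dataclass, field

# (tag, pattern) pairs derived from the command templates in the loader and
# task config tables. They are heuristics for triage, not exact signatures.
RULES = [
    # daily schtasks entry whose action launches something under AppData\Local
    ("schtasks_appdata_persistence",
     re.compile(r"schtasks\s+/create\b.*?/sc\s+daily\b.*?/tr\s+\"?[^\"]*AppData\\Local\\", re.I)),
    # Defender exclusion covering the whole system drive (bypass_defender)
    ("defender_exclusion_systemdrive",
     re.compile(r"Add-MpPreference\b.*?-ExclusionPath\s+\$env:SystemDrive", re.I)),
    # Defender exclusion for every .exe and .dll
    ("defender_exclusion_exe_dll",
     re.compile(r"Add-MpPreference\b.*?-ExclusionExtension\s+\.exe,\s*\.dll", re.I)),
    # Register-ScheduledTask with a one-minute, run-once trigger (task 'exe')
    ("register_scheduledtask_oneshot",
     re.compile(r"Register-ScheduledTask\b.*?AddMinutes\(1\)\s*-Once", re.I)),
    # hidden PowerShell with ExecutionPolicy Bypass running a file (task 'ps1')
    ("powershell_hidden_bypass_file",
     re.compile(r"powershell\b.*?-WindowStyle\s+Hidden\b.*?-ExecutionPolicy\s+Bypass\b.*?-File\s+\S+", re.I)),
    # rundll32 invoking a named DLL export (task 'DLL')
    ("rundll32_export",
     re.compile(r"\brundll32(?:\.exe)?\s+\S+\.dll\s*,\s*\w+", re.I)),
]


@dataclass
class Finding:
    line_no: int                      # 1-based index into the scanned log
    tags: list = field(default_factory=list)
    cmdline: str = ""


def classify(cmdline: str) -> list:
    """Tags (in RULES order) whose pattern matches the command line."""
    return [tag for tag, rx in RULES if rx.search(cmdline)]


def scan(log_lines) -> list:
    """One Finding per line that matched at least one rule."""
    return [Finding(n, tags, line)
            for n, line in enumerate(log_lines, 1)
            if (tags := classify(line))]


def tag_counts(findings) -> dict:
    """How often each tag fired across the findings."""
    counts = {}
    for f in findings:
        for t in f.tags:
            counts[t] = counts.get(t, 0) + 1
    return counts


# Constructed sample process-creation command lines (not real telemetry).
# Lines 1-5 mirror the templates from the post; lines 6-8 are benign lookalikes.
SAMPLE_LOG = [
    r'schtasks /create /sc daily /st 09:30 /f /tn UpdaterTask /tr "C:\Users\john\AppData\Local\Solara\compiler.exe C:\Users\john\AppData\Local\Solara\script.lua"',
    r'powershell -WindowStyle hidden Add-MpPreference -ExclusionPath $env:SystemDrive -ExclusionExtension .exe, .dll -Force',
    r'''powershell -Command "Register-ScheduledTask -TaskName 'task' -Action (New-ScheduledTaskAction -Execute 'C:\Users\john\Desktop\payload.exe') -Trigger (New-ScheduledTaskTrigger -At (Get-Date).AddMinutes(1) -Once) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -StartWhenAvailable) -Force"''',
    r'powershell -WindowStyle Hidden -ExecutionPolicy Bypass -File C:\Users\john\AppData\Roaming\update.ps1',
    r'rundll32 C:\Users\john\AppData\Local\Temp\socket.dll, Start',
    r'schtasks /create /sc daily /st 03:00 /tn Backup /tr "C:\Program Files\Backup\backup.exe"',
    r"powershell Add-MpPreference -ExclusionPath 'C:\Dev\build' -Force",
    r'notepad.exe C:\Users\john\Documents\notes.txt',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f.line_no}: {', '.join(f.tags)}")
```

The benign lines show the intent of the narrower patterns: a daily task outside AppData or an exclusion for a single build directory does not fire.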

 


TASK CONFIG 

 * id - Task number

 * link - Link to download additional payloads

 * file_path - Which folder to write to (`AppData,Desktop ..`)

 * file_name - File location to be written

 * start - Whether to run the file or not, depending on its type:
   * `exe` - create a task and run `powershell -Command
     \"Register-ScheduledTask -TaskName 'task' -Action
     (New-ScheduledTaskAction -Execute '<task>') -Trigger
     (New-ScheduledTaskTrigger -At (Get-Date).AddMinutes(1) -Once) -Settings
     (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries
     -DontStopIfGoingOnBatteries -StartWhenAvailable) -Force\""`, or use
     `WinExec`
   * `DLL` - load it at run time with `LoadLibrary` and call the export named
     in `cfg`, or run the command `rundll32 <dll>, <export>`
   * `ps1` - `powershell -WindowStyle Hidden -ExecutionPolicy Bypass -File
     <file>`
   * `cmd` or `bat` - `cmd /c <file>`

 * autorun - Execute the file with a task

 * hide - Set the `FILE_ATTRIBUTE_HIDDEN` flag on the files with
   `SetFileAttributesW`

 * pump - Increase the size of the file

 * dll_loader - Used to load a DLL file and call a specific export

 * query - Whether there is a query for the link

 

Python code snippet for decoding the strings:




CONCLUSION 

Based on our investigation, the malware ultimately leads to the deployment of
infostealers, notably RedLine. Infostealers are gaining prominence in the
landscape because the credentials harvested in these attacks are sold to more
sophisticated groups for use in later stages of an attack. RedLine in
particular has a large dark web market for these harvested credentials. 

 


HOW MORPHISEC HELPS 

Automated Moving Target Defense (AMTD) from Morphisec effectively stops malware
attacks at various stages of the attack chain. Morphisec doesn't rely on
signatures or behavioral patterns. Instead, it uses its patented AMTD technology
to prevent the attack at its earliest stages, preemptively blocking attacks on
memory and applications, and effectively removing the need for response. 

Schedule a demo today to see how Morphisec stops Lua malware and other new and
emerging threats. 



 


IOCS 


 * pastebin[.]com/raw/mmABULhh - C2 Lua loader (fallback address source)

 * `1crorgz4bo93e47pxiiyklanj0mfswyjtxeg56nahc5sm58` - Mutex

 * Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography - Registry

 




RESOURCES 

 * GitHub Bug Used to Infect Game Hackers With Lua Malware (openanalysis.net)

 * Redline Stealer: A Novel Approach (mcafee.com)

 * Hooking LuaJIT (nickcano.com)

 * Threat Thursday: SunSeed Malware Targets Ukraine Refugee Aid Efforts
   (blackberry.com)

