Not All Fun and Games: Lua Malware Targets Educational Sector and Student Gaming Engines

Oct. 9, 2024, 4:05 p.m.

Description

Over the past year, the delivery of Lua malware appears to have undergone simplification, possibly to reduce exposure to detection mechanisms. The malware is frequently delivered using obfuscated Lua scripts instead of compiled Lua bytecode, as the latter can trigger suspicion more easily.

Date

  • Created: Oct. 9, 2024, 3:37 p.m.
  • Published: Oct. 9, 2024, 3:37 p.m.
  • Modified: Oct. 9, 2024, 4:05 p.m.

Indicators


Attack Patterns

  • Lua
  • T1113
  • T1573
  • T1102
  • T1027
  • T1059

Additional Information

  • Gaming