A new cybercriminal campaign is currently using game cheats to target gamers and academic organisations and infect them with the notorious Lua malware.
Initial reports revealed that these attacks take advantage of the popularity of Lua-based gaming engine extensions, which student players frequently use. Moreover, researchers discovered that the attacks target unwary users on multiple continents, including North America, South America, Europe, Asia, and Australia.
However, the surprising finding is that the Lua malware's delivery methods have been simplified in recent months, potentially helping it evade detection mechanisms. The assessment of the new malware notes that, instead of using compiled Lua bytecode, which can raise suspicion, the malware is deployed as disguised Lua scripts.
The Lua malware campaign’s vector for infection is malicious ZIP files.
According to investigations, the new Lua malware campaign operators typically send the payload as an installer or a ZIP archive. In addition, the attackers disguise the malware as game cheats or other gaming-related utilities to attract students looking to improve their gaming experience.
Once users download the infected file, typically from platforms like GitHub, they receive a ZIP archive containing four key components. The confirmed components are a runtime interpreter, a lightweight loader, an obfuscated Lua Script, and a batch file that executes the Lua script called Launcher.bat.
The batch file references Compiler.exe, which loads Lua51.dll and interprets the obfuscated Lua script once the loader has been executed. The malware then sends detailed information about the compromised device to a C2 server.
The command-and-control server responds with tasks that fall into two categories. The first is Lua Loader Tasks, which perform actions such as maintaining persistence or concealing processes. The other is Task Payloads, which carry instructions for downloading and configuring new payloads.
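The four-part archive layout described above (a runtime interpreter, Lua51.dll, an obfuscated Lua script, and a Launcher.bat that ties them together) is a pattern a defender can check for before an archive reaches a user. The following is an added example, not code from the article or from any of the researchers it cites: it builds a constructed, harmless ZIP that imitates that layout, then scans it for the combination of a batch file that invokes a bundled executable, a Lua51.dll, and a Lua file, and classifies each Lua file as compiled bytecode (the `\x1bLua` header written by luac) or plain text with cheap obfuscation indicators. The file names, contents and heuristics are assumptions for illustration.

```python
import io
import re
import zipfile

# Constructed sample archive mimicking the layout described in the article:
# an interpreter (Compiler.exe), Lua51.dll, an obfuscated Lua script, and a
# Launcher.bat that runs the interpreter on the script. Every file body is a
# harmless placeholder; nothing here is real malware.
SAMPLE_FILES = {
    "Launcher.bat": '@echo off\r\nstart "" Compiler.exe script.lua\r\n',
    "Compiler.exe": "MZ placeholder bytes (not a real PE)",
    "Lua51.dll": "MZ placeholder bytes (not a real PE)",
    "script.lua": 'local a = "' + "\\120" * 100 + '"\nloadstring(a)()\n',
}

# Header of a compiled Lua chunk as emitted by luac.
LUA_BYTECODE_MAGIC = b"\x1bLua"


def build_sample_zip(files=None) -> bytes:
    """Pack a dict of {name: content} into an in-memory ZIP."""
    files = SAMPLE_FILES if files is None else files
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


def classify_lua(data: bytes) -> dict:
    """Distinguish a compiled chunk from a plain-text script and, for the
    latter, collect simple obfuscation indicators (hypothetical heuristics)."""
    if data.startswith(LUA_BYTECODE_MAGIC):
        return {"kind": "bytecode", "obfuscation_hints": []}
    text = data.decode("utf-8", errors="replace")
    hints = []
    if re.search(r"\b(loadstring|load|dofile)\s*\(", text):
        hints.append("dynamic code loading")
    if re.search(r'"[^"\n]{200,}"', text):
        hints.append("long string literal")
    if re.search(r"(\\\d{1,3}){20,}", text):
        hints.append("decimal-escaped string")
    return {"kind": "script", "obfuscation_hints": hints}


def analyse_archive(zip_bytes: bytes) -> dict:
    """Report whether the archive matches the interpreter + Lua51.dll +
    Lua script + batch-launcher pattern, and what the batch file invokes."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        members = {i.filename: zf.read(i.filename)
                   for i in zf.infolist() if not i.is_dir()}

    def with_ext(ext):
        return [n for n in members if n.lower().endswith(ext)]

    bats, exes, luas = with_ext(".bat"), with_ext(".exe"), with_ext(".lua")
    has_lua51 = any(n.lower().rsplit("/", 1)[-1] == "lua51.dll" for n in members)

    # Which bundled executables does each batch file reference by name?
    batch_references = []
    for bat in bats:
        text = members[bat].decode("utf-8", errors="replace")
        for exe in exes:
            base = exe.rsplit("/", 1)[-1]
            if re.search(re.escape(base), text, re.IGNORECASE):
                batch_references.append(base)

    lua_reports = {n: classify_lua(members[n]) for n in luas}
    matches = bool(bats and exes and luas and has_lua51 and batch_references)
    return {
        "members": sorted(members),
        "has_lua51_dll": has_lua51,
        "batch_references": batch_references,
        "lua_scripts": lua_reports,
        "matches_pattern": matches,
    }


if __name__ == "__main__":
    report = analyse_archive(build_sample_zip())
    for key, value in report.items():
        print(f"{key}: {value}")
```

In practice the same check would run over archives at a download proxy or mail gateway; the `matches_pattern` flag is a triage signal for review, not a verdict, since legitimate Lua tooling can ship the same file types.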
Furthermore, these attacks employ search engine boosting strategies such as SEO poisoning, in which search results are manipulated so that more people are directed to malicious websites.
Student gamers and academic institutions related to the field should be wary of these activities. These targets should avoid suspicious downloads, especially those offering pirated tools such as cheats, to avoid getting infected by the new Lua malware.