Eagle Eye Security Blog
Published Apr 21, 2024 01:01 pm; last updated Apr 21, 2024 01:01 pm

Game Cheat Disguise: The New Stealth Approach of RedLine Stealer Variant

A new variant of the well-known RedLine Stealer malware has been discovered, leveraging Lua bytecode for added stealth and sophistication, according to findings from McAfee Labs. This malware variant is disguised as game cheats, indicating that gamers are the primary targets of this campaign.

RedLine Stealer, first identified in March 2020, is generally delivered via email and malvertising campaigns. It is capable of harvesting information such as saved credentials, autocomplete data, credit card information, and geolocation data from cryptocurrency wallets, VPN software, and web browsers.

The infection sequence identified by McAfee Labs abuses GitHub, using two of Microsoft's official repositories to host the malware-laden payload in the form of ZIP archives. The ZIP files, masquerading as game cheats, are fitted with an MSI installer designed to run the malicious Lua bytecode.

According to researchers Mohansundaram M. and Neil Tyagi, this approach provides the advantage of obfuscating malicious strings and avoiding the use of easily recognizable scripts, thereby enhancing stealth and evasion capabilities for the threat actor.

  • The MSI installer displays a message urging the victim to share the program with their friends to get the unlocked version of the software.
  • The "compiler.exe" executable within the installer runs the Lua bytecode embedded within the "readme.txt" file present in the ZIP archive, sets up persistence on the host using a scheduled task, and drops a CMD file.
  • In the final stage, "NzUw.exe" initiates communications over HTTP with a command-and-control (C2) server at an IP address attributed to RedLine.
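The chain above has a triage-friendly shape: a plain-looking "readme.txt" that is really a precompiled Lua chunk, packed next to an MSI installer and a "compiler.exe" that executes it. The following is an added example, not code from the blog post or from McAfee's report, showing how a defender could flag ZIP archives with that layout before they reach a user. The file names come from the post; the ESC "Lua" header is the standard signature of precompiled Lua bytecode, and the OLE compound-file header is what an MSI starts with. The two sample archives are constructed in memory for the demonstration.

```python
"""
Added example (not from the blog post or from McAfee's report): a small
triage check for ZIP archives laid out like the game-cheat lure described
above. File names ("readme.txt", "compiler.exe") come from the post; the
sample archives are constructed here so the script runs offline.
"""
import io
import zipfile

LUA_BYTECODE_MAGIC = b"\x1bLua"                    # header of a precompiled Lua chunk
MSI_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"    # OLE compound-file header used by MSI
MZ_MAGIC = b"MZ"                                   # DOS/PE executable header


def inspect_archive(data: bytes) -> dict:
    """Walk one ZIP archive (given as bytes) and record the traits of interest."""
    findings = {
        "lua_bytecode_in_text_file": [],   # text files whose content is Lua bytecode
        "has_msi": False,
        "has_compiler_exe": False,
    }
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            base = name.lower().rsplit("/", 1)[-1]
            with zf.open(info) as fh:
                head = fh.read(16)         # the first bytes are enough for every signature here
            # Name/content mismatch: a ".txt" that opens with the Lua bytecode header.
            if base.endswith(".txt") and head.startswith(LUA_BYTECODE_MAGIC):
                findings["lua_bytecode_in_text_file"].append(name)
            if base.endswith(".msi") or head.startswith(MSI_MAGIC):
                findings["has_msi"] = True
            if base == "compiler.exe" and head.startswith(MZ_MAGIC):
                findings["has_compiler_exe"] = True
    return findings


def is_suspicious(findings: dict) -> bool:
    """Flag an archive when bytecode hides in a text file next to the installer or the runner."""
    hidden_bytecode = bool(findings["lua_bytecode_in_text_file"])
    return hidden_bytecode and (findings["has_msi"] or findings["has_compiler_exe"])


def build_sample(with_lua: bool) -> bytes:
    """Constructed sample: the lure layout, or a benign look-alike with a real text readme."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if with_lua:
            readme = LUA_BYTECODE_MAGIC + b"\x00" * 32    # placeholder chunk body
        else:
            readme = b"Thanks for downloading!\n"
        zf.writestr("readme.txt", readme)
        zf.writestr("compiler.exe", MZ_MAGIC + b"\x00" * 62)
        zf.writestr("setup.msi", MSI_MAGIC + b"\x00" * 64)
    return buf.getvalue()


if __name__ == "__main__":
    for label, flag in (("lure-like", True), ("benign", False)):
        result = inspect_archive(build_sample(flag))
        print(label, "->", "SUSPICIOUS" if is_suspicious(result) else "clean", result)
```

The check keys on the mismatch between a file's name and its content rather than on any hash, so it survives trivial re-packing of the lure; pairing it with an MSI or the runner executable keeps a lone bytecode file (which has legitimate uses) from tripping the rule on its own.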

The malware functions more like a backdoor, carrying out tasks fetched from the C2 server and exfiltrating the results back to it. The exact method by which the links to the ZIP archives are distributed is presently unknown.

This development comes as Recorded Future detailed a "large-scale Russian-language cybercrime operation" that singles out the gaming community and leverages fake Web3 gaming lures to deliver malware capable of stealing sensitive information from macOS and Windows users.

It also follows a wave of malware campaigns targeting enterprise environments with loaders such as PikaBot and a new strain called NewBot Loader. "Attackers demonstrated a diverse range of techniques and infection vectors in each campaign, aiming to deliver the PikaBot payload," McAfee said.