{"id":188873,"date":"2024-04-17T11:19:09","date_gmt":"2024-04-17T18:19:09","guid":{"rendered":"https:\/\/www.mcafee.com\/blogs\/?p=188873"},"modified":"2024-04-19T12:05:03","modified_gmt":"2024-04-19T19:05:03","slug":"redline-stealer-a-novel-approach","status":"publish","type":"post","link":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/redline-stealer-a-novel-approach\/","title":{"rendered":"Redline Stealer: A Novel Approach"},"content":{"rendered":"<p><em>Authored by Mohansundaram M and Neil Tyagi<\/em><\/p>\n<p><center><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-188874 size-full\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/1.jpg\" alt=\"\" width=\"172\" height=\"172\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/1.jpg 172w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/1-150x150.jpg 150w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/1-129x129.jpg 129w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/1-24x24.jpg 24w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/1-48x48.jpg 48w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/1-96x96.jpg 96w\" sizes=\"auto, (max-width: 172px) 100vw, 172px\" \/><\/center><br \/>\nA new packed variant of the Redline Stealer trojan was observed in the wild, leveraging Lua bytecode to perform malicious behavior.<\/p>\n<p><center><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-188889 size-full\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/2.jpg\" alt=\"\" width=\"851\" height=\"436\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/2.jpg 851w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/2-300x154.jpg 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/2-768x393.jpg 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/2-205x105.jpg 
205w\" sizes=\"auto, (max-width: 851px) 100vw, 851px\" \/><\/center>McAfee telemetry data shows this malware strain is very prevalent, covering North America, South America, Europe, and Asia and reaching Australia.<\/p>\n<h2 style=\"text-align: left;\"><strong>Infection Chain<\/strong><\/h2>\n<p><center><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-188904 size-full\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/3.jpg\" alt=\"\" width=\"681\" height=\"383\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/3.jpg 681w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/3-300x169.jpg 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/3-205x115.jpg 205w\" sizes=\"auto, (max-width: 681px) 100vw, 681px\" \/><\/center>&nbsp;<\/p>\n<ul>\n<li>GitHub was being abused to host the malware file at Microsoft&#8217;s official account in the vcpkg repository <em><u>https[:]\/\/github[.]com\/microsoft\/vcpkg\/files\/14125503\/Cheat.Lab.2.7.2.zip<\/u><\/em><\/li>\n<\/ul>\n<p><center><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-188919 size-full\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/4.jpg\" alt=\"\" width=\"732\" height=\"424\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/4.jpg 732w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/4-300x174.jpg 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/4-205x119.jpg 205w\" sizes=\"auto, (max-width: 732px) 100vw, 732px\" \/><\/center><\/p>\n<ul>\n<li>McAfee Web Advisor blocks access to this malicious download<\/li>\n<li>Cheat.Lab.2.7.2.zip is a zip file with hash 5e37b3289054d5e774c02a6ec4915a60156d715f3a02aaceb7256cc3ebdc6610<\/li>\n<li>The zip file contains an MSI installer.<\/li>\n<\/ul>\n<p><center><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-189740 size-full\" 
src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/5-1.jpg\" alt=\"\" width=\"736\" height=\"229\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/5-1.jpg 736w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/5-1-300x93.jpg 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/5-1-205x64.jpg 205w\" sizes=\"auto, (max-width: 736px) 100vw, 736px\" \/><\/center><\/p>\n<ul>\n<li>The MSI installer contains 2 PE files and a purported text file.<br \/>\n<center><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-189755 size-full\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/6-1.jpg\" alt=\"\" width=\"936\" height=\"350\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/6-1.jpg 936w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/6-1-300x112.jpg 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/6-1-768x287.jpg 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/6-1-205x77.jpg 205w\" sizes=\"auto, (max-width: 936px) 100vw, 936px\" \/><\/center><\/li>\n<li>Compiler.exe and lua51.dll are binaries from the Lua project. 
However, they have been modified slightly by the threat actor to serve their purpose; they are used here with readme.txt (which contains the Lua bytecode) to compile and execute it at runtime.<\/li>\n<li>LuaJIT is a Just-In-Time Compiler (JIT) for the Lua programming language.<br \/>\n<center><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-189770 size-full\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/7-1.jpg\" alt=\"\" width=\"1005\" height=\"450\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/7-1.jpg 1005w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/7-1-300x134.jpg 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/7-1-768x344.jpg 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/7-1-205x92.jpg 205w\" sizes=\"auto, (max-width: 1005px) 100vw, 1005px\" \/><\/center><\/li>\n<li>The magic number <strong>1B 4C 4A 02<\/strong> typically corresponds to Lua 5.1 bytecode.<\/li>\n<li>The above image is readme.txt, which contains the Lua bytecode. 
This approach provides the advantage of obfuscating malicious strings and avoiding the use of easily recognizable scripts like wscript, JScript, or PowerShell script, thereby enhancing stealth and evasion capabilities for the threat actor.<\/li>\n<li>Upon execution, the MSI installer displays a user interface.<\/li>\n<\/ul>\n<p><center><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-188979 size-full\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/8.jpg\" alt=\"\" width=\"936\" height=\"715\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/8.jpg 936w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/8-300x229.jpg 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/8-768x587.jpg 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/8-169x129.jpg 169w\" sizes=\"auto, (max-width: 936px) 100vw, 936px\" \/><\/center><\/p>\n<ul>\n<li>During installation, a text message is displayed urging the user to spread the malware by installing it onto a friend&#8217;s computer to get the full application version.<\/li>\n<\/ul>\n<p><center><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-188994 size-full\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/9.jpg\" alt=\"\" width=\"511\" height=\"299\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/9.jpg 511w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/9-300x176.jpg 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/9-205x120.jpg 205w\" sizes=\"auto, (max-width: 511px) 100vw, 511px\" \/><\/center><\/p>\n<ul>\n<li>During installation, we can observe that three files are being written to disk under the <em>C:\\program Files\\Cheat Lab Inc\\ Cheat Lab\\ <\/em>path.<\/li>\n<\/ul>\n<p><center><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-189009 size-full\" 
src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/10.jpg\" alt=\"\" width=\"810\" height=\"263\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/10.jpg 810w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/10-300x97.jpg 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/10-768x249.jpg 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/10-205x67.jpg 205w\" sizes=\"auto, (max-width: 810px) 100vw, 810px\" \/><\/center><\/p>\n<ul>\n<li>Below, the three files are placed inside the new path.<\/li>\n<\/ul>\n<p><center><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-189024 size-full\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/11.jpg\" alt=\"\" width=\"907\" height=\"320\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/11.jpg 907w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/11-300x106.jpg 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/11-768x271.jpg 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/11-205x72.jpg 205w\" sizes=\"auto, (max-width: 907px) 100vw, 907px\" \/><\/center>&nbsp;<\/p>\n<p><center><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-189039 size-full\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/12.jpg\" alt=\"\" width=\"972\" height=\"227\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/12.jpg 972w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/12-300x70.jpg 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/12-768x179.jpg 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/12-205x48.jpg 205w\" sizes=\"auto, (max-width: 972px) 100vw, 972px\" \/><\/center><\/p>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li>Here, we see that compiler.exe is executed by msiexec.exe and takes readme.txt as 
an argument. Also, the blue-highlighted part shows lua51.dll being loaded into compiler.exe. Lua51.dll is a supporting DLL that compiler.exe needs in order to function, so the threat actor has shipped the DLL along with the other two files.<br \/>\n<center><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-189054 size-full\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/13.jpg\" alt=\"\" width=\"772\" height=\"244\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/13.jpg 772w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/13-300x95.jpg 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/13-768x243.jpg 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/13-205x65.jpg 205w\" sizes=\"auto, (max-width: 772px) 100vw, 772px\" \/><\/center><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li>During installation, msiexec.exe creates a scheduled task to execute compiler.exe with readme.txt as an argument.<\/li>\n<li>Apart from the above technique for persistence, this malware uses a 2<sup>nd<\/sup> fallback technique to ensure execution.<\/li>\n<li>It copies the three files to another folder in ProgramData with a very long and random path.<center><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-189069 size-full\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/14.jpg\" alt=\"\" width=\"1020\" height=\"233\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/14.jpg 1020w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/14-300x69.jpg 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/14-768x175.jpg 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/14-205x47.jpg 205w\" sizes=\"auto, (max-width: 1020px) 100vw, 1020px\" \/><\/center><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<ul>\n<li>Note that the name compiler.exe has been changed to 
NzUw.exe.<\/li>\n<li>It then drops a file, ErrorHandler.cmd, at <em><u>C:\\Windows\\Setup\\Scripts\\<\/u><\/em><\/li>\n<li>The contents of the .cmd file can be seen here. It executes compiler.exe under the new name of NzUw.exe with the Lua bytecode as a parameter.<\/li>\n<\/ul>\n<p><center><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-189084 size-full\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture16.jpg\" alt=\"\" width=\"936\" height=\"406\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture16.jpg 936w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture16-300x130.jpg 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture16-768x333.jpg 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture16-205x89.jpg 205w\" sizes=\"auto, (max-width: 936px) 100vw, 936px\" \/><\/center><\/p>\n<ul>\n<li>Executing ErrorHandler.cmd uses a LolBin in the system32 folder. 
For that, it creates another scheduled task.<\/li>\n<\/ul>\n<p><center><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-189099 size-full\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture17.jpg\" alt=\"\" width=\"1039\" height=\"101\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture17.jpg 1039w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture17-300x29.jpg 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture17-1024x100.jpg 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture17-768x75.jpg 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture17-205x20.jpg 205w\" sizes=\"auto, (max-width: 1039px) 100vw, 1039px\" \/><\/center>&nbsp;<\/p>\n<p><center><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-189114 size-full\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture18.jpg\" alt=\"\" width=\"758\" height=\"367\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture18.jpg 758w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture18-300x145.jpg 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture18-205x99.jpg 205w\" sizes=\"auto, (max-width: 758px) 100vw, 758px\" \/><\/center><\/p>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li>The above image shows a new task created with Windows Setup, which will launch C:\\Windows\\system32\\oobe\\Setup.exe without any argument.<\/li>\n<li>It turns out that if a script is placed at c:\\WINDOWS\\Setup\\Scripts\\ErrorHandler.cmd, c:\\WINDOWS\\system32\\oobe\\Setup.exe will run it whenever an error occurs.<br \/>\n<center><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-189129 size-full\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture19.jpg\" alt=\"\" width=\"807\" height=\"351\" 
srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture19.jpg 807w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture19-300x130.jpg 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture19-768x334.jpg 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture19-205x89.jpg 205w\" sizes=\"auto, (max-width: 807px) 100vw, 807px\" \/><\/center><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<p style=\"text-align: center;\">Source: <a href=\"https:\/\/learn.microsoft.com\/en-us\/windows-hardware\/manufacture\/desktop\/add-a-custom-script-to-windows-setup?view=windows-11\" target=\"_blank\" rel=\"noopener\">Add a Custom Script to Windows Setup | Microsoft Learn<\/a><\/p>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li>c:\\WINDOWS\\system32\\oobe\\Setup.exe expects an argument. When none is provided, it raises an error, which leads to the execution of ErrorHandler.cmd, which executes compiler.exe, which loads the malicious Lua code.<\/li>\n<li>We can confirm this in the process tree below.<br \/>\n<center><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-189144 size-full\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture20.jpg\" alt=\"\" width=\"964\" height=\"540\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture20.jpg 964w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture20-300x168.jpg 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture20-768x430.jpg 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture20-205x115.jpg 205w\" sizes=\"auto, (max-width: 964px) 100vw, 964px\" \/><\/center><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>We can confirm that c:\\WINDOWS\\system32\\oobe\\Setup.exe launches cmd.exe with the ErrorHandler.cmd script as its argument, which in turn runs NzUw.exe (compiler.exe).<\/p>\n<ul>\n<li style=\"list-style-type: 
none;\">\n<ul>\n<li>It then checks the public IP address of the machine it is running on, using the ip-api service to do so.<center><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-189159 size-full\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture21.jpg\" alt=\"\" width=\"936\" height=\"465\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture21.jpg 936w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture21-300x149.jpg 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture21-768x382.jpg 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture21-205x102.jpg 205w\" sizes=\"auto, (max-width: 936px) 100vw, 936px\" \/><\/center><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li>We can see the network packet from ip-api.com; the response is written as a JSON object to disk in the INetCache folder.<br \/>\n<center><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-189785 size-full\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture22-1.jpg\" alt=\"\" width=\"1005\" height=\"102\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture22-1.jpg 1005w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture22-1-300x30.jpg 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture22-1-768x78.jpg 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture22-1-205x21.jpg 205w\" sizes=\"auto, (max-width: 1005px) 100vw, 1005px\" \/><\/center><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li>The corresponding Procmon logs can be seen below.<br \/>\n<center><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-189189 size-full\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture23.jpg\" alt=\"\" width=\"1008\" 
height=\"187\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture23.jpg 1008w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture23-300x56.jpg 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture23-768x142.jpg 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture23-205x38.jpg 205w\" sizes=\"auto, (max-width: 1008px) 100vw, 1008px\" \/><\/center><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<ul>\n<li>We can see that the JSON was written to disk.<\/li>\n<\/ul>\n<h2><strong>C2 Communication and stealer activity<\/strong><\/h2>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li>Communication with the C2 occurs over HTTP.<center><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-189204 size-full\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture24.jpg\" alt=\"\" width=\"964\" height=\"487\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture24.jpg 964w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture24-300x152.jpg 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture24-768x388.jpg 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture24-205x104.jpg 205w\" sizes=\"auto, (max-width: 964px) 100vw, 964px\" \/><\/center><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li>We can see that the server sent the task ID OTMsOTYs for the infected machine to perform 
(in this case, taking screenshots).<br \/>\n<center><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-189800 size-full\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture25-1.jpg\" alt=\"\" width=\"1038\" height=\"330\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture25-1.jpg 1038w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture25-1-300x95.jpg 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture25-1-1024x326.jpg 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture25-1-768x244.jpg 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture25-1-205x65.jpg 205w\" sizes=\"auto, (max-width: 1038px) 100vw, 1038px\" \/><\/center><\/li>\n<li>A base64-encoded string is returned.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li><center><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-189234 size-full\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture26-e1713368129235.jpg\" alt=\"\" width=\"1027\" height=\"157\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture26-e1713368129235.jpg 1027w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture26-e1713368129235-300x46.jpg 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture26-e1713368129235-1024x157.jpg 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture26-e1713368129235-768x117.jpg 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture26-e1713368129235-205x31.jpg 205w\" sizes=\"auto, (max-width: 1027px) 100vw, 1027px\" \/><\/center><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li>An HTTP PUT request was sent to the threat actor&#8217;s server with the URL \/loader\/screen.<\/li>\n<li>The IP is attributed to the Redline 
family, with many engines marking it as malicious.<br \/>\n<center><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-189249 size-full\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture27.jpg\" alt=\"\" width=\"663\" height=\"462\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture27.jpg 663w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture27-300x209.jpg 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture27-185x129.jpg 185w\" sizes=\"auto, (max-width: 663px) 100vw, 663px\" \/><\/center><br \/>\n<center><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-189264 size-full\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture28.jpg\" alt=\"\" width=\"936\" height=\"498\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture28.jpg 936w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture28-300x160.jpg 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture28-768x409.jpg 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture28-205x109.jpg 205w\" sizes=\"auto, (max-width: 936px) 100vw, 936px\" \/><\/center><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<ul>\n<li>Further inspection of the packet shows it is a bitmap image file.<\/li>\n<li>The name of the file is Screen.bmp.<\/li>\n<li>Also, note the unique user agent used in this PUT request, i.e., Winter.<\/li>\n<\/ul>\n<p><center><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-189815 size-full\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture29-1.jpg\" alt=\"\" width=\"859\" height=\"585\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture29-1.jpg 859w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture29-1-300x204.jpg 300w, 
https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture29-1-768x523.jpg 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture29-1-189x129.jpg 189w\" sizes=\"auto, (max-width: 859px) 100vw, 859px\" \/><\/center><\/p>\n<ul>\n<li>After dumping the bitmap image from Wireshark to disk and opening it with a .bmp (bitmap image) extension, we see the following.<\/li>\n<li>The screenshot was sent to the threat actors&#8217; server.<\/li>\n<\/ul>\n<h2>Analysis of Bytecode File<\/h2>\n<ul>\n<li>It is challenging to obtain a true decompilation of the bytecode file.<\/li>\n<li>Several open-source decompilers were used, each giving a slightly different Lua script.<\/li>\n<li>The resulting script file would not compile and threw errors.<\/li>\n<\/ul>\n<p><center><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-189294 size-full\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture30.png\" alt=\"\" width=\"435\" height=\"470\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture30.png 435w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture30-278x300.png 278w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture30-119x129.png 119w\" sizes=\"auto, (max-width: 435px) 100vw, 435px\" \/><\/center><\/p>\n<ul>\n<li>The script file was sanitized based on these errors so that it could be compiled.<\/li>\n<\/ul>\n<ul>\n<li>Debugging process<\/li>\n<\/ul>\n<p><center><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-189309 size-full\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture31.jpg\" alt=\"\" width=\"986\" height=\"396\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture31.jpg 986w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture31-300x120.jpg 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture31-768x308.jpg 768w, 
https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture31-205x82.jpg 205w\" sizes=\"auto, (max-width: 986px) 100vw, 986px\" \/><\/center><\/p>\n<ul>\n<li>One table (var_0_19) is populated by passing data values to 2 functions.<\/li>\n<li>In the console output, we can see base64-encoded values being stored in var_0_19.<\/li>\n<li>These base64 strings decode to further encoded data, not to plain strings.<\/li>\n<\/ul>\n<p><center><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-189324 size-full\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture32.jpg\" alt=\"\" width=\"936\" height=\"122\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture32.jpg 936w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture32-300x39.jpg 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture32-768x100.jpg 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture32-205x27.jpg 205w\" sizes=\"auto, (max-width: 936px) 100vw, 936px\" \/><\/center><\/p>\n<ul>\n<li>All data in var_0_19 is assigned to var_0_26.<\/li>\n<\/ul>\n<p><center><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-189339 size-full\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture33.jpg\" alt=\"\" width=\"935\" height=\"415\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture33.jpg 935w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture33-300x133.jpg 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture33-768x341.jpg 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture33-205x91.jpg 205w\" sizes=\"auto, (max-width: 935px) 100vw, 935px\" \/><\/center><\/p>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li>The same technique populates a 2nd table (var_0_20).<\/li>\n<li>It contains the substitution key for the encoded 
data.<br \/>\n<center><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-189354 size-full\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture34.jpg\" alt=\"\" width=\"936\" height=\"442\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture34.jpg 936w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture34-300x142.jpg 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture34-768x363.jpg 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture34-205x97.jpg 205w\" sizes=\"auto, (max-width: 936px) 100vw, 936px\" \/><\/center><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li>The above image shows the decryption loop. It iterates over var_0_26 element by element and decrypts each one.<\/li>\n<li>This loop is also very long and contains many junk lines.<\/li>\n<li>The loop ends by assigning the decrypted values back to var_0_26.<br \/>\n<center><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-189369 size-full\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture35.jpg\" alt=\"\" width=\"935\" height=\"321\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture35.jpg 935w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture35-300x103.jpg 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture35-768x264.jpg 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture35-205x70.jpg 205w\" sizes=\"auto, (max-width: 935px) 100vw, 935px\" \/><\/center><br \/>\n<center><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-189384 size-full\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture36.jpg\" alt=\"\" width=\"935\" height=\"356\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture36.jpg 935w, 
https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture36-300x114.jpg 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture36-768x292.jpg 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture36-205x78.jpg 205w\" sizes=\"auto, (max-width: 935px) 100vw, 935px\" \/><\/center><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li>We place the breakpoint on line 1174 and watch the values of var_0_26.<br \/>\n<center><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-189399 size-full\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture37.jpg\" alt=\"\" width=\"935\" height=\"385\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture37.jpg 935w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture37-300x124.jpg 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture37-768x316.jpg 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture37-205x84.jpg 205w\" sizes=\"auto, (max-width: 935px) 100vw, 935px\" \/><\/center><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li>As we hit the breakpoint multiple times, we see more encoded data decrypted in the watch window.<br \/>\n<center><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-189414 size-full\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture40.jpg\" alt=\"\" width=\"679\" height=\"197\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture40.jpg 679w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture40-300x87.jpg 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture40-205x59.jpg 205w\" sizes=\"auto, (max-width: 679px) 100vw, 679px\" \/><\/center><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<ul>\n<li>We can see decrypted 
strings like Tamper Detected! in var_0_26<\/li>\n<\/ul>\n<h2><strong>Loading LuaJIT bytecode:<\/strong><\/h2>\n<p>Before loading the LuaJIT bytecode, a new Lua state is created. Each Lua state maintains its own global environment, stack, and set of loaded libraries, providing isolation between different instances of Lua code.<\/p>\n<p><center><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-189429 size-full\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture41.jpg\" alt=\"\" width=\"624\" height=\"117\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture41.jpg 624w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture41-300x56.jpg 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture41-205x38.jpg 205w\" sizes=\"auto, (max-width: 624px) 100vw, 624px\" \/><\/center>It loads the libraries using the Lua_openlib function, opening the debug, io, math, ffi, and other supported libraries.<\/p>\n<p><center><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-189444 size-full\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture42.jpg\" alt=\"\" width=\"769\" height=\"187\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture42.jpg 769w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture42-300x73.jpg 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture42-205x50.jpg 205w\" sizes=\"auto, (max-width: 769px) 100vw, 769px\" \/><\/center>The LuaJIT bytecode is loaded using the luaL_loadfile export function from lua51.dll. 
It uses the fread function to read the JIT bytecode and then moves it into the allocated memory using the memmove function.<\/p>\n<p><center><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-189830 size-full\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture43-1.jpg\" alt=\"\" width=\"780\" height=\"302\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture43-1.jpg 780w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture43-1-300x116.jpg 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture43-1-768x297.jpg 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture43-1-205x79.jpg 205w\" sizes=\"auto, (max-width: 780px) 100vw, 780px\" \/><\/center>&nbsp;<\/p>\n<p><center><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-189474 size-full\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture44.jpg\" alt=\"\" width=\"721\" height=\"198\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture44.jpg 721w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture44-300x82.jpg 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture44-205x56.jpg 205w\" sizes=\"auto, (max-width: 721px) 100vw, 721px\" \/><\/center>The bytecode read from readme.txt is moved around, relocating it from one offset to another using the memmove API function. 
Exactly 200 bytes of the JIT bytecode are copied using the memmove API function.<\/p>\n<p><center><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-189489 size-full\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture45.jpg\" alt=\"\" width=\"656\" height=\"187\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture45.jpg 656w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture45-300x86.jpg 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture45-205x58.jpg 205w\" sizes=\"auto, (max-width: 656px) 100vw, 656px\" \/><\/center><br \/>\nIt takes table values and processes them using the floating-point arithmetic and xor instructions shown below.<\/p>\n<p><center><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-189504 size-full\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture46-1.jpg\" alt=\"\" width=\"1430\" height=\"420\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture46-1.jpg 1430w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture46-1-300x88.jpg 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture46-1-1024x301.jpg 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture46-1-768x226.jpg 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture46-1-205x60.jpg 205w\" sizes=\"auto, (max-width: 1430px) 100vw, 1430px\" \/><\/center>It uses the memmove API function to move the bytes from the source to the destination buffer.<\/p>\n<p><center><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-189521 size-full\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture47.jpg\" alt=\"\" width=\"298\" height=\"312\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture47.jpg 298w, 
https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture47-287x300.jpg 287w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture47-123x129.jpg 123w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture47-24x24.jpg 24w\" sizes=\"auto, (max-width: 298px) 100vw, 298px\" \/><\/center>After further analysis, we found the C definitions for the variables and arguments used in this script.<\/p>\n<p><center><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-189536 size-full\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture48.jpg\" alt=\"\" width=\"286\" height=\"382\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture48.jpg 286w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture48-225x300.jpg 225w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture48-97x129.jpg 97w\" sizes=\"auto, (max-width: 286px) 100vw, 286px\" \/><\/center>We also see API definitions: the script uses the LuaJIT ffi library to call Windows API functions directly from Lua code. Examples of such API definitions:<\/p>\n<p><center><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-189551 size-full\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture49.jpg\" alt=\"\" width=\"599\" height=\"156\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture49.jpg 599w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture49-300x78.jpg 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture49-205x53.jpg 205w\" sizes=\"auto, (max-width: 599px) 100vw, 599px\" \/><\/center>&nbsp;<\/p>\n<p><center><br \/>\n<img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-189566 size-full\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture50.jpg\" alt=\"\" width=\"624\" height=\"285\" 
srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture50.jpg 624w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture50-300x137.jpg 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture50-205x94.jpg 205w\" sizes=\"auto, (max-width: 624px) 100vw, 624px\" \/><\/center>It creates the mutex with the name winter750 using CreateMutexExW.<\/p>\n<p><center><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-189860 size-full\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture51-1.jpg\" alt=\"\" width=\"624\" height=\"144\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture51-1.jpg 624w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture51-1-300x69.jpg 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture51-1-205x47.jpg 205w\" sizes=\"auto, (max-width: 624px) 100vw, 624px\" \/><\/center>It Loads the dll at Runtime using the LdrLoaddll function from ntdll.dll. This function is called using luajit ffi.<\/p>\n<p><center><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-189596 size-full\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture52.jpg\" alt=\"\" width=\"578\" height=\"261\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture52.jpg 578w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture52-300x135.jpg 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture52-205x93.jpg 205w\" sizes=\"auto, (max-width: 578px) 100vw, 578px\" \/><\/center>It retrieves the MachineGuid from the Windows registry using the RegQueryValueEx function by using ffi. 
It opens the registry key &#8220;SOFTWARE\\\\Microsoft\\\\Cryptography&#8221; using RegOpenKeyExA and queries the value of &#8220;MachineGuid&#8221; from the opened registry key.<\/p>\n<p><center><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-189875 size-full\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture53-3.jpg\" alt=\"\" width=\"624\" height=\"140\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture53-3.jpg 624w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture53-3-300x67.jpg 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture53-3-205x46.jpg 205w\" sizes=\"auto, (max-width: 624px) 100vw, 624px\" \/><\/center>It retrieves the ComputerName from the Windows registry using the GetComputerNameA function via ffi.<\/p>\n<p><center><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-189890 size-full\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture54-1.jpg\" alt=\"\" width=\"624\" height=\"250\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture54-1.jpg 624w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture54-1-300x120.jpg 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture54-1-205x82.jpg 205w\" sizes=\"auto, (max-width: 624px) 100vw, 624px\" \/><\/center>It gathers the following information and sends it to the C2 server.<\/p>\n<p><center><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-189905 size-full\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture55-1.jpg\" alt=\"\" width=\"563\" height=\"175\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture55-1.jpg 563w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture55-1-300x93.jpg 300w, 
https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture55-1-205x64.jpg 205w\" sizes=\"auto, (max-width: 563px) 100vw, 563px\" \/><\/center>It also sends the following information to the C2 server:<\/p>\n<p><center><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-189671 size-full\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture56.jpg\" alt=\"\" width=\"592\" height=\"169\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture56.jpg 592w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture56-300x86.jpg 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/Picture56-205x59.jpg 205w\" sizes=\"auto, (max-width: 592px) 100vw, 592px\" \/><\/center><\/p>\n<ul>\n<li>In this blog, we saw the various techniques threat actors use to infiltrate user systems and exfiltrate their data.<\/li>\n<\/ul>\n<h3><strong><u>Indicators of Compromise<\/u><\/strong><\/h3>\n<table width=\"724\">\n<tbody>\n<tr>\n<td width=\"150\">Cheat.Lab.2.7.2.zip<\/td>\n<td width=\"574\">5e37b3289054d5e774c02a6ec4915a60156d715f3a02aaceb7256cc3ebdc6610<\/td>\n<\/tr>\n<tr>\n<td width=\"150\">Cheat.Lab.2.7.2.zip<\/td>\n<td width=\"574\"><em><u>https[:]\/\/github[.]com\/microsoft\/vcpkg\/files\/14125503\/Cheat.Lab.2.7.2.zip<\/u><\/em><\/td>\n<\/tr>\n<tr>\n<td width=\"150\">lua51.dll<\/td>\n<td width=\"574\">873aa2e88dbc2efa089e6efd1c8a5370e04c9f5749d7631f2912bcb640439997<\/td>\n<\/tr>\n<tr>\n<td width=\"150\">readme.txt<\/td>\n<td width=\"574\">751f97824cd211ae710655e60a26885cd79974f0f0a5e4e582e3b635492b4cad<\/td>\n<\/tr>\n<tr>\n<td width=\"150\">compiler.exe<\/td>\n<td width=\"574\">dfbf23697cfd9d35f263af7a455351480920a95bfc642f3254ee8452ce20655a<\/td>\n<\/tr>\n<tr>\n<td width=\"150\">Redline C2<\/td>\n<td width=\"574\">213[.]248[.]43[.]58<\/td>\n<\/tr>\n<tr>\n<td width=\"150\">Trojanised Git Repo<\/td>\n<td 
width=\"574\">hxxps:\/\/github.com\/microsoft\/STL\/files\/14432565\/Cheater.Pro.1.6.0.zip<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Authored by Mohansundaram M and Neil Tyagi A new packed variant of the Redline Stealer trojan was observed in the&#8230;<\/p>\n","protected":false},"author":695,"featured_media":189703,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[442],"tags":[],"coauthors":[4136],"class_list":["post-188873","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-mcafee-labs"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v25.4 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Redline Stealer: A Novel Approach | McAfee Blog<\/title>\n<meta name=\"description\" content=\"Authored by Mohansundaram M and Neil Tyagi A new packed variant of the Redline Stealer trojan was observed in the wild, leveraging Lua bytecode to perform\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Redline Stealer: A Novel Approach | McAfee Blog\" \/>\n<meta property=\"og:description\" content=\"Authored by Mohansundaram M and Neil Tyagi A new packed variant of the Redline Stealer trojan was observed in the wild, leveraging Lua bytecode to perform\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/redline-stealer-a-novel-approach\/\" \/>\n<meta property=\"og:site_name\" content=\"McAfee Blog\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/McAfee\/\" \/>\n<meta property=\"article:author\" content=\"https:\/\/www.facebook.com\/McAfee\/\" 
\/>\n<meta property=\"article:published_time\" content=\"2024-04-17T18:19:09+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2024-04-19T19:05:03+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/300x200_Blog_061623.png\" \/>\n\t<meta property=\"og:image:width\" content=\"300\" \/>\n\t<meta property=\"og:image:height\" content=\"200\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"McAfee Labs\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@McAfee_Labs\" \/>\n<meta name=\"twitter:site\" content=\"@McAfee\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"McAfee Labs\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"7 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/redline-stealer-a-novel-approach\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/redline-stealer-a-novel-approach\/\"},\"author\":{\"name\":\"McAfee Labs\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/86f325fa6532a017d06d6b49a2f3b1ad\"},\"headline\":\"Redline Stealer: A Novel 
Approach\",\"datePublished\":\"2024-04-17T18:19:09+00:00\",\"dateModified\":\"2024-04-19T19:05:03+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/redline-stealer-a-novel-approach\/\"},\"wordCount\":1425,\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/redline-stealer-a-novel-approach\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/300x200_Blog_061623.png\",\"articleSection\":[\"McAfee Labs\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/redline-stealer-a-novel-approach\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/redline-stealer-a-novel-approach\/\",\"name\":\"Redline Stealer: A Novel Approach | McAfee Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/redline-stealer-a-novel-approach\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/redline-stealer-a-novel-approach\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/300x200_Blog_061623.png\",\"datePublished\":\"2024-04-17T18:19:09+00:00\",\"dateModified\":\"2024-04-19T19:05:03+00:00\",\"description\":\"Authored by Mohansundaram M and Neil Tyagi A new packed variant of the Redline Stealer trojan was observed in the wild, leveraging Lua bytecode to 
perform\",\"breadcrumb\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/redline-stealer-a-novel-approach\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/redline-stealer-a-novel-approach\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/redline-stealer-a-novel-approach\/#primaryimage\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/300x200_Blog_061623.png\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/300x200_Blog_061623.png\",\"width\":300,\"height\":200},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/redline-stealer-a-novel-approach\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Blog\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Other Blogs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"McAfee Labs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/\"},{\"@type\":\"ListItem\",\"position\":4,\"name\":\"Redline Stealer: A Novel Approach\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"name\":\"McAfee Blog\",\"description\":\"Internet Security 
News\",\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\",\"name\":\"McAfee\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"width\":1286,\"height\":336,\"caption\":\"McAfee\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/McAfee\/\",\"https:\/\/x.com\/McAfee\",\"https:\/\/www.linkedin.com\/company\/mcafee\/\",\"https:\/\/www.youtube.com\/McAfee\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/86f325fa6532a017d06d6b49a2f3b1ad\",\"name\":\"McAfee Labs\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/af947d76ffbef8521094b476cf8050c3\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/07\/Social-Media-PF-Logo-Pic-300x300-2-96x96.jpg\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/07\/Social-Media-PF-Logo-Pic-300x300-2-96x96.jpg\",\"caption\":\"McAfee Labs\"},\"description\":\"McAfee Labs is one of the leading sources for threat research, threat intelligence, and cybersecurity thought leadership. 
See our blog posts below for more information.\",\"sameAs\":[\"https:\/\/www.linkedin.com\/company\/mcafee\/\",\"https:\/\/www.facebook.com\/McAfee\/\",\"https:\/\/x.com\/McAfee_Labs\"],\"url\":\"https:\/\/www.mcafee.com\/blogs\/author\/mcafee-labs\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","_links":{"self":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/188873","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/users\/695"}],"replies":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/comments?post=188873"}],"version-history":[{"count":14,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/188873\/revisions"}],"predecessor-version":[{"id":189974,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/188873\/revisions\/189974"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/media\/189703"}],"wp:attachment":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/media?parent=188873"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/categories?post=188873"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/tags?post=188873"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/coauthors?post=188873"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}