{"id":7726,"date":"2024-04-30T10:18:50","date_gmt":"2024-04-30T10:18:50","guid":{"rendered":"\/cybersecurity-blog\/?p=7726"},"modified":"2024-05-02T05:38:17","modified_gmt":"2024-05-02T05:38:17","slug":"new-redline-version","status":"publish","type":"post","link":"https:\/\/any.run\/cybersecurity-blog\/new-redline-version\/","title":{"rendered":"New Redline Version: Uses Lua Bytecode, Propagates Through GitHub"},"content":{"rendered":"\n<p>A new packed Redline version <a href=\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/redline-stealer-a-novel-approach\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">was found<\/a> in the wild and it has new tricks that may make it challenging to detect.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">What\u2019s new?&nbsp;<\/h2>\n\n\n\n<p>McAfee Labs recently discovered a new Redline Stealer variant that uses Lua bytecode to hide its malicious code. This is the first time we&#8217;ve seen this technique used in <a href=\"https:\/\/any.run\/malware-trends\/redline\" target=\"_blank\" rel=\"noreferrer noopener\">Redline Stealer<\/a>.&nbsp;<\/p>\n\n\n\n<p>The malware was also found on GitHub, inside Microsoft&#8217;s official vcpkg repository: <strong>https[:]\/\/github[.]com\/microsoft\/vcpkg\/files\/14125503\/Cheat.Lab.2.7.2.zip<\/strong>. &nbsp;<\/p>\n\n\n\n<p>The attackers uploaded a malicious zip file named <strong>Cheat.Lab.2.7.2.zip<\/strong> to the repository. 
The zip file contains an MSI installer with two executable files:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>compiler.exe<\/strong>.&nbsp;<\/li>\n\n\n\n<li><strong>lua51.dll<\/strong>.&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>It also contains a text file <strong>readme.txt<\/strong> that holds the Lua bytecode.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">What are the implications?&nbsp;<\/h2>\n\n\n\n<p>Using <strong>Lua bytecode<\/strong> makes it harder for security software to detect the malware. 
Lua is a less common programming language, so many security tools might not be equipped to properly analyze it. The bytecode allows the attackers to obfuscate malicious strings and evade detection by traditional means.&nbsp;<\/p>\n\n\n\n<p>Distributing the malware through GitHub is also concerning. Recently, we wrote about a <a href=\"https:\/\/any.run\/cybersecurity-blog\/strrat-vcurms-phishing-campaign\/\" target=\"_blank\" rel=\"noreferrer noopener\">phishing campaign deploying STRRAT and VCURMS via GitHub<\/a>. In all of these cases, the commercial protection of this platform makes it harder to detect the malicious nature of the files, and because GitHub is so widely used to share code, many people don&#8217;t think twice before downloading the file hosted there.&nbsp; &nbsp;<\/p>\n\n\n\n<p>Is this a new trend, and will we see more malware using GitHub for distribution?&nbsp; &nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"681\" height=\"383\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/image-2.png\" alt=\"\" class=\"wp-image-7727\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/image-2.png 681w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/image-2-300x169.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/image-2-370x208.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/image-2-270x152.png 270w\" sizes=\"(max-width: 681px) 100vw, 681px\" \/><figcaption class=\"wp-element-caption\">New Redline version infection chain. 
<a href=\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/redline-stealer-a-novel-approach\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Source: McAfee<\/a><\/figcaption><\/figure><\/div>\n\n\n<h2 class=\"wp-block-heading\">How does the new Redline version work?&nbsp;<\/h2>\n\n\n\n<p>When someone runs the <strong>MSI installer<\/strong>, it creates a scheduled task to execute <strong>compiler.exe<\/strong> with <strong>readme.txt<\/strong> (the Lua bytecode) as an argument.&nbsp;<\/p>\n\n\n\n<p>The malware also sets up a second persistence method by copying itself to a hidden folder and creating a file called <strong>ErrorHandler.cmd<\/strong> at C:\\Windows\\Setup\\Scripts\\.&nbsp;<\/p>\n\n\n\n<p>The malware communicates with its C2 over HTTP. It can take screenshots and gather information about the infected computer, including:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Its IP address.&nbsp;<\/li>\n\n\n\n<li>Machine ID.&nbsp;<\/li>\n\n\n\n<li>Username.&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>Analyzing the Lua bytecode is tricky because it&#8217;s hard to decompile back into readable code. The script contains obfuscated data and a complex decryption loop.&nbsp;<\/p>\n\n\n\n<p>The malware uses Lua&#8217;s foreign function interface (FFI) to call Windows API functions directly, making it even harder to detect.&nbsp;<\/p>\n\n\n\n<p>Normally, when malware wants to interact with the Windows operating system (for example, to connect to C2), it has to use the standard Windows API functions, which are well-known and monitored by security software.&nbsp;<\/p>\n\n\n\n<p>By using Lua&#8217;s FFI, the malware can directly call the low-level Windows API functions, without going through the standard channels, effectively hiding in plain sight.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Sandbox analysis in ANY.RUN&nbsp;<\/h2>\n\n\n\n<p>Let\u2019s replicate the execution chain in ANY.RUN\u2019s interactive malware sandbox. 
We will run <a href=\"https:\/\/app.any.run\/tasks\/bbdd91c5-f73a-4964-9116-a0c78378f496\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=new_redline_version&amp;utm_term=300424&amp;utm_content=linktoservice\/\" target=\"_blank\" rel=\"noreferrer noopener\">this sample<\/a> and see how it would behave in a real system. &nbsp;<\/p>\n\n\n\n<p>We can see that the malware was hosted in a GitHub repository. The download, <strong>Cheat.Lab.2.7.2.zip<\/strong>, contained an MSI that installs modified Lua binaries to evade detection.&nbsp;<\/p>\n\n\n\n<p>The installation process writes three files, prompts users to spread the malware, and creates tasks for execution using system vulnerabilities. It communicates with a command-and-control server via HTTP, sending data and receiving tasks.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"583\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/image2-min-1024x583.png\" alt=\"\" class=\"wp-image-7728\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/image2-min-1024x583.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/image2-min-300x171.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/image2-min-768x438.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/image2-min-1536x875.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/image2-min-2048x1167.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/image2-min-370x211.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/image2-min-270x154.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/image2-min-740x422.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Static analysis of the <strong>Cheat.Lab.2.7.2.msi<\/strong> in ANY.RUN<\/figcaption><\/figure><\/div>\n\n\n<p>The MSI in the archive includes two PE files and a binary file with a .txt extension. 
Upon execution, <strong>msiexec<\/strong> runs <strong>Cheat.Lab.2.7.2.msi<\/strong>, which triggers the PE file <strong>compiler.exe<\/strong>.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"374\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/image3-1-1024x374.png\" alt=\"\" class=\"wp-image-7729\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/image3-1-1024x374.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/image3-1-300x110.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/image3-1-768x281.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/image3-1-370x135.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/image3-1-270x99.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/image3-1-740x271.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/image3-1.png 1318w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">The binary file readme.txt is used as an argument<\/figcaption><\/figure><\/div>\n\n\n<p>This PE file loads <strong>lua51.dll<\/strong> and uses the binary file <strong>readme.txt<\/strong> as an argument. Subsequently, <strong>compiler.exe<\/strong> retrieves IP addresses from <strong>pastebin.com<\/strong> and attempts to connect to them. 
It sends an HTTP PUT request to the server with <strong>\/loader\/screen\/<\/strong> as part of the URL and uses the user agent <strong>Winter <\/strong>(shown below).&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"585\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/image4-min-1024x585.png\" alt=\"\" class=\"wp-image-7730\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/image4-min-1024x585.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/image4-min-300x171.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/image4-min-768x439.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/image4-min-1536x877.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/image4-min-2048x1170.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/image4-min-370x211.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/image4-min-270x154.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/image4-min-740x423.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Easily analyze details of HTTP requests in <a href=\"http:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=new_redline_version&amp;utm_term=300424&amp;utm_content=linktolanding\/\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN<\/a>\u2019s network tab<\/figcaption><\/figure><\/div>\n\n\n<p>During our analysis, the complete execution chain could not be fully detailed because the C2 server was already inactive. &nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Wrapping up&nbsp;<\/h2>\n\n\n\n<p>Redline Stealer is a very popular malware. 
In fact, in <a href=\"https:\/\/any.run\/cybersecurity-blog\/malware-trends-q1-2024\/\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN&#8217;s Q1 Malware Trends report<\/a>, it was the 5th most frequently detected family in all public tasks uploaded to ANY.RUN&#8217;s sandbox. McAfee&#8217;s data also shows that this strain is widespread: they have seen it in North America, South America, Europe, Asia and Australia.&nbsp; &nbsp;<\/p>\n\n\n\n<p>This story is a good reminder that we need to be extra careful about the files we download \u2014 granted, in this case the file was masquerading as a cheat, which is never a good idea to download, but the same strategy can be applied to mimic a productivity application or script.&nbsp;<\/p>\n\n\n\n<p>When in doubt, you can always throw any suspicious files into a sandbox such as <a href=\"http:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=new_redline_version&amp;utm_term=300424&amp;utm_content=linktolanding\/\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN<\/a>, which will detect and highlight malicious activity through YARA and Suricata rules or behavioral signatures.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">About ANY.RUN&nbsp;&nbsp;<\/h2>\n\n\n\n<p>ANY.RUN helps more than 400,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, <a href=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=new_redline_version&amp;utm_term=300424&amp;utm_content=linktolookup\/\" target=\"_blank\" rel=\"noreferrer noopener\">TI Lookup<\/a>, <a href=\"https:\/\/any.run\/cybersecurity-blog\/yara-search\/\" target=\"_blank\" rel=\"noreferrer noopener\">Yara Search<\/a>, and <a href=\"https:\/\/any.run\/cybersecurity-blog\/threat-intelligence-feeds\/\" target=\"_blank\" rel=\"noreferrer noopener\">Feeds<\/a>, help you find IOCs or files to learn more about the threats and respond to incidents faster.&nbsp; &nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Advantages of ANY.RUN&nbsp;&nbsp;<\/h3>\n\n\n\n<p>ANY.RUN helps you analyze threats faster while improving detection rates. 
The platform detects common malware families with YARA and Suricata rules and identifies malware behavior with signatures when detection by family is not possible.&nbsp;<\/p>\n\n\n\n<p>With ANY.RUN you can:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Detect malware in under 40s<\/strong>: ANY.RUN detects malware within about 40 seconds of a file upload. It identifies prevalent malware families using YARA and Suricata rules and uses behavioral signatures to detect malicious actions when you encounter a new threat.&nbsp;<\/li>\n\n\n\n<li><strong>Interact with samples in real time<\/strong>: ANY.RUN is an interactive cloud sandbox powered by VNC, which means that you can do everything you could on a real system: browse webpages, click through installers, open password-protected archives.&nbsp;<\/li>\n\n\n\n<li><strong>Save time and money on sandbox setup and maintenance<\/strong>: ANY.RUN\u2019s cloud-based nature eliminates the need for setup or maintenance by your DevOps team, making it a cost-effective solution for businesses.&nbsp;&nbsp;<\/li>\n\n\n\n<li><strong>Record and study all aspects of malware behavior<\/strong>: ANY.RUN provides a detailed analysis of malware behavior, including network traffic, system calls, and file system changes.&nbsp;&nbsp;<\/li>\n\n\n\n<li><strong>Collaborate with your team<\/strong>: easily share analysis results, or, as a senior team member, check the work of junior analysts by viewing recordings of their analysis sessions.&nbsp;<\/li>\n\n\n\n<li><strong>Scale as you need<\/strong>: as a cloud service, you can easily scale your team, simply by adding more licenses.&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>Let us give you an interactive presentation of ANY.RUN and show you how it can help your security team.<\/p>\n\n\n\n<p><a 
href=\"https:\/\/app.any.run\/contact-us\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=new_redline_version&amp;utm_term=300424&amp;utm_content=linktocontactus\/\" target=\"_blank\" rel=\"noreferrer noopener\">Get in touch with us \u2192&nbsp;<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>A new packed Redline version was found in the wild and it has new tricks that may make it challenging to detect.&nbsp; What\u2019s new?&nbsp; McAfee Labs recently discovered a new Redline Stealer variant that uses Lua bytecode to hide its malicious code. This is the first time we&#8217;ve seen this technique used in Redline Stealer.&nbsp; [&hellip;]<\/p>\n","protected":false},"author":6,"featured_media":7732,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[60],"tags":[10,34],"class_list":["post-7726","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news","tag-cybersecurity","tag-malware-analysis"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v20.10 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>New Redline Version: Uses Lua Bytecode, spreads via GitHub<\/title>\n<meta name=\"description\" content=\"Learn about the new Redline Stealer variant that uses Lua bytecode to hide malicious code and spreads via Microsoft&#039;s vcpkg GitHub repo.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/any.run\/cybersecurity-blog\/new-redline-version\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Jack Zalesskiy and Stas Gaivoronskii\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"6 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/new-redline-version\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/new-redline-version\/\"},\"author\":{\"name\":\"Jack Zalesskiy and Stas Gaivoronskii\",\"@id\":\"https:\/\/any.run\/\"},\"headline\":\"New Redline Version: Uses Lua Bytecode, Propagates Through GitHub\",\"datePublished\":\"2024-04-30T10:18:50+00:00\",\"dateModified\":\"2024-05-02T05:38:17+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/new-redline-version\/\"},\"wordCount\":1225,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"keywords\":[\"cybersecurity\",\"malware analysis\"],\"articleSection\":[\"News\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/new-redline-version\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/new-redline-version\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/new-redline-version\/\",\"name\":\"New Redline Version: Uses Lua Bytecode, spreads via GitHub\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/\"},\"datePublished\":\"2024-04-30T10:18:50+00:00\",\"dateModified\":\"2024-05-02T05:38:17+00:00\",\"description\":\"Learn about the new Redline Stealer variant that uses Lua bytecode to hide malicious code and spreads via Microsoft's vcpkg GitHub 
repo.\",\"breadcrumb\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/new-redline-version\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/new-redline-version\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/new-redline-version\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"News\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/category\/news\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"New Redline Version: Uses Lua Bytecode, Propagates Through GitHub\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN&#039;s Cybersecurity Blog\",\"description\":\"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.\",\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/any.run\/?s={search_term_string}\"},\"query-input\":\"required 
name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN\",\"url\":\"https:\/\/any.run\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"width\":1,\"height\":1,\"caption\":\"ANY.RUN\"},\"image\":{\"@id\":\"https:\/\/any.run\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/www.any.run\/\",\"https:\/\/twitter.com\/anyrun_app\",\"https:\/\/www.linkedin.com\/company\/30692044\",\"https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ\"]},[{\"@type\":[\"Person\"],\"@id\":\"https:\/\/any.run\/\",\"name\":\"Jack Zalesskiy\",\"image\":{\"@type\":\"ImageObject\",\"@id\":\"https:\/\/any.run\/\",\"inLanguage\":\"en_US\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/03\/image1-min-1-1-1-1-150x150.webp\",\"caption\":\"Jack Zalesskiy\"}},{\"@type\":[\"Person\"],\"@id\":\"https:\/\/any.run\/\",\"name\":\"Stas Gaivoronskii\",\"image\":{\"@type\":\"ImageObject\",\"@id\":\"https:\/\/any.run\/\",\"inLanguage\":\"en_US\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/Stasphoto-150x150.png\",\"caption\":\"Stas Gaivoronskii\"}}]]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"New Redline Version: Uses Lua Bytecode, spreads via GitHub","description":"Learn about the new Redline Stealer variant that uses Lua bytecode to hide malicious code and spreads via Microsoft's vcpkg GitHub repo.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/any.run\/cybersecurity-blog\/new-redline-version\/","twitter_misc":{"Written by":"Jack Zalesskiy and Stas Gaivoronskii","Est. reading time":"6 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/any.run\/cybersecurity-blog\/new-redline-version\/#article","isPartOf":{"@id":"https:\/\/any.run\/cybersecurity-blog\/new-redline-version\/"},"author":{"name":"Jack Zalesskiy and Stas Gaivoronskii","@id":"https:\/\/any.run\/"},"headline":"New Redline Version: Uses Lua Bytecode, Propagates Through GitHub","datePublished":"2024-04-30T10:18:50+00:00","dateModified":"2024-05-02T05:38:17+00:00","mainEntityOfPage":{"@id":"https:\/\/any.run\/cybersecurity-blog\/new-redline-version\/"},"wordCount":1225,"commentCount":0,"publisher":{"@id":"https:\/\/any.run\/"},"keywords":["cybersecurity","malware analysis"],"articleSection":["News"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/any.run\/cybersecurity-blog\/new-redline-version\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/any.run\/cybersecurity-blog\/new-redline-version\/","url":"https:\/\/any.run\/cybersecurity-blog\/new-redline-version\/","name":"New Redline Version: Uses Lua Bytecode, spreads via GitHub","isPartOf":{"@id":"https:\/\/any.run\/"},"datePublished":"2024-04-30T10:18:50+00:00","dateModified":"2024-05-02T05:38:17+00:00","description":"Learn about the new Redline Stealer variant that uses Lua bytecode to hide malicious code and spreads via Microsoft's vcpkg GitHub 
repo.","breadcrumb":{"@id":"https:\/\/any.run\/cybersecurity-blog\/new-redline-version\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/any.run\/cybersecurity-blog\/new-redline-version\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/any.run\/cybersecurity-blog\/new-redline-version\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/any.run\/cybersecurity-blog\/"},{"@type":"ListItem","position":2,"name":"News","item":"https:\/\/any.run\/cybersecurity-blog\/category\/news\/"},{"@type":"ListItem","position":3,"name":"New Redline Version: Uses Lua Bytecode, Propagates Through GitHub"}]},{"@type":"WebSite","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/","name":"ANY.RUN&#039;s Cybersecurity Blog","description":"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.","publisher":{"@id":"https:\/\/any.run\/"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/any.run\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/any.run\/","name":"ANY.RUN","url":"https:\/\/any.run\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","contentUrl":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","width":1,"height":1,"caption":"ANY.RUN"},"image":{"@id":"https:\/\/any.run\/"},"sameAs":["https:\/\/www.facebook.com\/www.any.run\/","https:\/\/twitter.com\/anyrun_app","https:\/\/www.linkedin.com\/company\/30692044","https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ"]},[{"@type":["Person"],"@id":"https:\/\/any.run\/","name":"Jack 
Zalesskiy","image":{"@type":"ImageObject","@id":"https:\/\/any.run\/","inLanguage":"en_US","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/03\/image1-min-1-1-1-1-150x150.webp","caption":"Jack Zalesskiy"}},{"@type":["Person"],"@id":"https:\/\/any.run\/","name":"Stas Gaivoronskii","image":{"@type":"ImageObject","@id":"https:\/\/any.run\/","inLanguage":"en_US","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/Stasphoto-150x150.png","caption":"Stas Gaivoronskii"}}]]}},"_links":{"self":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/7726"}],"collection":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/comments?post=7726"}],"version-history":[{"count":5,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/7726\/revisions"}],"predecessor-version":[{"id":7740,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/7726\/revisions\/7740"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media\/7732"}],"wp:attachment":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media?parent=7726"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/categories?post=7726"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/tags?post=7726"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}