Live Stream VOD: GitHub Bug Used to Infect Game Hackers With Lua Malware (Patreon)
Published: 2024-03-12 14:16:42
In this stream we analyze a unique delivery chain that uses a bug in GitHub to mimic popular repositories and deploy malware. We also do a deep dive into Lua malware!
The first 30 minutes cover the GitHub delivery of the malware; the Lua work starts after that. The real Lua work starts around 2h 55m, when we build a custom LuaJIT interpreter with our own instrumentation hooks!
Special Thanks
Special thanks to the following people for helping with the Lua and GitHub analysis; this stream would not be possible without them <3
- @JustasMasiulis
- 0AVX
- Fish-Sticks
- Jollyc
- @xusheng6
- Themida for the sample 😉
Sample
The malware is delivered in a ZIP file (malshare). SHA-256 hashes of the contents:
- c912762952152c40646a61d7cc80a74f61ddd7aad292a1812f66e76b405f9660 Aimmy.bat (batch script used to run the Lua code in the interpreter)
- 1cf20b8449ea84c684822a5e8ab3672213072db8267061537d1ce4ec2c30c42a AimmyLauncher.exe (LuaJIT interpreter)
- d6d3c8ea51a025b3abeb70c9c8a17ac46cf82e5a46a259e9aaa9d245212d9e17 README.txt
- fa3224ec83c69883519941c0e010697bcdc0518a3d9e2c081cd54f5e9458b253 data (malicious compiled LuaJIT bytecode, magic bytes 1B 4C 4A)
- ff976f6e965e3793e278fa9bf5e80b9b226a0b3932b9da764bffc8e41e6cdb60 lua51.dll
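The `data` file above is only recognisable as compiled LuaJIT bytecode by its 1B 4C 4A header, since it has no telling extension. As an added triage helper (not code from the stream or from the sample), the Python below checks a blob for that header, reads the one-byte dump-format version that follows it (1 for LuaJIT 2.0, 2 for LuaJIT 2.1, per BCDUMP_VERSION in LuaJIT's lj_bcdump.h), distinguishes it from standard PUC Lua 5.1 bytecode, and hashes the blob so it can be compared against the SHA-256 values listed on this page. The sample byte strings are constructed for illustration and are not the real files.

```python
import hashlib
from typing import Optional

# LuaJIT bytecode dump header: ESC 'L' 'J' (0x1B 0x4C 0x4A), the magic noted on
# the page. It is followed by a one-byte dump-format version (1 = LuaJIT 2.0,
# 2 = LuaJIT 2.1, from BCDUMP_VERSION in LuaJIT's lj_bcdump.h) and a flags byte.
LUAJIT_MAGIC = b"\x1bLJ"
# Standard (PUC) Lua 5.1 bytecode starts with ESC 'L' 'u' 'a' 0x51 instead.
PUC_LUA51_MAGIC = b"\x1bLua\x51"

# SHA-256 of the malicious `data` file, copied from the sample list on this page.
KNOWN_BAD_SHA256 = {
    "fa3224ec83c69883519941c0e010697bcdc0518a3d9e2c081cd54f5e9458b253": "data (LuaJIT bytecode)",
}

# Constructed sample inputs (NOT the real files from the stream).
SAMPLE_LUAJIT = LUAJIT_MAGIC + b"\x02\x00" + b"\x00" * 16   # LuaJIT 2.1-style header
SAMPLE_PUC_LUA = PUC_LUA51_MAGIC + b"\x00" * 8              # PUC Lua 5.1 bytecode header
SAMPLE_TEXT = b"-- plain text script\nprint('hello')\n"       # uncompiled Lua source


def is_luajit_bytecode(data: bytes) -> bool:
    """True if the blob starts with the LuaJIT bytecode dump magic."""
    return data[:3] == LUAJIT_MAGIC


def luajit_dump_version(data: bytes) -> Optional[int]:
    """Dump-format version byte after the magic, or None if not LuaJIT bytecode."""
    if not is_luajit_bytecode(data) or len(data) < 4:
        return None
    return data[3]


def is_puc_lua51_bytecode(data: bytes) -> bool:
    """True if the blob is standard Lua 5.1 bytecode (not LuaJIT)."""
    return data[:5] == PUC_LUA51_MAGIC


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def triage(data: bytes) -> dict:
    """Classify a blob and report whether its hash matches a listed sample."""
    digest = sha256_hex(data)
    if is_luajit_bytecode(data):
        kind = "luajit-bytecode"
    elif is_puc_lua51_bytecode(data):
        kind = "lua51-bytecode"
    else:
        kind = "other"
    return {
        "kind": kind,
        "luajit_version": luajit_dump_version(data),
        "sha256": digest,
        "known_sample": KNOWN_BAD_SHA256.get(digest),
    }


if __name__ == "__main__":
    for label, blob in (("luajit", SAMPLE_LUAJIT),
                        ("puc-lua", SAMPLE_PUC_LUA),
                        ("text", SAMPLE_TEXT)):
        print(label, triage(blob))
```

Run against the extracted `data` file, the `kind` field flags LuaJIT bytecode regardless of file name, and `known_sample` is set when the hash matches the page's listed value; the version byte tells you which LuaJIT line (2.0 or 2.1) the interpreter shipped alongside it must be compatible with.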