GitHub Vulnerability and SEO Manipulation Facilitate Game Cheat Malware Distribution

Lua JIT malware

Security researchers at OALABS have exposed a complex malware campaign targeting gamers seeking cheats for a popular open-source aim bot called AIMMY. The attackers are leveraging a GitHub vulnerability and search engine optimization (SEO) techniques to fool unsuspecting users into downloading malware.

The Attack Chain in Detail

Image: OALABS

  1. Weaponizing GitHub: Attackers abuse a quirk in GitHub’s issue tracker, allowing them to upload a malware payload onto the legitimate AIMMY repository. This file, though linked from the cloned project, remains accessible even if the issue is discarded, making detection difficult.
  2. Deceptive Web Presence: A meticulously crafted fake AIMMY website is promoted through search engine optimization (SEO) poisoning, granting it high visibility in search results. To bolster its legitimacy, a cloned GitHub repository is also created, carefully obscured to avoid raising suspicions. By downloading and then re-uploading the repository under a new account rather than forking it, they severed visible ties to the original. Over seven thousand empty commits made in a short period painted the illusion of active development, culminating in a final commit that altered the project README to direct users to the malware-infected download link.

    Image: OALABS

  3. Malicious Payload Delivery: The cloned repository’s download link cunningly points to the malware-laced ZIP file hosted on the authentic AIMMY repository. This deceptive tactic increases the likelihood of users downloading the malware unwittingly.
  4. Obfuscated Lua Attack: The malware itself exhibits unusual complexity. It employs a Lua JIT file, a custom-compiled LuaJIT interpreter to execute the file, and a script for privilege escalation – suggesting a deliberate attempt to hinder reverse engineering.

Analysis Techniques

The payload delivered through this elaborate ruse is a Lua JIT malware, comprising a compiled LuaJIT executable and a batch script designed to escalate privileges. OALABS Research’s attempt to analyze this malware revealed it to be heavily obfuscated using an open-source Lua obfuscator known as Prometheus. The obfuscation techniques employed made traditional analysis challenging, pushing the researchers to adopt innovative strategies to decipher the malware’s true nature.

In an attempt to unravel the malware’s secrets, OALABS Research used dynamic tracing, leveraging techniques to intercept and analyze the Lua code at runtime. Despite initial hurdles, collaboration with the broader research community yielded a breakthrough. By modifying LuaJIT’s garbage collector to hook and dump strings before deletion, researchers could capture decrypted strings, unveiling the malware’s structure and its communication mechanisms with the command and control (C2) servers.

The Evolving Threat Landscape

This attack spotlights how cyber attackers continue to refine their techniques, targeting trusted platforms and exploiting user trust. The gaming community, along with open-source software developers, must remain especially vigilant as these environments often become prime targets for threat actors.