Distribution of SmartLoader Malware via Github Repository Disguised as a Legitimate Project
AhnLab SEcurity intelligence Center (ASEC) has recently identified large-scale distribution of the SmartLoader malware through GitHub repositories. The repositories are carefully crafted to look like legitimate projects and draw users in with topics such as game cheats, software cracks, and automation tools. Each repository contains a README file and a compressed archive, and the archive contains SmartLoader.
- SmartLoader Distribution URLs
hxxps://github[.]com/[Threat Actor Account]/Maple-Story-Menu/releases/download/v3.2.0/Maple.Story.Menu.v3.2.0.zip
hxxps://github[.]com/[Threat Actor Account]/Minecraft-Vape-Client/releases/download/v1.3.1/Minecraft.Vape.Client.v1.3.1.zip
hxxps://github[.]com/[Threat Actor Account]/ms-rewards-automation/releases/download/v1.8.1/ms-rewards-automation.v1.8.1.zip
hxxp://github[.]com/[Threat Actor Account]/ddos-protection/releases/download/uncork/ddos-protection-uncork.zip
hxxp://github[.]com/[Threat Actor Account]/strongvpn/releases/download/pseudobrotherly/strongvpn_pseudobrotherly.zip
hxxp://github[.]com/[Threat Actor Account]/VSDC-Video-Editor-Pro-Crack/releases/download/2.3.3/vsdc-video-editor-pro-crack-2.3.3.zip
hxxp://github[.]com/[Threat Actor Account]/Instagram-Followers-Booster-v2.4.5/releases/download/v1.3.6/instagram-followers-booster-v2.4.5-v1.3.6.zip
hxxps://github[.]com/[Threat Actor Account]/Call-of-Duty-Modern-Warfare-3-MW3-Hack-Cheat-Aimbot-Esp-Unban-Hwid-Unlocks-GunLVL/releases/download/desertless/Desertless.zip
hxxps://github[.]com/[Threat Actor Account]/MCP-Manager-GUI/releases/download/v1.6.1/MCP.Manager.GUI.v1.6.1.zip
hxxp://github[.]com/[Threat Actor Account]/Project-Zomboid-Hack/releases/download/scholae/project-zomboid-hack-scholae.zip
hxxps://github[.]com/[Threat Actor Account]/portfolio/raw/refs/heads/main/Software.zip
Searching for keywords such as game hack, software crack, or automation tool returns the GitHub repositories hosting SmartLoader at or near the top of the web search results (Figure 1 shows Google), so users reach them with no effort.

Figure 1. The SmartLoader distribution site being displayed at the top of Google search results
The GitHub repository disguised as a legitimate project contains a README file and other project-related files. The README is well written: it includes a project overview, a table of contents, key features, and installation and usage instructions, which makes it hard for ordinary users to recognize the repository as a malware distribution site. Users who follow the installation instructions download the compressed archive that contains the malware.

Figure 2. A GitHub repository disguised as a legitimate project (1)

Figure 3. GitHub repository disguised as a legitimate project (2)

Figure 4. Files inside the compressed file
The downloaded archive contains four files:
- File Features
java.exe: The legitimate LuaJIT executable (luajit.exe) renamed to java.exe (legitimate binary, malicious use)
Launcher.cmd: Batch file that runs java.exe with module.class as its argument (malicious)
lua51.dll: LuaJIT runtime library (legitimate)
module.class: Obfuscated Lua script (malicious)
When the user runs Launcher.cmd as the supposed installer, the renamed luajit.exe loads the obfuscated Lua script and SmartLoader starts. For persistence, SmartLoader copies luajit.exe (as ODE3.exe), module.class, and lua51.dll to “%AppData%\ODE3” and registers a scheduled task named “SecurityHealthService_ODE3” that runs it.
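The following Python is an added triage example, not ASEC's tooling and not part of the original analysis. It checks host artifacts for the dropper layout and persistence described above: lua51.dll sitting next to an executable that is not called luajit.exe (the renamed interpreter), a scheduled task named like the observed entries or launched from such a directory, and a process started from such a directory. The directory listing, task list, and process records are constructed samples; the generic "_ODE<digit>" task-name pattern is an assumption that generalizes the two task names reported in the analysis.

```python
import ntpath
import re

# Artifacts reported in the analysis.
LUAJIT_RUNTIME_DLL = "lua51.dll"
KNOWN_TASK_NAMES = {"SecurityHealthService_ODE3", "WindowsErrorRecovery_ODE4"}
# ASSUMPTION: "<WindowsLookingName>_ODE<n>" is treated as a family convention;
# only the two names above are confirmed by the report.
TASK_NAME_PATTERN = re.compile(r"^[A-Za-z]+_ODE\d+$")


def lua_runtime_dirs(listing: dict) -> list:
    """Directories where lua51.dll sits next to an .exe that is not luajit.exe.

    `listing` maps a directory path to the file names inside it.
    """
    hits = []
    for folder, files in listing.items():
        names = {f.lower() for f in files}
        if LUAJIT_RUNTIME_DLL not in names:
            continue
        exes = sorted(f for f in names if f.endswith(".exe") and f != "luajit.exe")
        scripts = sorted(f for f in names if not f.endswith((".exe", ".dll", ".cmd", ".bat")))
        if exes:  # a LuaJIT runtime whose interpreter hides under another name
            hits.append({"dir": folder, "renamed_luajit": exes, "script_candidates": scripts})
    return hits


def suspicious_tasks(tasks: list, runtime_dirs: list) -> list:
    """Scheduled tasks named like the observed ones or whose action runs from a Lua runtime dir."""
    dirs = {h["dir"].lower() for h in runtime_dirs}
    out = []
    for t in tasks:
        known = t["name"] in KNOWN_TASK_NAMES
        by_name = known or bool(TASK_NAME_PATTERN.match(t["name"]))
        by_path = ntpath.dirname(t["action"]).lower() in dirs
        if by_name or by_path:
            out.append({"name": t["name"], "action": t["action"],
                        "known_name": known, "from_lua_dir": by_path})
    return out


def suspicious_launches(procs: list, runtime_dirs: list) -> list:
    """Process starts whose image lives in a Lua runtime dir (e.g. java.exe module.class)."""
    dirs = {h["dir"].lower() for h in runtime_dirs}
    return [{"image": p["image"], "cmdline": p["cmdline"], "parent": p.get("parent")}
            for p in procs if ntpath.dirname(p["image"]).lower() in dirs]


def triage(listing: dict, tasks: list, procs: list) -> dict:
    """Run all three checks and return the findings grouped by artifact type."""
    rd = lua_runtime_dirs(listing)
    return {"runtime_dirs": rd,
            "tasks": suspicious_tasks(tasks, rd),
            "launches": suspicious_launches(procs, rd)}


# Constructed sample data mirroring the reported layout (not captured from a real host).
SAMPLE_LISTING = {
    r"C:\Users\victim\Downloads\Maple.Story.Menu.v3.2.0": ["java.exe", "Launcher.cmd", "lua51.dll", "module.class"],
    r"C:\Users\victim\AppData\Roaming\ODE3": ["ODE3.exe", "module.class", "lua51.dll"],
    r"C:\Program Files\LuaJIT": ["luajit.exe", "lua51.dll"],  # benign: interpreter under its own name
}
SAMPLE_TASKS = [
    {"name": "SecurityHealthService_ODE3", "action": r"C:\Users\victim\AppData\Roaming\ODE3\ODE3.exe"},
    {"name": "OneDrive Standalone Update Task", "action": r"C:\Program Files\Microsoft OneDrive\OneDriveStandaloneUpdater.exe"},
]
SAMPLE_PROCS = [
    {"image": r"C:\Users\victim\Downloads\Maple.Story.Menu.v3.2.0\java.exe", "cmdline": "java.exe module.class", "parent": "cmd.exe"},
    {"image": r"C:\Program Files\Java\bin\java.exe", "cmdline": "java.exe -jar app.jar", "parent": "explorer.exe"},
]

if __name__ == "__main__":
    for kind, rows in triage(SAMPLE_LISTING, SAMPLE_TASKS, SAMPLE_PROCS).items():
        for row in rows:
            print(kind, row)
```

The directory check is the anchor: a renamed luajit.exe is only recognizable by the lua51.dll beside it, so the task and process checks key off those directories rather than off the (easily changed) task and file names alone.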

Figure 5. Sending a screenshot (BMP file)

Figure 6. Transmission of system information (encoded form)
SmartLoader then sends a screenshot of the infected PC and its system information to the C2 server and carries out further actions according to the server's response. Data exchanged with the C2 server is not strongly encrypted but encoded: Base64 encoding combined with key-dependent byte operations. The path component of the C2 URL below is itself Base64 of a comma-separated list of hex bytes. The key is stored in obfuscated form inside the Lua script, but it can be recovered from the process's memory at runtime.
- C2
hxxp://89.169.13[.]215/api/YTAsODYsODIsOWQsYTEsODgsOTAsOTUsNjUsN2Qs

Figure 7. C2 response value
The response is JSON with two items, loader and tasks. loader is a configuration object that controls the malware's behavior, and tasks is a list of additional payloads to download and execute. Table 1 shows the data decoded with the recovered key.
| Item | Decoded data |
|---|---|
| loader | {"bypass_defender": 0, "autorun": 0, "relaunch": {"time": 3600, "status": false}, "tablet": {"text": "An error occurred", "status": false}, "hide": 0, "persistence": 1} |
| tasks | [{"id": 814, "link": "hxxps://github[.]com/kishoq123/Netrunner-Os-Abiy/releases/download/nasosubnasal/log.txt", "file_path": "AppData", "file_name": "Adobe\\adobe.lua", "start": 1, "autorun": 0, "relaunch": 0, "hide": 0, "pump": {"size": 100, "status": false}, "dll_loader": {"func": null, "type": "LoadLibrary"}, "delivery": "new"}, {"id": 819, "link": "hxxps://github[.]com/ngochoan1991/host/raw/ed0b087203fbe99717f2be9e93abc0cf9a4200c9/64.log", "file_path": "Temp", "file_name": "_x64.bin", "start": 1, "autorun": 0, "relaunch": 0, "hide": 0, "pump": {"size": -1, "status": false}, "dll_loader": {"func": null, "type": "LoadLibrary"}, "delivery": "new"}, {"id": 820, "link": "hxxps://github[.]com/ngochoan1991/host/raw/ed0b087203fbe99717f2be9e93abc0cf9a4200c9/86.log", "file_path": "Temp", "file_name": "_x86.bin", "start": 1, "autorun": 0, "relaunch": 0, "hide": 0, "pump": {"size": -1, "status": false}, "dll_loader": {"func": null, "type": "LoadLibrary"}, "delivery": "new"}] |
Table 1. Decoded loader and tasks data
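As an added example, not code from ASEC and not the malware's own routine, the following Python reproduces the encoding layers described above: a Base64 string that decodes to a comma-separated hex byte list, followed by a key-dependent byte operation, with JSON underneath. The byte operation is assumed here to be a repeating-key XOR and the key is a constructed placeholder; both are assumptions, since the page names neither the operation nor the key. The outer layer is checked against the observed C2 URL path, which decodes to ten hex bytes, and the sample response is the loader/tasks data from Table 1 (two of the three tasks). The task summary resolves each payload's drop location from the file_path and file_name fields.

```python
import base64
import json

# Path component of the C2 URL observed in the analysis (Base64 layer only, no key applied).
C2_PATH = "YTAsODYsODIsOWQsYTEsODgsOTAsOTUsNjUsN2Qs"

# Constructed placeholder; the real key is obfuscated in the Lua script and recovered from memory.
CONSTRUCTED_KEY = b"\x5a\xa5\x33"


def b64_hexlist_to_bytes(blob: str) -> bytes:
    """Undo the outer layer: Base64 -> 'a0,86,82,...' -> raw bytes."""
    text = base64.b64decode(blob).decode("ascii")
    return bytes(int(tok, 16) for tok in text.split(",") if tok)


def bytes_to_b64_hexlist(data: bytes) -> str:
    """Inverse of b64_hexlist_to_bytes, keeping the trailing comma seen in the sample."""
    text = "".join(f"{b:02x}," for b in data)
    return base64.b64encode(text.encode("ascii")).decode("ascii")


def byte_op(data: bytes, key: bytes) -> bytes:
    """ASSUMPTION: repeating-key XOR stands in for the page's unnamed 'byte operations'."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_c2_response(blob: str, key: bytes) -> dict:
    """Base64 -> hex list -> byte op -> JSON. A wrong key typically raises ValueError."""
    return json.loads(byte_op(b64_hexlist_to_bytes(blob), key).decode("utf-8"))


def encode_c2_response(obj: dict, key: bytes) -> str:
    """Server side of the same scheme; used here only to build a fixture."""
    return bytes_to_b64_hexlist(byte_op(json.dumps(obj).encode("utf-8"), key))


# Values of file_path seen in the tasks list, mapped to the Windows folder they denote.
WINDOWS_DIRS = {"AppData": "%AppData%", "Temp": "%Temp%"}


def summarize_tasks(resp: dict) -> list:
    """Triage view of the tasks list: payload id, source URL, drop path, loader type, autostart."""
    rows = []
    for t in resp.get("tasks", []):
        base = WINDOWS_DIRS.get(t.get("file_path"), t.get("file_path"))
        rows.append({
            "id": t["id"],
            "url": t["link"],
            "drop_path": f"{base}\\{t['file_name']}",
            "loader_type": t.get("dll_loader", {}).get("type"),
            "runs_on_delivery": bool(t.get("start")),
        })
    return rows


# Decoded loader/tasks data from Table 1 (first two tasks), used as a round-trip fixture.
SAMPLE_RESPONSE = {
    "loader": {"bypass_defender": 0, "autorun": 0,
               "relaunch": {"time": 3600, "status": False},
               "tablet": {"text": "An error occurred", "status": False},
               "hide": 0, "persistence": 1},
    "tasks": [
        {"id": 814, "link": "hxxps://github[.]com/kishoq123/Netrunner-Os-Abiy/releases/download/nasosubnasal/log.txt",
         "file_path": "AppData", "file_name": "Adobe\\adobe.lua", "start": 1,
         "dll_loader": {"func": None, "type": "LoadLibrary"}},
        {"id": 819, "link": "hxxps://github[.]com/ngochoan1991/host/raw/ed0b087203fbe99717f2be9e93abc0cf9a4200c9/64.log",
         "file_path": "Temp", "file_name": "_x64.bin", "start": 1,
         "dll_loader": {"func": None, "type": "LoadLibrary"}},
    ],
}

if __name__ == "__main__":
    print("C2 path bytes:", b64_hexlist_to_bytes(C2_PATH).hex(" "))
    wire = encode_c2_response(SAMPLE_RESPONSE, CONSTRUCTED_KEY)
    for row in summarize_tasks(decode_c2_response(wire, CONSTRUCTED_KEY)):
        print(row)
```

Only the outer Base64/hex-list layer is verified against the page; once the real byte operation and key are pulled from memory, replace byte_op and CONSTRUCTED_KEY and the rest of the pipeline applies unchanged to captured responses.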
At the time of analysis, tasks listed three payloads. After each payload runs, the task ID and the country code of the infected PC are reported to the C2 server (the tasks endpoint below). The downloaded files are encoded in the same way as the C2 traffic and are decoded and executed in memory. Each file functions as follows:
- C2
hxxp://89.169.13[.]215/tasks/YTAsODYsODIsOWQsYTEsODgsOTAsOTUsNjUsN2Qs
1. adobe.lua

Figure 8. Decoded adobe.lua
This file is an obfuscated malicious Lua script with the same functionality as module.class. For persistence it is registered in the Task Scheduler under the name “WindowsErrorRecovery_ODE4”. It sends a screenshot of the infected PC and system information to its C2 server and then acts on the server's response. At the time of analysis its tasks list was empty, so no further behavior could be identified.
- C2
hxxp://95.164.53[.]26/api/YTAsODYsODIsOWQsYTEsODgsOTAsOTUsNjUsN2Qs

Figure 9. C2 response value
2. _x64.bin

Figure 10. Decoded _x64.bin
This file is 64-bit shellcode identified as the Rhadamanthys infostealer. Rhadamanthys injects itself into legitimate Windows processes and ultimately exfiltrates sensitive information related to email, FTP, and online banking services to the threat actor’s server.
- Injection Target Processes
%Systemroot%\system32\openwith.exe
%Systemroot%\system32\dialer.exe
%Systemroot%\system32\dllhost.exe
%Systemroot%\system32\rundll32.exe
3. _x86.bin

Figure 11. Decoded _x86.bin
This file is 32-bit shellcode with the same functionality as _x64.bin; it is also Rhadamanthys.
SmartLoader is mainly used to download infostealer malware, and it has frequently been observed delivering Rhadamanthys, RedLine, and Lumma Stealer. Because search results for illicit or unofficial keywords such as game hacks, cracks, and automation tools very often lead to malware, software should be downloaded only from official sources. A meticulously written README does not make a repository trustworthy: check where the repository comes from, the credibility of the author, and the commit and activity history before downloading anything from it.