SmartLoader Malware Masquerades as Legitimate GitHub Repository to Infect Users

AhnLab Security Intelligence Center (ASEC) has uncovered a sophisticated campaign involving the massive dissemination of SmartLoader malware through GitHub repositories designed to mimic legitimate software projects.

These repositories target users searching for popular illicit content such as game cheats, software cracks, and automation tools, and they surface near the top of Google and GitHub search results for keywords like “game hacks” or “software crack”.

Each repository features a polished README file with project overviews, feature lists, and installation guides, making them indistinguishable from genuine open-source initiatives at first glance.

Deceptive GitHub Repos

Users are lured into downloading compressed files that harbor the malware, often under the guise of tools for games like Maple Story, Minecraft, or Call of Duty, or utilities like Instagram boosters and VPN cracks.

A GitHub repository disguised as a legitimate project

This tactic exploits the trust placed in GitHub’s ecosystem: the threat actors create accounts to host the deceptive repos and attach the malicious payloads as release downloads, with URLs such as hxxps://github[.]com/[Threat Actor Account]/Maple-Story-Menu/releases/download/v3.2.0/Maple.Story.Menu.v3.2.0.zip.

The compressed archives contain four key files: a legitimate Lua loader (java.exe, actually luajit.exe), a malicious batch script (Launcher.cmd), a runtime interpreter (lua51.dll), and an obfuscated Lua script (module.class).

Files inside the compressed file

When Launcher.cmd is executed, it invokes the renamed luajit.exe (java.exe) to load the obfuscated Lua script, which activates SmartLoader. The loader then establishes persistence by copying its files to %AppData%ODE3 and registering a scheduled task named “SecurityHealthService_ODE3”.

Payload Delivery

Once activated, SmartLoader captures screenshots of the infected system as BMP files and collects encoded system information, transmitting them to a command-and-control (C2) server at addresses like hxxp://89.169.13[.]215/api/YTAsODYsODIsOWQsYTEsODgsOTAsOTUsNjUsN2Qs.

Data exchanges are protected with Base64 encoding and byte-level manipulation, using keys hidden in the obfuscated Lua script; the keys can be recovered from the process’s memory at runtime.

The C2 responds in JSON format, including “loader” configurations for behaviors like bypassing defenses or enabling persistence, and “tasks” listing payloads to fetch and execute.

Analysis revealed three payloads. The first is an additional obfuscated Lua script (adobe.lua) that mirrors the functions of module.class, registering persistence as “WindowsErrorRecovery_ODE4” and communicating with a second C2 at hxxp://95.164.53[.]26/api/YTAsODYsODIsOWQsYTEsODgsOTAsOTUsNjUsN2Qs. The other two are shellcode variants (_x64.bin and _x86.bin) identified as the Rhadamanthys infostealer, built for 64-bit and 32-bit environments respectively.

Rhadamanthys injects into legitimate Windows processes such as openwith.exe, dialer.exe, dllhost.exe, and rundll32.exe, exfiltrating sensitive data related to emails, FTP, and online banking.

Post-execution, task IDs and victim country codes are relayed to C2 endpoints like hxxp://89.169.13[.]215/tasks/YTAsODYsODIsOWQsYTEsODgsOTAsOTUsNjUsN2Qs.

SmartLoader’s role as a downloader for infostealers like Rhadamanthys, Redline, and Lumma Stealer underscores its versatility in malware ecosystems.

To mitigate the risk, users should verify a repository’s authenticity by examining the author’s credibility, the commit history, and the legitimacy of the source code, and should obtain software exclusively from official channels.

Even a well-documented repository can be malicious, which underlines the need for robust endpoint detection and response tooling.
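Two triage checks a defender can derive from the behaviour described above, written here as an added example rather than code from ASEC or from the campaign: one flags archives that carry the four-file loader kit (and, going beyond the report, any lua51.dll shipped beside a .cmd launcher and an executable not named like a Lua binary), the other finds proxy log entries whose URL has the /api/<base64> or /tasks/<base64> shape of the C2 traffic. The log lines are constructed for the demo, with the C2 addresses taken from the report body and a placeholder in place of the actor’s GitHub account.

```python
import base64
import binascii
import re

# Archive contents and C2 URL shape as given in the report.
LOADER_FILES = {"java.exe", "lua51.dll", "launcher.cmd", "module.class"}
C2_PATH = re.compile(r"^https?://[^/\s]+/(api|tasks)/([A-Za-z0-9+/=]{16,})$")

# Constructed proxy log lines (not from the report); the first and third URLs
# reproduce C2 endpoints from the report body, the account name is a placeholder.
SAMPLE_PROXY_LOG = [
    "10.0.0.7 GET http://89.169.13.215/api/YTAsODYsODIsOWQsYTEsODgsOTAsOTUsNjUsN2Qs 200",
    "10.0.0.7 GET https://github.com/PLACEHOLDER-ACCOUNT/Maple-Story-Menu/releases/download/v3.2.0/Maple.Story.Menu.v3.2.0.zip 200",
    "10.0.0.7 POST http://89.169.13.215/tasks/YTAsODYsODIsOWQsYTEsODgsOTAsOTUsNjUsN2Qs 200",
    "10.0.0.9 GET https://api.example.org/api/users 200",
]

def archive_is_suspicious(member_names):
    """True for the exact SmartLoader file set, and (generalised beyond the page)
    for any lua51.dll shipped next to a .cmd launcher and an .exe not named like
    a Lua binary, since the kit runs luajit.exe under a benign name (java.exe)."""
    names = {n.rsplit("/", 1)[-1].lower() for n in member_names}
    if LOADER_FILES <= names:
        return True
    has_runtime = "lua51.dll" in names
    has_launcher = any(n.endswith(".cmd") for n in names)
    renamed_exe = any(n.endswith(".exe") and not n.startswith("lua") for n in names)
    return has_runtime and has_launcher and renamed_exe

def c2_hits(log_lines):
    """Return (url, decoded_path) for entries whose URL has the /api/<base64> or
    /tasks/<base64> shape of SmartLoader C2 traffic. The decoded text is kept as
    evidence only; the report does not say what those bytes mean."""
    hits = []
    for line in log_lines:
        for token in line.split():
            m = C2_PATH.match(token)
            if not m:
                continue
            try:
                decoded = base64.b64decode(m.group(2), validate=True).decode("ascii")
            except (binascii.Error, UnicodeDecodeError):
                continue  # not valid base64 text, so not this pattern
            hits.append((token, decoded))
    return hits
```

Feed `archive_is_suspicious` the output of `zipfile.ZipFile(path).namelist()` to check a downloaded release archive before anything in it is run.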

Indicators of Compromise (IOCs)


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.