Lua Malware Targets Cheaters in Roblox and Other GamesCheaters Never Prosper, As Fake Cheat Scripts Contain Malware
Often, the allure of gaining an edge in competitive online games can be a powerful motivator. However, this desire to win is being exploited by cybercriminals who are deploying a malware campaign disguised as cheat scripts. This malware is written in the Lua scripting language and is targeting gamers across the globe, with researchers reporting infections in North America, South America, Europe, Asia, and Australia.
The attackers are capitalizing on the popularity of Lua scripting within game engines and the prevalence of online communities dedicated to sharing cheats. As reported by Morphisec Threat Labs’ Shmuel Uzan, attackers employ "SEO poisoning," a tactic that makes their malicious websites appear legitimate to unsuspecting users. These malicious scripts are disguised as push requests on GitHub repositories, often targeting popular cheat script engines like Solara and Electron—"popular cheating script engines frequently associated" with the popular children's game "Roblox." Users are lured to these scripts through fake advertisements promoting fake versions of these cheat scripts.
The deceptive nature of Lua is a key factor in this attack. Lua is a lightweight scripting language that, according to FunTech, even "kids can learn." Aside from Roblox, other popular games that utilize Lua scripting include World of Warcraft, Angry Birds, Factorio, and many more. Lua’s appeal stems from its design as an extension language that allows it to be seamlessly incorporated into different platforms and systems.However, once the malicious batch file is executed, the malware establishes communication with a command and control server (C2 server) controlled by the attackers. This can then send "details about the infected machine" and allow it to download additional malicious payloads. The potential consequences of these payloads are vast, ranging from personal and financial data theft and keylogging to complete system takeover.
Prevalence of Lua Malware in Roblox
As mentioned, Lua-based malware has infiltrated popular games like Roblox, a game development environment where Lua is the primary scripting language. Although Roblox has built-in security measures, hackers have found ways to exploit the platform by embedding malicious Lua scripts in third-party tools and fake packages, such as the notorious Luna Grabber.
Since Roblox allows users to create their own games, many young developers use Lua scripts to build in-game features, which leads to a perfect storm of vulnerability. Cybercriminals have taken advantage of this by embedding malicious scripts in seemingly benign tools like the "noblox.js-vps" package, which, according to ReversingLabs, was downloaded by 585 times before it was identified as carrying the Luna Grabber malware.
While it might seem poetic justice, there's little sympathy for gamers caught cheating in social media. Many believe that those who ruin the experience for others deserve the consequences of getting their data stolen. It's impossible to completely be safe online, but the surge of disguised malware should perhaps encourage gamers to practice digital hygiene, for the temporary thrill of a competitive edge is not worth the risk of compromising personal data.