SmartLoader malware spread through GitHub repositories
Cybersecurity researchers have identified a sophisticated malware distribution campaign that exploits GitHub repositories, masquerading as legitimate software projects. The SmartLoader malware has been strategically deployed across various repositories, leveraging users’ trust in the popular code-sharing platform to infiltrate systems globally. This malicious campaign specifically targets individuals searching for game cheats, software cracks, and automation tools by positioning fraudulent repositories at the top of search results. These repositories are designed to appear authentic, complete with professionally crafted README files, project documentation, and realistic file structures that closely resemble genuine open-source projects. The threat actors behind this operation have shown remarkable attention to detail, rendering their malicious repositories nearly indistinguishable from legitimate software projects. When users download and execute the carefully constructed compressed files containing the SmartLoader payload, they unknowingly initiate a multi-stage infection process that establishes persistent access to their systems.
The SmartLoader infection process begins when the user executes the Launcher.cmd file, which acts as the initial attack vector. This malicious batch file loads an obfuscated Lua script through luajit.exe, a legitimate Lua interpreter that has been weaponised for malicious purposes. The malware package comprises four core components: java.exe (the legitimate Lua loader), Launcher.cmd (the malicious batch file), lua51.dll (the LuaJIT runtime interpreter), and module.class (the obfuscated Lua script). Once activated, SmartLoader establishes persistence by copying its essential files to the %AppData%\ODE3 directory and registering itself in the Windows Task Scheduler as “SecurityHealthService_ODE3”. The malware immediately captures screenshots and system information and transmits this data to command-and-control servers through Base64-encoded communications. Its most dangerous capability lies in its function as a loader for additional payloads. Analysis has revealed that SmartLoader downloads and executes secondary malware, including the Rhadamanthys infostealer, which targets sensitive information from email clients, FTP applications, and online banking services. The malware injects into legitimate Windows processes such as openwith.exe, dialer.exe, and dllhost.exe to evade detection, and its communication with the C2 servers takes place over encrypted channels.
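The infection chain above (Launcher.cmd starting the Lua loader on module.class, files staged under %AppData%\ODE3, a scheduled task named SecurityHealthService_ODE3, and the loader spawning openwith.exe, dialer.exe or dllhost.exe) maps directly onto process-creation telemetry. The triage script below is an added example written for this page, not code from the researchers' report; it runs over constructed Sysmon-style records, and the backslash in the %AppData%\ODE3 path and the use of schtasks.exe for task registration are assumptions.

```python
import re
# Indicators from the write-up above. The backslash in %AppData%\ODE3 is
# assumed; %AppData% normally expands to C:\Users\<user>\AppData\Roaming.
STAGED_DIR = re.compile(r"\\AppData\\Roaming\\ODE3(\\|$)", re.I)
TASK_NAME = "securityhealthservice_ode3"
LOADER_NAMES = {"java.exe", "luajit.exe"}  # the bundled Lua interpreter
INJECT_HOSTS = {"openwith.exe", "dialer.exe", "dllhost.exe"}

def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def triage(events):
    """Return (rule, event id) pairs for the process-creation records that match."""
    findings = []
    for ev in events:
        image, parent = _basename(ev["image"]), _basename(ev.get("parent_image", ""))
        cmd = ev.get("command_line", "").lower()
        parent_cmd = ev.get("parent_command_line", "").lower()
        # Stage 1: Launcher.cmd (under cmd.exe) starts the Lua loader on module.class.
        if (parent == "cmd.exe" and "launcher.cmd" in parent_cmd
                and image in LOADER_NAMES and "module.class" in cmd):
            findings.append(("lua_loader_via_launcher", ev["id"]))
        # Anything run from, or pointing at, the %AppData%\ODE3 staging directory.
        if any(STAGED_DIR.search(s) for s in (ev["image"], ev.get("parent_image", ""), cmd)):
            findings.append(("appdata_ode3_path", ev["id"]))
        # Persistence via the masquerading task name. Tasks registered through COM
        # rather than schtasks.exe show up in Security Event ID 4698 instead.
        if image == "schtasks.exe" and TASK_NAME in cmd:
            findings.append(("persistence_task", ev["id"]))
        # The Lua loader spawning one of the documented injection host processes.
        if parent in LOADER_NAMES and image in INJECT_HOSTS:
            findings.append(("injection_host_spawned", ev["id"]))
    return findings

# Constructed sample records (not real telemetry), shaped like Sysmon Event ID 1.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Users\u\Downloads\tool\java.exe", "command_line": "java.exe module.class",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "parent_command_line": r'cmd /c "C:\Users\u\Downloads\tool\Launcher.cmd"'},
    {"id": 2, "image": r"C:\Windows\System32\schtasks.exe", "parent_image": r"C:\Users\u\AppData\Roaming\ODE3\java.exe",
     "command_line": r'schtasks /create /tn SecurityHealthService_ODE3 /tr "C:\Users\u\AppData\Roaming\ODE3\Launcher.cmd" /sc minute'},
    {"id": 3, "image": r"C:\Windows\System32\dllhost.exe", "command_line": "dllhost.exe",
     "parent_image": r"C:\Users\u\AppData\Roaming\ODE3\java.exe"},
    {"id": 4, "image": r"C:\Windows\System32\dllhost.exe", "command_line": "dllhost.exe /Processid:{constructed}",
     "parent_image": r"C:\Windows\System32\svchost.exe"},  # benign COM surrogate, no finding
]

if __name__ == "__main__":
    for rule, event_id in triage(SAMPLE_EVENTS):
        print(f"event {event_id}: {rule}")
```

The benign dllhost.exe record (id 4) produces no finding, which is the point of keying the injection rule on the parent being the Lua loader rather than on the host process name alone.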