Fake Game Cheat Tricks Gamers into Spreading Infostealer Malware

A newly discovered info-stealing malware associated with Redline has been found masquerading as a game cheat named ‘Cheat Lab.’ It offers users a free copy if they can persuade their friends to install it as well.

Redline is a potent information-stealing malware known for extracting sensitive data like passwords, cookies, autofill information, and cryptocurrency wallet details from compromised computers.

This malware variant is gaining popularity among cybercriminals and is being disseminated worldwide through various distribution channels.

According to the report, the new info stealer uses Lua bytecode to avoid detection, enabling it to infiltrate legitimate processes stealthily and benefit from Just-In-Time (JIT) compilation performance.

The researchers have linked this variant to Redline because it uses a command and control server previously associated with that malware. Unlike Redline, however, this variant does not steal browser information, saved passwords, or cookies.

The malicious Redline payloads mimic demos of cheating tools such as “Cheat Lab” and “Cheater Pro,” with URLs linked to Microsoft’s ‘vcpkg’ GitHub repository.

The malware is distributed as ZIP files containing an MSI installer that unpacks two files, compiler.exe and lua51.dll, upon launch. Additionally, it drops a ‘readme.txt’ file containing the malicious Lua bytecode.

The campaign employs an intriguing tactic to further propagate the malware by offering victims a free, fully licensed copy of the cheating program if they convince their friends to install it too, along with an activation key for added legitimacy. To evade detection, the malware payload is distributed as uncompiled bytecode rather than an executable.

Upon installation, the compiler.exe program compiles the Lua bytecode from the readme.txt file and executes it. The same executable establishes persistence by creating scheduled tasks that run during system startup.

The malware also implements a fallback persistence mechanism, copying the three dropped files (compiler.exe, lua51.dll and readme.txt) to a long, random path under ProgramData.
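A defender-side check for the staging layout described above: a readme.txt that is really Lua bytecode, dropped next to compiler.exe and lua51.dll. This is an added example, not code from the article or the researchers; it assumes Lua 5.1 (inferred from the lua51.dll loader), uses the Lua 5.1 precompiled chunk signature from the Lua file format, and builds a constructed sample directory tree rather than touching real samples.

```python
import os
import tempfile

# Lua 5.1 precompiled chunk signature: ESC 'L' 'u' 'a' then version byte 0x51
# (Lua 5.1 is assumed from the lua51.dll loader the campaign drops).
LUA51_MAGIC = b"\x1bLua\x51"
# Loader pair named in the write-up; bytecode sitting beside both is suspicious.
LOADER_FILES = {"compiler.exe", "lua51.dll"}


def is_lua_bytecode(path):
    """True if the file starts with the Lua 5.1 chunk signature."""
    try:
        with open(path, "rb") as fh:
            return fh.read(len(LUA51_MAGIC)) == LUA51_MAGIC
    except OSError:  # unreadable or vanished file: not evidence either way
        return False


def scan_tree(root):
    """Report Lua bytecode stored under a non-Lua file name (e.g. readme.txt),
    noting whether compiler.exe and lua51.dll share its directory."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        loader_present = LOADER_FILES <= {f.lower() for f in files}
        for name in files:
            if name.lower().endswith((".lua", ".luac")):  # bytecode expected
                continue
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and is_lua_bytecode(full):
                findings.append({"path": full, "loader_present": loader_present})
    return findings


def build_sample_tree(base):
    """Constructed sample data, not real malware: a staged-looking directory
    (bytecode readme.txt plus empty loader stubs) and a benign text readme."""
    staged = os.path.join(base, "staged")
    os.makedirs(staged)
    with open(os.path.join(staged, "readme.txt"), "wb") as fh:
        fh.write(LUA51_MAGIC + b"\x00" * 24)  # header-only placeholder chunk
    for name in LOADER_FILES:
        open(os.path.join(staged, name), "wb").close()
    benign = os.path.join(base, "benign")
    os.makedirs(benign)
    with open(os.path.join(benign, "readme.txt"), "w", encoding="utf-8") as fh:
        fh.write("Installation notes for the demo build.\n")


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)
```

Point scan_tree at a download folder or ProgramData to look for the same pattern; the benign readme in the sample tree shows that ordinary text files are not flagged.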

Once active on the infected system, the malware communicates with a C2 server, sending screenshots of active windows and system information while awaiting commands to execute on the host.

The exact method of initial infection remains unclear, but info stealers are typically disseminated through malvertising, YouTube video descriptions, P2P downloads, and deceptive software download sites.

Users are advised to avoid unsigned executables and files downloaded from dubious websites, as this attack demonstrates that even seemingly trustworthy sources like Microsoft’s GitHub can lead to a Redline infection.

To prevent falling victim to such attacks, gamers should be cautious when downloading and installing software from unofficial sources. It’s important to verify the legitimacy of the software and its source before installation. Additionally, keeping antivirus software up to date can help detect and prevent malware infections. Regularly updating the operating system and all installed software can also patch vulnerabilities that malware exploits.