A new strain of information-stealing malware associated with Redline has emerged, masquerading as a gaming cheat named ‘Cheat Lab.’ This deceptive software also promises users a complimentary version if they persuade their friends to install it.
Redline, a notorious malware family known for stealing sensitive data such as passwords, cookies, and cryptocurrency wallet information, is a popular tool among cybercriminals and is distributed globally through various means.
Researchers have identified this new variant as using Lua bytecode to evade detection: the payload blends into legitimate processes while relying on Just-In-Time (JIT) compilation for performance.
Moreover, the malware utilises a C2 server previously linked to Redline, further establishing its connection to the notorious strain. However, contrary to expectations, this variant does not exhibit all the typical behaviours associated with Redline, such as browser data theft.
Cheat Lab is the bait that lures users into installing the malicious content.
The malicious payloads are disguised as “Cheat Lab” and “Cheater Pro” demos, enticing victims through URLs associated with Microsoft’s ‘vcpkg’ GitHub repository.
Upon execution, the malware, distributed as ZIP files containing an MSI installer, deploys two crucial files, compiler.exe and lua51.dll, alongside a ‘readme.txt’ file containing malicious Lua bytecode.
The lure intensifies as victims are promised a fully licensed copy of the cheating software if they successfully persuade others to install it, complete with an activation key for added credibility.
The malware is distributed not as a native executable but as Lua bytecode, which is meant to evade detection; compiler.exe then compiles and executes that bytecode. The same executable also establishes persistence by creating scheduled tasks that run at system startup.
A researcher also noted a fallback persistence mechanism, in which the three essential files are copied to a long, random path under ProgramData.
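The artefacts described above (the compiler.exe / lua51.dll / readme.txt triad, a long random directory under ProgramData, and a scheduled task pointing at compiler.exe) lend themselves to a simple hunting check. The script below is an added example, not from the original report or any vendor tooling; the directory name, task entries and the "20 alphanumeric characters" randomness threshold are constructed assumptions.

```python
import os
import re
import tempfile
from pathlib import Path

# The three files the report says the MSI drops: the loader, the Lua runtime,
# and the "readme.txt" that actually carries the Lua bytecode.
LOADER_TRIAD = {"compiler.exe", "lua51.dll", "readme.txt"}

def find_loader_triads(root):
    """Walk `root` and return every directory holding all three dropped files."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        if LOADER_TRIAD <= {f.lower() for f in files}:
            hits.append(Path(dirpath))
    return hits

def is_random_looking(name, min_len=20):
    """Heuristic (an assumption, not from the report): a long, alphanumeric-only
    directory name like the fallback-persistence path the report describes."""
    return len(name) >= min_len and re.fullmatch(r"[A-Za-z0-9]+", name) is not None

def flag_task_actions(actions, triad_dirs):
    """Flag scheduled tasks (name, command line) whose executable is a
    compiler.exe living in a directory where the triad was found."""
    triad_set = {d.resolve() for d in triad_dirs}
    flagged = []
    for task_name, cmd in actions:
        # Crude command-line parsing: quoted path or first whitespace token.
        exe = Path(cmd.split('"')[1] if cmd.startswith('"') else cmd.split()[0])
        if exe.name.lower() == "compiler.exe" and exe.parent.resolve() in triad_set:
            flagged.append(task_name)
    return flagged

def demo():
    """Constructed sample: a fake ProgramData tree and two fake task actions."""
    with tempfile.TemporaryDirectory() as td:
        base = Path(td) / "ProgramData"
        bad = base / "Qm7xZ2pL9vT4wR8kH3nB6yD1"  # constructed placeholder name
        bad.mkdir(parents=True)
        for name in LOADER_TRIAD:
            (bad / name).write_bytes(b"")
        (base / "Benign").mkdir()
        (base / "Benign" / "readme.txt").write_text("just a readme")
        dirs = find_loader_triads(base)
        tasks = [("Updater", f'"{bad / "compiler.exe"}" "{bad / "readme.txt"}"'),
                 ("Backup", r"C:\Windows\System32\notepad.exe")]
        return ([d.name for d in dirs],
                [is_random_looking(d.name) for d in dirs],
                flag_task_actions(tasks, dirs))
```

Pointing find_loader_triads at a real ProgramData mount and feeding it exported task actions turns this into a quick triage pass; the random-name heuristic is only a prioritisation hint, not proof of compromise.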
Once operational, the malware communicates with a C2 server, transmitting screenshots of active windows and system details while awaiting commands from that server. While the initial infection method remains unclear, information stealers commonly propagate through malvertising, deceptive software download sites, and P2P downloads. Consequently, users are advised to be cautious with unsigned executables and to refrain from downloading files from suspicious sources.
This incident highlights the risk of seemingly legitimate sources, such as Microsoft's GitHub, being used as avenues for malware dissemination. At the time of writing, Microsoft has not responded regarding the executables distributed through its GitHub URLs.
