Forget Boss Battles, RedLine Malware Aims To Defeat Gamers With Fake Cheats

stealer malware being distributed through cheat software

If you are a threat actor and want to mine cryptocurrency or steal some juicy information, a gamer’s PC is a good target for that sort of thing, given the hardware and software they use. Even better yet is the PC of a game cheater because they are used to downloading sketchy software in the first place, so the barrier to entry of the malware target is lowered. This is just one thing to add to the saying that cheaters never prosper, and this is evidenced by the recent discovery of malware to steal information being packaged into a game cheat utility.

Earlier this week, McAfee researchers discovered a packed variant of the Redline Stealer trojan becoming highly prevalent in the United States, Mexico, and elsewhere around the world. This malware is contained within a file called Cheat.Lab.2.7.2.zip, which, when unzipped, contains an MSI installer of the same name. This MSI installer then contains two executable files and a “text file” which actually contains Lua bytecode, which is compiled and run by the other two executables, which come from the Lua project, a lightweight programming language.

infection chain stealer malware being distributed through cheat software

When run, the MSI also runs a user interface to install Cheat Lab, which prompts users to send the software to their friends. As amusing as that is, the malware then drops several files to disk and sets up persistence. Once this is complete, the malware contacts the Redline C2 network and begins communicating over HTTP. In the researcher’s case, they saw the malware trying to grab screenshots, but what the malware is capable of is not limited to that.

What is interesting about all of this is that this malware lived in Microsoft’s official GitHub account under vcpkg. Thankfully, it has since been taken down from the repository, but it would be interesting to know how it got there in the first place. However, those details are not available through the research. In any event, all this shows that cheaters never prosper, and you never know when you might be downloading malware.