Deceptive Gaming Cheats Coerce Gamers to Spread Malware

Analysts at McAfee have discovered a new malware linked to the Redline infostealer, which is disguised as demo versions of cheat software. Interestingly, the malware authors offer users a full free copy of this “cheat software” if they can convince their friends to also install it (in reality, spreading malware).

Researchers explain that the new infostealer uses Lua bytecode to evade detection, allowing it to inject into legitimate processes and take advantage of JIT compilation.

Experts associate this stealer with Redline as it uses a command-and-control server previously associated with this malware. However, Bleeping Computer notes that the new malware does not exhibit typical Redline behavior (such as stealing browser information, saved passwords, and cookies).

The malicious payloads of this Redline variant masquerade as demo versions of cheat tools Cheat Lab and Cheater Pro, using URLs associated with Microsoft’s GitHub vcpkg repository.

The malware spreads in the form of ZIP files containing an MSI installer that unpacks two files upon execution — compiler.exe and lua51.dll. Additionally, a readme.txt file containing malicious Lua bytecode is included.

As mentioned earlier, a notable feature of this campaign is the use of an unusual lure: victims are offered the full version of the cheat tool if they persuade their friends to install it. To add credibility, the message even contains an activation key.

“To unlock the full version, simply share this program with your friend. Once you do that, the program will activate automatically,” write the malicious actors.

To evade detection, the malware payload is distributed not as an executable file but as uncompiled bytecode. Upon installation, the compiler.exe program compiles the Lua bytecode contained in the readme.txt file and executes it. This file also ensures persistence by creating scheduled tasks that run each time the system starts.

McAfee specialists also mention that for added resilience, the malware employs a backup mechanism by copying three files to a long random path.

0 / 5

Your page rank:

Subscribe: YouTube page opens in new windowLinkedin page opens in new windowTelegram page opens in new window

Leave a Reply

Your email address will not be published. Required fields are marked *

Post comment