A new info-stealing malware linked to Redline has been discovered by McAfee threat researchers. This malware poses as a game cheat called ‘Cheat Lab,’ promising users a free copy if they convince their friends to install it too.

Redline is a powerful information-stealing malware known for harvesting sensitive information like passwords, cookies, autofill data, and cryptocurrency wallet information. It is widely popular among cybercriminals and is spread worldwide through various distribution channels.

This new variant of the malware leverages Lua bytecode to evade detection, allowing it to inject into legitimate processes for stealth. Despite being linked to Redline through the use of a command and control server associated with the malware, BleepingComputer’s tests show that it does not exhibit typical Redline behavior.

The malicious payloads of this Redline variant impersonate demos of cheating tools through URLs linked to Microsoft’s ‘vcpkg’ GitHub repository. These payloads are distributed as ZIP files containing an MSI installer that unpacks two files and drops a ‘readme.txt’ file containing malicious Lua bytecode.

One unique aspect of this campaign is its tactic of encouraging victims to infect their friends in exchange for a free, fully licensed copy of the cheating program. The installation prompt includes an activation key for added legitimacy.

To avoid detection, the malware is distributed as uncompiled bytecode. Once installed, the executable sets up persistence by creating scheduled tasks that execute during system startup.
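The ‘readme.txt’ described above is a text-named file whose content is Lua bytecode, a mismatch a defender can check for by reading file headers. The sketch below is an added example, not code from McAfee, BleepingComputer or the malware; it relies on the standard magic bytes of Lua (`ESC Lua`) and LuaJIT (`ESC LJ`) bytecode, and the extension list, function names and sample files are assumptions constructed for illustration.

```python
import os
import tempfile

# Standard luac chunks start with ESC "Lua"; LuaJIT bytecode dumps start with ESC "LJ".
LUA_MAGICS = {b"\x1bLua": "Lua bytecode", b"\x1bLJ": "LuaJIT bytecode"}
# Extensions expected to hold plain text (assumed list for this example).
TEXT_EXTENSIONS = {".txt", ".md", ".log", ".ini", ".cfg"}

def classify_header(header: bytes):
    """Return the bytecode kind if header starts with a Lua magic, else None."""
    for magic, kind in LUA_MAGICS.items():
        if header.startswith(magic):
            return kind
    return None

def scan_tree(root: str):
    """Walk root and return [(path, kind)] for text-named files holding Lua bytecode."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in TEXT_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    header = fh.read(8)
            except OSError:
                continue  # unreadable or locked file: skip rather than abort the scan
            kind = classify_header(header)
            if kind:
                findings.append((path, kind))
    return sorted(findings)

def demo():
    """Write constructed sample files to a temp dir and scan them."""
    samples = {
        "readme.txt": b"\x1bLJ\x02\x00" + b"\x00" * 16,  # constructed LuaJIT-style header
        "notes.txt": b"Plain text notes\n",               # genuine text, must not be flagged
        "script.luac": b"\x1bLua\x53\x00",                # bytecode, but not text-named
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in samples.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(data)
        return [(os.path.basename(p), k) for p, k in scan_tree(tmp)]

if __name__ == "__main__":
    print(demo())
```

A hit only shows that a text-named file contains Lua bytecode; it does not by itself identify this campaign.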

To avoid falling victim to such attacks, users are advised to avoid unsigned executables and files downloaded from suspicious websites, even when they appear to come from seemingly reputable sources like Microsoft’s GitHub. BleepingComputer reached out to Microsoft for comment but did not receive a response at the time of publication.

Fabio

Full Stack Developer
