Forget Boss Battles, RedLine Malware Aims To Defeat Gamers With Fake Cheats
Earlier this week, McAfee researchers discovered a packed variant of the RedLine Stealer trojan becoming highly prevalent in the United States, Mexico, and elsewhere around the world. The malware is distributed in a file called Cheat.Lab.2.7.2.zip, which unpacks to an MSI installer of the same name. That MSI in turn carries two executables and a "text file" that is not text at all: it holds compiled Lua bytecode, and the two executables, taken from the Lua project (a lightweight scripting language), are the runtime that loads and executes it. Shipping the payload as bytecode rather than readable source makes it harder to inspect, and because the interpreter binaries are the Lua project's own, the only clearly malicious component in the package is the disguised "text file".
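A quick triage check for this kind of packaging, written for this page as an added example and not taken from the McAfee research or from the malware itself: walk an extracted installer directory and flag any file with a text-looking extension whose leading bytes are a Lua chunk header. Standard Lua 5.1 bytecode begins with ESC "Lua" followed by the version byte 0x51, and LuaJIT bytecode begins with ESC "LJ" followed by a version byte. The directory layout and file names below are constructed sample data; the extension list is an assumption about what an installer would use to make a payload look harmless.

```python
"""Flag 'text' files that are really Lua bytecode (added triage example)."""
import tempfile
from pathlib import Path
from typing import List, Optional, Tuple

LUA51_MAGIC = b"\x1bLua\x51"   # PUC Lua 5.1 chunk header: ESC 'L' 'u' 'a' 0x51
LUAJIT_MAGIC = b"\x1bLJ"       # LuaJIT 2.x chunk header: ESC 'L' 'J' <version>

# Assumed set of extensions an installer might use to disguise a payload.
TEXT_LIKE = {".txt", ".md", ".log", ".ini", ".cfg", ".dat"}


def classify_bytes(data: bytes) -> Optional[str]:
    """Return 'lua51', 'luajit' or None based on the leading bytes only."""
    if data.startswith(LUA51_MAGIC):
        return "lua51"
    if data.startswith(LUAJIT_MAGIC):
        return "luajit"
    return None


def scan_dir(root: Path) -> List[Tuple[str, str]]:
    """Walk an extracted installer tree and return (relative path, kind) for
    every text-looking file whose content starts with a Lua bytecode header."""
    hits = []
    for p in sorted(root.rglob("*")):
        if not p.is_file() or p.suffix.lower() not in TEXT_LIKE:
            continue
        with p.open("rb") as fh:
            head = fh.read(8)          # the header fits in the first 8 bytes
        kind = classify_bytes(head)
        if kind:
            hits.append((p.relative_to(root).as_posix(), kind))
    return hits


def demo() -> List[Tuple[str, str]]:
    """Build a constructed sample layout in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        # Constructed sample: a "text file" carrying a LuaJIT chunk header.
        (root / "notes.txt").write_bytes(LUAJIT_MAGIC + b"\x02" + b"\x00" * 16)
        # A genuine text file for contrast; must not be flagged.
        (root / "license.txt").write_bytes(b"This is plain text.\n")
        # A Lua 5.1 chunk hidden under a data-looking name in a subdirectory.
        (root / "data").mkdir()
        (root / "data" / "config.dat").write_bytes(LUA51_MAGIC + b"\x00" * 8)
        return scan_dir(root)


if __name__ == "__main__":
    for path, kind in demo():
        print(f"{path}: {kind} bytecode disguised as text")
```

The check only reads the first eight bytes of each candidate, so it is cheap to run across a whole extracted package; a hit is a strong signal, but a miss is not a clean bill of health, since a loader can strip or obfuscate the header and reconstruct it at runtime.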
When run, the MSI also displays a user interface to install Cheat Lab, which prompts users to send the software to their friends, a social-engineering touch that doubles as a propagation mechanism. Amusing as that is, the malware then drops several files to disk and sets up persistence. Once this is complete, it contacts the RedLine C2 network and begins communicating over HTTP. In the researchers' case, they saw the malware try to grab screenshots, but as an information stealer its capabilities are not limited to that.
What is interesting about all of this is that the malicious file was hosted in Microsoft's official GitHub account, under the vcpkg repository. It has since been taken down, but it would be interesting to know how it got there in the first place; those details are not available through the research. Worth remembering either way: a download served from a trusted organization's repository URL is not evidence that the organization published or vetted the file. In any event, all this shows that cheaters never prosper, and you never know when you might be downloading malware.