
A new info-stealing malware linked to Redline poses as a game cheat called 'Cheat Lab,' promising downloaders a free copy if they convince their friends to install it too.

Redline is a powerful information-stealing malware capable of harvesting sensitive information from infected computers, including passwords, cookies, autofill information, and cryptocurrency wallet information.

The malware is very popular among cybercriminals and is spread worldwide using diverse distribution channels.

Redline victims heatmap (Source: McAfee)

McAfee threat researchers reported that the new information stealer leverages Lua bytecode to evade detection, allowing the malware to inject into legitimate processes for stealth and also take advantage of Just-In-Time (JIT) compilation performance.

The researchers link this variant to Redline as it uses a command and control server previously associated with the malware. 

However, according to BleepingComputer's tests, the malware does not exhibit behavior typically associated with Redline, such as stealing browser information, saved passwords, and cookies.

Wants you to infect your friends too!

The malicious Redline payloads impersonate demos of cheating tools called "Cheat Lab" and "Cheater Pro" through URLs linked to Microsoft's 'vcpkg' GitHub repository.

The malware is distributed as ZIP files containing an MSI installer that unpacks two files, compiler.exe and lua51.dll, when launched. It also drops a 'readme.txt' file containing the malicious Lua bytecode.

The fake CheatLab installer (Source: McAfee)

This campaign uses an interesting lure to further distribute the malware by telling victims they can get a free, fully licensed copy of the cheating program if they convince their friends to install it, too.

The message also contains an activation key for added legitimacy.

"To unlock the complete version, simply share this program with your friend. Once you do that, the program will automatically unlock," reads the installation prompt shown below.

Prompt to spread the malware (Source: McAfee)

To evade detection, the malware payload is not distributed as an executable but rather as uncompiled bytecode.

When installed, the compiler.exe program compiles the Lua bytecode stored in the readme.txt file and executes it. The same executable also sets up persistence by creating scheduled tasks that execute during system startup.

McAfee reports that the malware uses a fallback mechanism for persistence, copying the three files (compiler.exe, lua51.dll, and readme.txt) to a long random path under the ProgramData folder.
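A defender-side way to hunt for the footprint described above, added here as an example and not code from McAfee or BleepingComputer: it flags any file whose name does not suggest Lua but whose contents start with the Lua 5.1 precompiled-chunk signature (the version lua51.dll implies), and notes whether compiler.exe and lua51.dll sit beside it. The sample directory tree, including the 'CheatLab' folder name, is constructed for the demo.

```python
import os
import tempfile

# Lua 5.1 precompiled chunk header: ESC "Lua" followed by version byte 0x51
LUA51_BYTECODE_MAGIC = b"\x1bLua\x51"
# Loader files the article says the MSI unpacks next to readme.txt
LOADER_FILES = {"compiler.exe", "lua51.dll"}
# Extensions where Lua bytecode is expected; anything else is a mismatch
SCRIPT_EXTENSIONS = {".lua", ".luac", ".out"}


def is_lua_bytecode(path):
    """True if the file starts with the Lua 5.1 bytecode signature."""
    try:
        with open(path, "rb") as fh:
            return fh.read(len(LUA51_BYTECODE_MAGIC)) == LUA51_BYTECODE_MAGIC
    except OSError:
        return False


def scan_directory(root):
    """Return (dir, file, loader_present) for every non-Lua-named file that is
    really Lua bytecode; loader_present flags compiler.exe + lua51.dll beside it."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        has_loader = LOADER_FILES.issubset(f.lower() for f in files)
        for name in files:
            ext = os.path.splitext(name)[1].lower()
            if ext not in SCRIPT_EXTENSIONS and is_lua_bytecode(os.path.join(dirpath, name)):
                hits.append((dirpath, name, has_loader))
    return hits


def build_sample_tree():
    """Constructed sample: one folder shaped like the unpacked installer
    (hypothetical 'CheatLab'), one benign folder with a real readme.txt."""
    root = tempfile.mkdtemp(prefix="lua_hunt_")
    bad = os.path.join(root, "CheatLab")
    os.makedirs(bad)
    for name in LOADER_FILES:
        open(os.path.join(bad, name), "wb").close()  # empty stand-ins, not real binaries
    with open(os.path.join(bad, "readme.txt"), "wb") as fh:
        fh.write(LUA51_BYTECODE_MAGIC + b"\x00\x01\x04\x04\x04\x08\x00")  # fake header tail
    good = os.path.join(root, "Docs")
    os.makedirs(good)
    with open(os.path.join(good, "readme.txt"), "w") as fh:
        fh.write("Installation notes\n")
    return root
```

Run scan_directory over a download or temp folder; a hit with loader_present set to True matches the layout the article describes, while a plain-text readme.txt produces no hit.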

Infection diagram (Source: McAfee)

Once active on the infected system, the malware communicates with a C2 server, sending screenshots of the active windows and system information and waiting for commands to execute on the host.

The exact method used for initial infection hasn't been determined, but information-stealers are typically spread via malvertising, YouTube video descriptions, P2P downloads, and deceptive software download sites.

Users are advised to avoid unsigned executables and files downloaded from shady websites.

This attack shows that even installing programs from seemingly trustworthy locations like Microsoft's GitHub can set people up for a Redline infection.

BleepingComputer contacted Microsoft about the executables distributed through its GitHub URLs but did not receive a response by the time of publication.

Update 4/20: McAfee confirmed to BleepingComputer that it has informed Microsoft of the abuse.

"McAfee is in direct communication with the Microsoft Security Response Team," a McAfee spokesperson said.
