Fake Cheat Software Tricks Gamers into Spreading Malware

Security analysts at McAfee have discovered a new malware strain linked to the Redline infostealer, which disguises itself as demo versions of cheating software. Interestingly, the malware’s creators offer users a full, free copy of this “cheat software” if they can convince their friends to install it as well—effectively turning victims into unwitting distributors of the malware.

How the Malware Works

Researchers report that this new infostealer uses Lua bytecode to evade detection, allowing it to inject itself into legitimate processes and take advantage of JIT compilation. Experts associate this stealer with Redline because it uses a command-and-control server previously linked to that malware. However, according to Bleeping Computer, the new malware does not display typical Redline behavior, such as stealing browser data, saved passwords, or cookies.

The malicious payloads in this Redline variant pose as demo versions of cheat tools like Cheat Lab and Cheater Pro, using URLs associated with Microsoft’s vcpkg GitHub repository.

Infection Method

The malware is distributed as ZIP files containing an MSI installer. When launched, the installer unpacks two files, compiler.exe and lua51.dll, along with a readme.txt file that holds the malicious Lua bytecode.

As mentioned above, a unique aspect of this campaign is its use of an unusual lure: victims are promised the full version of the cheat tool if they persuade their friends to install it. To make the offer more convincing, the message even includes an activation key.

“To unlock the full version, simply share this program with your friend. Once you do, the program will activate automatically,” the attackers write.

Stealth Techniques and Persistence

To avoid detection, the malware payload is shipped as Lua bytecode rather than as a native executable. During installation, compiler.exe compiles the Lua bytecode from readme.txt and runs it. The same program also establishes persistence by creating scheduled tasks that run at every system start.

McAfee specialists also note that, for added resilience, the malware uses a backup mechanism by copying three files to a long, randomly generated path.
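The file layout described above (compiler.exe and lua51.dll dropped beside a readme.txt that is really Lua bytecode) gives a defender a concrete triage signal. The following script is an added example and is not code from the article or from McAfee: it walks a directory tree and flags folders that hold both loader files next to a file that starts with the Lua 5.1 bytecode header (ESC "Lua" 0x51, the version lua51.dll implies) but carries a non-Lua extension. The sample tree it scans is constructed from placeholder bytes, not real malware; the directory names CheatLab and SomeTool are assumptions.

```python
import os
import tempfile
from pathlib import Path

# Lua 5.1 bytecode starts with ESC "Lua" and the version byte 0x51; the dropped
# lua51.dll tells us the runtime is Lua 5.1, so this is the header worth checking for.
LUA51_MAGIC = b"\x1bLua\x51"
# The two files the article says the MSI unpacks next to the bytecode-bearing readme.txt.
LOADER_FILES = {"compiler.exe", "lua51.dll"}


def is_lua51_bytecode(path: Path) -> bool:
    """True if the file begins with the Lua 5.1 bytecode header, whatever its extension."""
    try:
        with path.open("rb") as f:
            return f.read(len(LUA51_MAGIC)) == LUA51_MAGIC
    except OSError:
        return False


def find_suspicious_dirs(root: Path) -> list[dict]:
    """Report directories holding both loader files plus Lua bytecode hiding behind a non-Lua name."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        if not LOADER_FILES <= {f.lower() for f in files}:
            continue  # loader pair absent: a lone bytecode file is not this pattern
        disguised = sorted(f for f in files
                           if not f.lower().endswith((".lua", ".luac"))
                           and is_lua51_bytecode(Path(dirpath) / f))
        if disguised:
            hits.append({"dir": dirpath, "bytecode_files": disguised})
    return hits


def demo_scan() -> list[dict]:
    """Scan a constructed sample tree (placeholder bytes, not real malware) and return the hits."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        bad = root / "CheatLab"          # assumed name; mimics the dropper layout from the article
        bad.mkdir()
        for name in LOADER_FILES:
            (bad / name).write_bytes(b"MZ placeholder")
        (bad / "readme.txt").write_bytes(LUA51_MAGIC + b"\x00\x01\x04\x04\x04\x08\x00")
        clean = root / "SomeTool"        # same loader names, but the readme is plain text
        clean.mkdir()
        for name in LOADER_FILES:
            (clean / name).write_bytes(b"MZ placeholder")
        (clean / "readme.txt").write_text("Thanks for installing.\n")
        (root / "notes.txt").write_bytes(LUA51_MAGIC)  # bytecode with no loader beside it
        return find_suspicious_dirs(root)
```

Only the directory that combines the loader pair with disguised bytecode is reported; the plain-text readme and the lone bytecode file are ignored, which keeps the check from firing on ordinary Lua-based software.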

Attack Chain Overview

Once activated on an infected system, the malware connects to its command-and-control server, sending screenshots of active windows and system information, then waits for further commands to execute on the host.

The exact distribution method for this Redline variant is still unknown, but similar infostealers are often spread through malicious ads, YouTube video descriptions, P2P downloads, and fraudulent software download sites.
