Cybercriminals have launched a deceptive malware campaign using a fake game cheat software known as “Cheat Lab” to spread the infostealer malware, Redline. Disguised as a game enhancement tool, this malware entices users to share it with friends for a “free, fully licensed copy,” effectively broadening its reach through social manipulation.
This malware variant, which McAfee threat researchers have linked to the notorious Redline, is distributed via ZIP files containing deceptive MSI installers. Once executed, these installers release a payload that includes a compiler and a DLL file essential for running malicious Lua bytecode scripts. This strategy allows the malware to inject itself into legitimate processes and escape detection.
Notably, the Lua bytecode used here is run through a Just-In-Time (JIT) compiler, which keeps performance high while staying stealthy. Rather than shipping as a conventional executable, the payload arrives as Lua bytecode that the bundled runtime compiles to machine code only on the victim's machine, which further helps it evade detection.
The malware sets up persistence by scheduling tasks that activate on system startup and replicates itself in obscure system directories. Upon activation, it communicates with a command and control server, sending system information and screenshots, and awaits further malicious instructions.
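The two host-level artifacts described above, a scheduled task that fires at boot or logon and launches a program from a user-writable directory, and a Lua bytecode payload hiding behind a non-Lua file name, can both be triaged offline. The following script is an added example written for this article, not code from McAfee or from the campaign; the task definitions and file contents are constructed samples in the Windows Task Scheduler XML form, and the "SystemUpdater", "compiler.exe" and "script.bin" names are placeholders. The Lua and LuaJIT header bytes are the documented chunk signatures.

```python
"""Triage helpers for the persistence pattern discussed above (added example)."""
from __future__ import annotations

import xml.etree.ElementTree as ET
from typing import Optional

# Header bytes of compiled Lua chunks: standard Lua 5.x starts with ESC "Lua",
# LuaJIT bytecode with ESC "LJ". Both are the documented formats.
LUA_MAGIC = (b"\x1bLua", b"\x1bLJ")

# Lower-cased path fragments that an ordinary user account can write to.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")

# Namespace used by Windows Task Scheduler XML task definitions.
NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"
STARTUP_TRIGGERS = (f"{NS}BootTrigger", f"{NS}LogonTrigger")


def is_lua_bytecode(data: bytes) -> bool:
    """True if the buffer begins with a Lua or LuaJIT bytecode header."""
    return data.startswith(LUA_MAGIC)


def lua_files_with_misleading_extension(files: dict[str, bytes]) -> list[str]:
    """Names of files whose content is Lua bytecode but whose name says otherwise."""
    return sorted(
        name for name, data in files.items()
        if is_lua_bytecode(data) and not name.lower().endswith((".lua", ".luac"))
    )


def flag_startup_task(task_xml: str) -> Optional[str]:
    """Return the task URI if it runs at boot/logon from a user-writable path, else None."""
    root = ET.fromstring(task_xml)
    uri = root.findtext(f"{NS}RegistrationInfo/{NS}URI", default="<unnamed>")
    triggers = root.find(f"{NS}Triggers")
    if triggers is None or not any(t.tag in STARTUP_TRIGGERS for t in triggers):
        return None
    command = root.findtext(f".//{NS}Exec/{NS}Command", default="")
    normalized = command.lower().replace("/", "\\")
    if any(fragment in normalized for fragment in USER_WRITABLE):
        return uri
    return None


def triage_tasks(task_xmls: list[str]) -> list[str]:
    """URIs of every task definition that matches the persistence pattern."""
    return [uri for uri in map(flag_startup_task, task_xmls) if uri]


# Constructed sample task definitions (simplified Task Scheduler XML, not real tasks).
def _task(uri: str, trigger: str, command: str, args: str = "") -> str:
    return (
        '<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
        f"<RegistrationInfo><URI>{uri}</URI></RegistrationInfo>"
        f"<Triggers><{trigger}><Enabled>true</Enabled></{trigger}></Triggers>"
        f"<Actions><Exec><Command>{command}</Command><Arguments>{args}</Arguments></Exec></Actions>"
        "</Task>"
    )


SAMPLE_TASKS = [
    # Benign: calendar schedule, binary under Program Files.
    _task("\\Backup\\NightlyCopy", "CalendarTrigger", "C:\\Program Files\\BackupTool\\backup.exe"),
    # Benign: logon trigger, but the binary lives in a protected directory.
    _task("\\Vendor\\Tray", "LogonTrigger", "C:\\Program Files\\Vendor\\tray.exe"),
    # Matches the pattern: boot trigger launching a "compiler" from ProgramData (placeholder names).
    _task("\\SystemUpdater", "BootTrigger",
          "C:\\ProgramData\\SystemUpdater\\compiler.exe", "script.bin"),
]

# Constructed sample file contents keyed by file name.
SAMPLE_FILES = {
    "compiler.exe": b"MZ\x90\x00" + b"\x00" * 12,       # PE header, not Lua
    "script.bin": b"\x1bLJ\x02" + b"\x00" * 12,         # LuaJIT bytecode behind a .bin name
    "init.luac": b"\x1bLua\x54\x00" + b"\x00" * 10,     # Lua bytecode, honestly named
}

if __name__ == "__main__":
    print("startup tasks launched from user-writable paths:", triage_tasks(SAMPLE_TASKS))
    print("Lua bytecode with non-Lua extensions:", lua_files_with_misleading_extension(SAMPLE_FILES))
```

On a live host the task XML would come from `C:\Windows\System32\Tasks\` or `schtasks /query /xml`, and the file scan would walk the directories the flagged tasks point at; either hit is a lead for manual review rather than a verdict, since legitimate installers also register logon tasks from ProgramData.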
Although it was distributed through platforms like GitHub, which might appear trustworthy, this campaign underscores the risk of downloading unsigned software from any source. Users are advised to remain vigilant and to verify the authenticity of downloaded files before running them, to prevent stealthy infections of this kind.