RedLine Stealer Disguised as Game Cheats on GitHub
Indian Cyber Security Solutions (GreenFellow IT Security Solutions Pvt Ltd)
"Securing your world Digitally"
Gamers, beware: a new variant of the notorious RedLine Stealer malware has emerged that uses compiled Lua bytecode to hide its payload and targets players with promises of game cheats. The information stealer, documented by McAfee Labs, ships inside ZIP archives posing as game enhancement tools and was served from URLs under trusted GitHub repositories, borrowing their reputation to look legitimate.
RedLine Stealer, first documented in 2020, typically spreads through email and malicious advertising campaigns. It harvests sensitive data from cryptocurrency wallets, VPN software and web browsers, including saved credentials, autocomplete information, credit card details and an approximate victim location derived from the IP address. Over the years RedLine has become a prevalent threat worldwide, used by many different cybercriminals in their attacks.
This latest variant takes a more sophisticated approach to distribution. The attackers weaponized the trust associated with Microsoft's official GitHub repositories for the C++ Standard Library (STL) and vcpkg: for a short time, URLs under those repositories served ZIP archives named "Cheat.Lab.2.7.2.zip" and "Cheater.Pro.1.6.0.zip" that contained the malware. The files are no longer available for download.
How the files came to be hosted there was not known at the time of writing. One caveat for anyone assessing such a link: a download URL under github.com/<organization>/<repository>/ does not by itself mean the file was committed to that repository, because GitHub also serves files attached to issues and comments from paths under the repository's name, so the repository name in a URL is not evidence that its maintainers published the file. Either way, the incident illustrates the growing trend of attackers abusing trusted platforms to distribute malware. The ZIP archives themselves pose as enticing game cheats, squarely aimed at eager gamers. Inside each is an MSI installer that executes the malicious Lua bytecode.
Compiling the payload to Lua bytecode serves one purpose: obfuscation. Bytecode carries no readable source, so string-based scanning and analyst review are harder, and the attackers avoid the easily recognised scripting engines (wscript, JScript, PowerShell) that security tooling watches closely. Researchers Mohansundaram M. and Neil Tyagi explain: "This approach provides the advantage of obfuscating malicious strings and avoiding the use of easily recognizable scripts."
The malware also tries to spread on its own. After installation it displays a message urging the victim to share the "game cheat" with friends to unlock its full potential. This social engineering tactic widens the malware's reach at no cost to the attackers and pulls in further victims.
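A first triage step for an archive like this is to classify its members by their leading bytes rather than by file name, since an MSI installer or a bytecode blob does not change format when it is renamed to look like a document. The Python script below is an added example, not code from the page above or from McAfee's analysis. It builds a stand-in archive in memory (the member names and contents are invented, not the real samples) and flags OLE/MSI containers, PE executables and compiled Lua 5.1 or LuaJIT bytecode by their magic numbers, then lists members whose text-like extension hides binary content.

```python
"""Extension-agnostic triage of a downloaded 'game cheat' archive.

Added example, not code from the page above or from McAfee's analysis.
Each archive member is classified by its leading bytes so that an MSI
installer, a PE executable or a compiled Lua/LuaJIT bytecode blob is
recognised whatever its file name says. The archive is constructed in
memory with invented member names and contents; it is not a real sample.
"""
import io
import zipfile

# Leading bytes of the formats worth flagging inside a "cheat" bundle.
MSI_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE compound file; MSI installers use this container
PE_MAGIC = b"MZ"                                  # DOS/PE executable header
LUA51_MAGIC = b"\x1bLua\x51"                      # output of luac for Lua 5.1
LUAJIT_MAGIC = b"\x1bLJ"                          # LuaJIT 2.x bytecode dump

# Extensions that suggest a harmless document; binary content behind them is a masquerade.
TEXT_LIKE = {"txt", "md", "log", "ini", "cfg"}


def classify(head: bytes) -> str:
    """Coarse type label from the first bytes of a file."""
    if head.startswith(MSI_MAGIC):
        return "msi"
    if head.startswith(PE_MAGIC):
        return "pe"
    if head.startswith(LUA51_MAGIC) or head.startswith(LUAJIT_MAGIC):
        return "lua-bytecode"
    return "other"


def triage_zip(zip_bytes: bytes) -> list:
    """Return (member name, label) for every file in an in-memory ZIP."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(16)  # every magic number above fits in 16 bytes
            findings.append((info.filename, classify(head)))
    return findings


def masquerades(findings: list) -> list:
    """Members whose extension looks like text but whose content is a binary format."""
    out = []
    for name, label in findings:
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if label != "other" and ext in TEXT_LIKE:
            out.append(name)
    return out


def build_sample_archive() -> bytes:
    """Constructed stand-in for a cheat bundle (invented names and contents)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("setup.msi", MSI_MAGIC + b"\x00" * 64)               # installer
        zf.writestr("data.txt", LUAJIT_MAGIC + b"\x02" + b"\x00" * 32)   # bytecode hiding as text
        zf.writestr("launcher.exe", PE_MAGIC + b"\x90" * 64)             # native executable
        zf.writestr("README.md", b"# Cheat\nShare with friends to unlock!\n")
    return buf.getvalue()


if __name__ == "__main__":
    results = triage_zip(build_sample_archive())
    for name, label in results:
        print(f"{name:14} {label}")
    print("masquerading members:", masquerades(results))
```

Point `triage_zip` at the bytes of a real download to use it; on a genuine game-cheat bundle, an MSI plus a bytecode blob behind a .txt name is the combination worth sending to a sandbox rather than running.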
Once executed, the MSI installer establishes persistence on the infected system by creating a scheduled task and dropping a CMD file. The CMD file in turn runs the malicious executable under a different name.
That executable ("NzUw.exe") then contacts a command-and-control (C2) server over HTTP. The server had previously been linked to RedLine Stealer activity and serves as the malware's control point.
From there the malware acts as a backdoor: it receives tasks from the C2 server, such as taking screenshots, and exfiltrates stolen data to the attackers.
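To hunt for the persistence described above on an endpoint, the Windows-side command is `schtasks /query /fo CSV /v`. The Python below is an added example, not the page's or McAfee's code; it parses that CSV and flags tasks whose action is a .cmd/.bat wrapper or runs from a user-writable directory, the two traits of the chain just described. The CSV is constructed for the example with invented task names and paths and keeps only the columns the check reads; real output has many more columns, which the header-keyed parser ignores.

```python
"""Hunt for scheduled-task persistence of the kind described above.

Added example, not the page's or McAfee's code. It parses the CSV that
`schtasks /query /fo CSV /v` prints on Windows and flags tasks whose action
is a .cmd/.bat wrapper or runs from a user-writable directory. The CSV below
is constructed for the example (invented task names and paths) and keeps only
the columns this check reads; real output has many more, which the
header-keyed parser simply ignores.
"""
import csv
import io
import re

# Paths an unprivileged user can write to. Legitimate software usually installs
# under Program Files; persistence that points here deserves a look.
USER_WRITABLE = re.compile(
    r"\\(AppData|Temp|ProgramData|Users\\Public|Downloads)\\", re.IGNORECASE
)
# A .cmd/.bat wrapper as the task action is the pattern described above.
WRAPPER_EXT = re.compile(r"\.(cmd|bat)\b", re.IGNORECASE)

# Constructed sample. schtasks /v repeats its header row; the parser skips those.
SAMPLE_CSV = r'''"HostName","TaskName","Author","Task To Run","Run As User"
"GAMER-PC","\Microsoft\Windows\UpdateOrchestrator\Schedule Scan","Microsoft Corporation","%systemroot%\system32\usoclient.exe StartScan","SYSTEM"
"HostName","TaskName","Author","Task To Run","Run As User"
"GAMER-PC","\CheatLabUpdater","GAMER-PC\alice","C:\Users\alice\AppData\Roaming\CheatLab\run.cmd","alice"
"GAMER-PC","\OneDrive Standalone Update","Microsoft Corporation","C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe","alice"
'''


def hunt_tasks(csv_text: str) -> dict:
    """Return {task name: [reasons]} for tasks worth investigating."""
    hits = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row.get("TaskName", "")
        if name == "TaskName":  # repeated header row emitted by schtasks /v
            continue
        action = row.get("Task To Run", "")
        reasons = []
        if WRAPPER_EXT.search(action):
            reasons.append("task action is a .cmd/.bat wrapper")
        if USER_WRITABLE.search(action):
            reasons.append("action runs from a user-writable directory")
        if reasons:
            hits[name] = reasons
    return hits


if __name__ == "__main__":
    for task, why in hunt_tasks(SAMPLE_CSV).items():
        print(task, "->", "; ".join(why))
```

Expect benign hits such as the OneDrive updater, which genuinely runs from AppData; the output is a worklist for an analyst, not a removal list. The Author column is deliberately not used as a filter, because a task's author string can be set freely in the task XML and so is attacker-controlled.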
The exact method of distributing links to these malicious ZIP archives remains unknown. The incident does, however, coincide with a recent discovery by Checkmarx, which showed how attackers manipulate GitHub's search results to lure users into downloading malware-laden repositories.
Furthermore, Recorded Future has documented a large-scale Russian cybercrime operation targeting the gaming community. This operation leverages fake Web3 gaming lures to distribute malware capable of stealing sensitive information from both Windows and macOS users. This technique, known as trap phishing, involves creating convincing imitations of legitimate Web3 gaming projects to trick unsuspecting users.
These developments highlight a concerning trend of cybercriminals increasingly targeting the gaming community. Gamers are often a lucrative target due to the valuable information they possess, including cryptocurrency wallets and online gaming accounts.
This RedLine Stealer variant also follows a recent wave of malware campaigns targeting enterprise environments. Loaders like PikaBot and a new strain called NewBot Loader have been observed employing diverse techniques and infection vectors to deliver malicious payloads.
McAfee has also documented a phishing attack that combined email conversation hijacking with a Microsoft Outlook flaw (CVE-2024-21413, patched in February 2024) to trick victims into downloading PikaBot malware from an SMB share.
These incidents underscore the ever-evolving threat landscape. Cybercriminals are constantly adapting and employing increasingly sophisticated tactics. Here are some crucial steps to stay safe:
Download from trusted sources only. Be cautious when downloading game cheats or any software, especially from unofficial repositories. Stick to reputable sources and verify the software's legitimacy before downloading.
Beware of social engineering tactics. Don't fall for promises of "free" or "unlocked" versions of software in exchange for sharing it with friends. This could be a trap leading to malware infection.
Maintain strong security practices. Keep your operating system and security software up to date. Utilize a robust antivirus solution and consider employing web filtering and firewall protection.
Be vigilant. If you encounter suspicious files.