
‘Cheat Lab’ Tricks Gamers into Spreading Data-Stealing Malware


Gamers seeking a competitive edge through cheats may unwittingly become victims of a new cybersecurity threat. The malware poses as a premium game cheating tool and entices users with a seemingly harmless offer: convince your friends to install it and get a free copy. This tactic is designed to spread the infostealer among unsuspecting gamers.

Malware Disguised as a Game Cheat

The cybersecurity team at McAfee has discovered a cunning new variant of Redline, a well-known malware that steals everything from passwords and autofill data to cryptocurrency wallet details from unaware victims. The new threat operates under the guise of helping gamers cheat. However, its real purpose is far more sinister.

This malicious program is cleverly disguised as demos for cheating tools named ‘Cheat Lab’ and ‘Cheater Pro.’ These demos are hosted through URLs linked to Microsoft’s ‘vcpkg’ GitHub repository, which makes the scam seem more credible. Once downloaded and executed, these supposed cheat demos install dangerous software that can severely compromise user data.

How Does it Work?

The malware is hidden within ZIP files that, when opened, reveal an MSI installer. This installer then deploys two critical files (compiler.exe and lua51.dll) along with a ‘readme.txt’ file that carries the harmful Lua bytecode.

Victims are lured into spreading the malware further with the promise of unlocking a full version of the cheat tool if they share it with friends. They are even given an activation key to make the offer seem more legitimate. 

Cheat Lab Installation prompt (Source: McAfee)

What makes this malware particularly elusive is its deployment method. Instead of coming as a standard executable file, it is delivered as uncompiled bytecode. The included compiler.exe file then compiles this bytecode and executes it, establishing multiple scheduled tasks to ensure it remains running even after the system reboots.

Additionally, McAfee has discovered that the malware copies its files to a random directory within the program data folder to avoid detection and maintain persistence on the infected machine. This setup allows it to stealthily monitor user activities and communicate with a remote server, where it waits for further malicious instructions.
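
A triage check for the file layout described above, as an added example that is not from McAfee or the original article: it walks a folder (the program data folder by default) and flags text-named files that actually begin with a Lua or LuaJIT bytecode header, noting whether lua51.dll and an executable sit beside them. The function names, the extension list and the HIGH/REVIEW labels are assumptions made for the illustration.

```python
import os
import sys

# Headers of precompiled Lua chunks: stock Lua ("\x1bLua") and LuaJIT ("\x1bLJ").
BYTECODE_MAGICS = (b"\x1bLua", b"\x1bLJ")
# Assumption: extensions a user would expect to hold plain text, not bytecode.
TEXT_EXTENSIONS = {".txt", ".log", ".md"}


def is_lua_bytecode(path):
    """True when the file starts with a Lua or LuaJIT bytecode header."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(4)
    except OSError:
        return False  # unreadable or locked files are skipped, not flagged
    return head.startswith(BYTECODE_MAGICS)


def scan(root):
    """Find text-named files that contain Lua bytecode under root.

    Each finding is (directory, bytecode_file, has_lua_dll, exe_names).
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        lower = {name.lower(): name for name in files}
        has_dll = "lua51.dll" in lower
        exes = sorted(n for low, n in lower.items() if low.endswith(".exe"))
        for low, name in lower.items():
            if os.path.splitext(low)[1] not in TEXT_EXTENSIONS:
                continue
            if is_lua_bytecode(os.path.join(dirpath, name)):
                findings.append((dirpath, name, has_dll, exes))
    return findings


if __name__ == "__main__":
    # Default root is the ProgramData folder; pass another path to override.
    root = sys.argv[1] if len(sys.argv) > 1 else os.environ.get("ProgramData", ".")
    for directory, name, has_dll, exes in scan(root):
        # Bytecode next to a Lua runtime DLL and an executable matches the article's layout.
        level = "HIGH" if has_dll and exes else "REVIEW"
        print(f"[{level}] {directory}: {name} holds Lua bytecode; "
              f"lua51.dll={has_dll}; exe={exes}")
```

A hit is a lead for further investigation rather than a verdict, since legitimate software can also ship precompiled Lua.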

How to Stay Safe

The origin of the infection remains unclear, but the methods could include malicious ads, misleading YouTube video links, peer-to-peer sharing, and dubious download websites. To stay safe, users are advised to do the following:

  • Be wary of downloading and running unsigned executables from unknown sources.
  • Use antivirus and anti-malware solutions with real-time protection to detect and prevent malicious attacks.
  • Enable your web browser’s phishing and malware protection settings to block suspicious sites.
  • Regularly update your software and operating system to ensure you have the latest security patches.

By following these guidelines, you can significantly reduce your risk of falling victim to malware infections like the one disguised as the “Cheat Lab” cheat tool. 

Final Word

This incident highlights the risks of downloading software from trusted platforms like GitHub, which can be exploited by cybercriminals to distribute malware disguised as legitimate applications such as ‘Cheat Lab’ and ‘Cheater Pro.’ Even on well-known sites, users must remain vigilant and skeptical of offers that seem too good to be true.

Author: Anas Hasan

Date: April 19, 2024

Anas Hassan is a tech geek and cybersecurity enthusiast. He has vast experience in the digital transformation industry. When Anas isn’t blogging, he watches football games.
