Fake Game Cheats Trick Users into Downloading Lua-Based Malware

Gamers searching for cheats are being lured into downloading Lua-based malware that can persist on infected systems and deliver additional payloads. The malware targets users searching for gaming cheat engines like Solara and Electron, often spreading through GitHub-hosted ZIP files.

According to Morphisec researcher Shmuel Uzan, this malware campaign is active across multiple regions, including North and South America, Europe, Asia, and Australia. First documented by OALabs in March 2024, the malware abuses GitHub to stage its malicious payloads.

McAfee Labs reported that threat actors were using the same technique to deliver a variant of the RedLine information stealer by hosting malware within legitimate Microsoft repositories. GitHub acted swiftly, disabling the malicious content in compliance with its Acceptable Use Policies.

In this evolving campaign, the attackers have shifted to delivering the malware through obfuscated Lua scripts, which helps it evade detection. Despite the change in delivery, the infection chain remains largely the same: users searching for cheats are led to fake websites that link to booby-trapped ZIP files containing a Lua compiler, a runtime interpreter DLL, an obfuscated Lua script, and a batch file. The batch file launches the Lua script, which establishes communications with a command-and-control (C2) server; the server can then send commands to maintain persistence, hide processes, or download additional payloads such as Redone Stealer or CypherIT Loader.
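The bundle layout described above (Lua compiler, runtime DLL, obfuscated script, batch launcher) is itself a detection opportunity for anyone screening downloads at a gateway or on an endpoint. The following is an added example written for this page, not code from the article, Morphisec, OALabs or any vendor tool: a file-name heuristic that inspects a ZIP archive in memory and flags one that combines those four roles, with a secondary check on whether the batch file actually hands a `.lua` file to a Lua executable. The two sample archives are constructed inline and their member names are illustrative placeholders, not indicators from the campaign.

```python
import io
import os
import re
import zipfile

# Added example (not from the article): classify each archive member into one of
# the roles the article describes for the malicious cheat bundle.
def _role(member_name):
    base = os.path.basename(member_name).lower()
    stem, ext = os.path.splitext(base)
    if ext == ".exe" and stem.startswith("lua"):
        return "lua_binary"          # Lua compiler or interpreter executable
    if ext == ".dll" and "lua" in stem:
        return "lua_runtime_dll"     # Lua runtime/interpreter DLL
    if ext == ".lua":
        return "lua_script"          # the (possibly obfuscated) script
    if ext in (".bat", ".cmd"):
        return "batch_launcher"      # the batch file that starts the chain
    return None


def inspect_archive(zip_bytes):
    """Return which bundle roles an archive contains and whether the
    combination matches the described Lua-loader layout."""
    roles = {}
    launcher_runs_lua = False
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            role = _role(info.filename)
            if role is None:
                continue
            roles.setdefault(role, []).append(info.filename)
            if role == "batch_launcher":
                # Secondary check: does the launcher invoke a Lua executable
                # and pass it a .lua file? Batch files are small, so read them.
                text = zf.read(info).decode("utf-8", errors="replace").lower()
                if re.search(r"\blua\w*\.exe\b", text) and ".lua" in text:
                    launcher_runs_lua = True
    suspicious = (
        "batch_launcher" in roles
        and "lua_script" in roles
        and ("lua_binary" in roles or "lua_runtime_dll" in roles)
    )
    return {"roles": roles, "launcher_runs_lua": launcher_runs_lua,
            "suspicious": suspicious}


def build_sample(files):
    """Build an in-memory ZIP from a {member_name: bytes} mapping (test fixture)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample mimicking the described bundle; contents are placeholders,
# not real binaries, and the names are not indicators from the campaign.
SUSPICIOUS_SAMPLE = build_sample({
    "cheat/luac.exe": b"MZ placeholder",
    "cheat/lua51.dll": b"MZ placeholder",
    "cheat/loader.lua": b"-- obfuscated script placeholder",
    "cheat/start.bat": b"@echo off\r\nluac.exe loader.lua\r\n",
})

# Constructed benign archive: a plain Lua mod with no bundled runtime or launcher.
BENIGN_SAMPLE = build_sample({
    "mod/init.lua": b"print('hello')",
    "mod/README.txt": b"drop this folder into the game's mod directory",
})

if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, inspect_archive(sample))
```

The heuristic deliberately keys on the combination of roles rather than on any single file: a lone `.lua` script is a normal game mod, and a lone Lua DLL ships with plenty of legitimate software. Requiring a launcher plus a script plus a bundled runtime is what separates the self-contained loader bundle from those benign cases; the `launcher_runs_lua` flag gives a reviewer a second signal before escalating.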

Info-stealing malware is becoming increasingly common, as the harvested credentials are sold on the dark web, feeding into more sophisticated attacks. RedLine has become a major player in this market.

The malware is distributed not only through fake game cheats but also through Telegram channels aimed at crypto investors, and comments on YouTube videos about cryptocurrency, cheats, and gambling. In addition to mining cryptocurrency, some variants of the malware can perform other malicious activities, such as replacing cryptocurrency wallet addresses and taking screenshots of infected systems.

Figure: Fake Cheating Script Engines

© 2016 - 2025 Red Secure Tech Ltd. Registered in England and Wales under Company Number: 15581067