Redline Stealer Targets Gamers

Individual Attacks

April 25, 2024

Researchers discovered a new Redline campaign targeting gamers with promises of free copies of a game cheat software called Cheat Lab. Redline is an information-stealing malware capable of acting as a backdoor, carrying out tasks from the command-and-control (C2) server, and exfiltrating data. Redline drops several files to disk to establish persistence and capture screenshots. The download is a “Cheat.Lab.2.7.2.zip” archive containing an MSI installer with the same naming convention as the ZIP file. If the MSI installer is launched, two executables and a “readme.txt” file are unpacked onto the device. Despite its name, the text file contains Lua bytecode, which the two executables load and execute during installation.

To encourage victims to spread the malware unknowingly, Cheat Lab states that users can unlock the free full version of the software by sharing it with a friend. An activation key is offered to give a sense of legitimacy.

The Cheat Lab Redline Lua malware loader was found to be distributed through Microsoft’s GitHub vcpkg repository. The file was not part of the repository itself but was uploaded as a comment on an issue of the project. Threat actors exploited a flaw in which GitHub automatically uploads files attached to comments to GitHub’s content delivery network (CDN). The URLs generated for these files include the repository’s name, which gives the appearance of being associated with the project. These URLs are created even if the comment has not been posted and will remain after the comment is deleted. Researchers confirmed that GitLab’s comments can also be used to upload potentially malicious files using the CDN. Microsoft has removed these files from their repositories.

A similar campaign was discovered in which a new GitHub account was created to impersonate an established account. The benign repository was cloned and uploaded to the new malicious account. The impersonating account made thousands of empty commits to give the appearance of being the main contributor. In this attack, a link to the malicious ZIP file was created when the threat actors uploaded a file to a comment of the original GitHub repository.
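The following is an added example, not part of this advisory or of any vendor tooling, showing how an analyst could screen a download against the two indicators described above: a github.com link that is a comment attachment served from the CDN rather than content committed to the repository, and a “readme.txt” that actually begins with a compiled Lua chunk. The two attachment URL layouts, the owner/repository names and the sample file contents are assumptions constructed for the example, not indicators from the campaign.

```python
import re
from urllib.parse import urlparse

# Assumed path shapes for files attached to issue/PR comments (constructed for this
# example): the older layout embeds the repository name, the newer one does not.
_REPO_ATTACHMENT = re.compile(
    r"^/(?P<owner>[^/]+)/(?P<repo>[^/]+)/files/(?P<id>\d+)/(?P<name>[^/]+)$")
_USER_ATTACHMENT = re.compile(r"^/user-attachments/files/(?P<id>\d+)/(?P<name>[^/]+)$")

# A precompiled Lua chunk starts with ESC followed by "Lua" (Lua's documented signature).
LUA_SIGNATURE = b"\x1bLua"


def classify_github_link(url: str) -> dict:
    """Say what a github.com URL points at.

    kind == "comment_attachment" means the file was uploaded through a comment and is
    served from GitHub's CDN; it is not reviewed or committed repository content even
    when the repository name appears in the path.
    """
    p = urlparse(url)
    if p.scheme not in ("http", "https") or p.netloc.lower() != "github.com":
        return {"kind": "not_github"}
    m = _REPO_ATTACHMENT.match(p.path)
    if m:
        return {"kind": "comment_attachment", "owner": m["owner"], "repo": m["repo"], "file": m["name"]}
    m = _USER_ATTACHMENT.match(p.path)
    if m:
        return {"kind": "comment_attachment", "owner": None, "repo": None, "file": m["name"]}
    return {"kind": "other"}


def looks_like_lua_bytecode(data: bytes) -> bool:
    """True if a supposed text file actually begins with a compiled Lua chunk header."""
    return data.startswith(LUA_SIGNATURE)


def triage(url: str, unpacked: dict) -> list:
    """Return findings for a download URL and the files it unpacked (name -> bytes)."""
    findings = []
    link = classify_github_link(url)
    if link["kind"] == "comment_attachment":
        findings.append(f"{link['file']} is a comment attachment, not repository content")
    for name, data in unpacked.items():
        if name.lower().endswith(".txt") and looks_like_lua_bytecode(data):
            findings.append(f"{name} is Lua bytecode disguised as a text file")
    return findings


if __name__ == "__main__":
    # Constructed sample modelled on the advisory's description; not real indicators.
    sample_url = "https://github.com/example-org/example-repo/files/1234567/Cheat.Lab.2.7.2.zip"
    sample_files = {"readme.txt": b"\x1bLua\x54\x00\x19\x93\r\n\x1a\n", "Cheat.Lab.2.7.2.msi": b"\xd0\xcf\x11\xe0"}
    for finding in triage(sample_url, sample_files):
        print("[!]", finding)
```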

Recommendations

  • Avoid unsigned executables and files downloaded from unverified websites.
  • Exercise caution with links found in comments, even if they may appear to originate from legitimate sources.
  • Cyber incidents can be reported to the FBI’s IC3 and NJCCIC.

For any further questions, contact us here at Cyber Command.