Analysing How Malware Is Hidden In Cheating Software
This is the first blog post of my amateur research into free cheating programs available on code sharing platforms. We can often find repositories that contain just an ad for the developer's website, where wannabe cheaters must pay before downloading anything. I check the repos where the authors release small chunks of code as a way to deceive players who will actually become targets of Trojans.
I find free cheating software to be a great source of malware samples, because one can be sure that cheaters will do anything to gain an advantage over other players, including disabling antivirus and other system protections. This way the malicious file won't be detected or removed from the filesystem; moreover, it will be opened almost instantly.
Contents:
- Sample 1. AsyncRAT
- Repository
- Dropper
- Malware
- Sample 2. Dropper in SCR file
- Repository
- Dropper
- Malware
- Sample 3. Lumma Stealer
- Repository
- Malware
- Sample 4. RedLine Stealer
- Repository
- Dropper
- Malware
- Summary
Sample 1. AsyncRAT
Repository
This project was created at the beginning of May, so it has been up for 2 months. It is constantly updated by a workflow script adding commits every 20 minutes, which keeps the repo as high as possible in searches. The README file contains some proof-of-concept images and the code uses a lot of imported functionality. The crucial logic sits in "driver", which is spaghetti code and is not the main point of my review. There are no attempts to make the program look legitimate. I highly doubt that good anti-cheat software would allow it to run alongside the game.
A few fun facts:
- this program tries to detect and close debuggers, but since the code has to be built by the player before running, this function can simply be deleted
- there was a comment indicating that the code was developed 2 months before release
Dropper
Dangerous code is hidden somewhere else though, or rather, there was an attempt to hide it. Looking at the project configuration files we notice a "<Command>" XML tag. It's just one line, but 18k characters long. I'm deliberately not showing all of its contents.
As the name suggests, PreBuildEvent commands are executed before the build starts, therefore the result of the build has no effect on the concealed script. This implies that merely trying to build this program is sufficient to get infected, without ever using the cheat in the game.
Below is the decoded version. In lines 5 and 6 big chunks of base64-encoded code are replaced with <base64data> for clarity. I used the following recipe in CyberChef:
- URL Decode
- From HTML Entity
- Find / Replace (&#xD; to \n)
- Add line numbers
The script.vbs file is created and each echo command appends another line of code to this file. The instructions indicate that the encoded data is another script, which I will analyse later. We can observe that the script redirects the decoded code to another file, decode.ps1 (lines 5-16), which is then executed with PowerShell (lines 17 and 18):
Set shell = CreateObject("WScript.Shell")
shell.Run "powershell.exe -ExecutionPolicy Bypass -File %TEMP%\script\decode.ps1", 0, True
From the Microsoft documentation:
The WScript object is the root object of the Windows Script Host object model hierarchy. It never needs to be instantiated before invoking its properties and methods, and it is always available from any script file.
Run is a method of the WScript.Shell object; it starts an application and here it is called with 3 parameters:
command = "powershell.exe (...)"
optional window style = 0 (hide the window)
optional wait on return = True (wait until the program finishes and return its exit code)
After execution the decode.ps1 file will be deleted. The rest of the script is the declaration of the BinaryToScript function used earlier in the decoding process, until line 35 where finally the script.vbs file is executed with cscript.
Cscript starts a script to run in a command-line environment.
So at this point we have the following flow:
- user tries to build the application
- the build process triggers pre-build events that will generate script.vbs file and execute it
- script.vbs contains instructions that base64-decode the provided data, write the plaintext to a file and execute it with PowerShell.
Let's check the decode.ps1 script. Inside we have another chunk of encoded data and a few PowerShell commands instructing that the data should be reversed and base64-decoded. The result is then executed with the Invoke-Expression cmdlet.
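To make the chain above reproducible offline, here is an added Python example (my own code, not code from the post or from the repository it analyses). It builds a constructed project file that hides a PreBuildEvent command of the same shape, then walks the same decoding steps the post did by hand: URL-decode and HTML-entity-decode the <Command> text, split on the encoded carriage returns, replay the echo lines into script.vbs, base64-decode the embedded payload into decode.ps1, and reverse-then-base64-decode that into the final stage. All three stage bodies, the file paths and the VBS Base64Decode helper name are assumptions made for the example; the final stage is a harmless Write-Output, not the sample's downloader.

```python
import base64
import html
import re
import urllib.parse

# Constructed multi-stage sample (made up for this example; not the analysed
# repository's payload). Stage 3 is a benign stand-in for what IEX would run.
STAGE3 = 'Write-Output "final stage reached"'

# Stage 2 = decode.ps1: a reversed base64 blob, reversed back, decoded, then IEX'd.
STAGE2 = "\r\n".join([
    f'$data = "{base64.b64encode(STAGE3.encode()).decode()[::-1]}"',
    '$rev = -join $data[-1..-$data.Length]',
    '$code = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($rev))',
    'Invoke-Expression $code',
])

# Stage 1 = script.vbs: carries stage 2 as base64, writes it to decode.ps1 and runs
# it hidden. Base64Decode is an assumed helper standing in for the real sample's
# own BinaryToScript function.
STAGE1 = [
    'Set fso = CreateObject("Scripting.FileSystemObject")',
    f'data = "{base64.b64encode(STAGE2.encode()).decode()}"',
    'Set f = fso.CreateTextFile("%TEMP%\\script\\decode.ps1", True)',
    'f.Write Base64Decode(data)',
    'f.Close',
    'Set shell = CreateObject("WScript.Shell")',
    'shell.Run "powershell.exe -ExecutionPolicy Bypass -File %TEMP%\\script\\decode.ps1", 0, True',
]

# Stage 0 = the PreBuildEvent command: one echo per VBS line, then cscript.
_CMD = ["mkdir %TEMP%\\script"] + [
    f'echo {line} {">" if i == 0 else ">>"} %TEMP%\\script\\script.vbs'
    for i, line in enumerate(STAGE1)
] + ["cscript //nologo %TEMP%\\script\\script.vbs"]

# Entity-encoded onto one line, the way it sits inside <Command> in the project file.
SAMPLE_CSPROJ = (
    '<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">\n'
    '  <ItemDefinitionGroup>\n'
    '    <PreBuildEvent>\n'
    f'      <Command>{"&#xD;&#xA;".join(html.escape(l, quote=True) for l in _CMD)}</Command>\n'
    '    </PreBuildEvent>\n'
    '  </ItemDefinitionGroup>\n'
    '</Project>\n'
)

BUILD_EVENT_RE = re.compile(r"<(PreBuildEvent|PostBuildEvent)\b[^>]*>(.*?)</\1>", re.S)
COMMAND_RE = re.compile(r"<Command\b[^>]*>(.*?)</Command>", re.S)
EXEC_RE = re.compile(r'<Exec\b[^>]*\bCommand="([^"]*)"', re.S)
ECHO_RE = re.compile(r"^echo\s+(.*?)\s*(>>|>)\s*(\S+)\s*$", re.I)
VBS_B64_RE = re.compile(r'^\s*data\s*=\s*"([A-Za-z0-9+/=]+)"', re.M)
PS_B64_RE = re.compile(r'^\s*\$data\s*=\s*"([A-Za-z0-9+/=]+)"', re.M)
LAUNCHERS = ("cscript", "wscript", "powershell", "mshta", "rundll32", "certutil", "bitsadmin")


def find_build_commands(project_xml):
    """Raw (still entity-encoded) command strings from build events in a project file."""
    cmds = []
    for m in BUILD_EVENT_RE.finditer(project_xml):
        inner = COMMAND_RE.search(m.group(2))  # vcxproj style: <Command> child element
        cmds.append(inner.group(1) if inner else m.group(2))
    cmds += EXEC_RE.findall(project_xml)  # SDK style: <Exec Command="..."/>
    return [c for c in cmds if c.strip()]


def decode_command(raw):
    """The post's CyberChef recipe: URL-decode, HTML-entity-decode, split on line breaks."""
    text = html.unescape(urllib.parse.unquote(raw))
    return [ln.strip() for ln in re.split(r"\r\n|\r|\n", text) if ln.strip()]


def rebuild_echoed_files(lines):
    """Replay 'echo ... > file' / '>> file' lines into an in-memory map of dropped files."""
    files = {}
    for ln in lines:
        m = ECHO_RE.match(ln)
        if m:
            text, redir, path = m.groups()
            if redir == ">":  # single '>' truncates, '>>' appends
                files[path] = []
            files.setdefault(path, []).append(text)
    return {p: "\r\n".join(v) for p, v in files.items()}


def unwrap(project_xml):
    """Walk the chain: project file -> echoed script.vbs -> decode.ps1 -> final stage."""
    report = {"commands": 0, "launchers": [], "dropped_files": []}
    for raw in find_build_commands(project_xml):
        report["commands"] += 1
        lines = decode_command(raw)
        report["launchers"] += [ln for ln in lines if any(t in ln.lower() for t in LAUNCHERS)]
        files = rebuild_echoed_files(lines)
        report["dropped_files"] += sorted(files)
        for content in files.values():
            m = VBS_B64_RE.search(content)
            if not m:
                continue
            report["decode_ps1"] = base64.b64decode(m.group(1)).decode()
            m2 = PS_B64_RE.search(report["decode_ps1"])
            if m2:  # decode.ps1 reverses the blob before base64-decoding it
                report["final_stage"] = base64.b64decode(m2.group(1)[::-1]).decode()
    return report
```

Run `unwrap(SAMPLE_CSPROJ)` to get the launcher lines, the dropped file names and the decoded stages; pointing `find_build_commands` at a real .csproj or .vcxproj before building is the cheap check this sample defeats, since an 18k-character `<Command>` that echoes a .vbs and calls cscript stands out immediately. The decoding steps are applied to the raw element text on purpose: an XML parser would already have resolved the entities, but the post's recipe shows that the copy it worked from still carried them.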
Plaintext data is 8458 characters long and I won't show all of it. Below is a high-level representation of the script. We can notice that it tries to download the malware in 3 different functions, which are almost the same with the biggest difference being different download URLs. Though, the file they try to download is the same - MicrosoftCorporation.7z. It's the 7Zip archive encrypted with a key provided as plaintext in the script.
function Install-GoodbyeDPI {
// downloads GoodbyeDPI.7z
// opens the archive with 7Zip
// installs and executes the program
}
function Download-String {
// helper function that reads remote file from given URL
}
function Download-First {
// calls Download-String with the rentry.co domain
// opens the archive with 7Zip (produces .exe file)
// executes the downloaded program
// in case of any exception goes to Download-Github
}
function Download-Github {
// calls Download-String with the raw.githubusercontent.com domain which contains a line with encoded payload, the payload is loaded by the script, decoded, and decrypted with a key by calling Decrypt-WithBase64
// the line is another github URL hosting malware which is downloaded (the same github user but different repos)
// opens the archive with 7Zip (produces .exe file)
// executes the downloaded program
// in case of any exception goes to Download-V3
}
function Decrypt-WithBase64 {
// simple custom decryption function explained further below
}
function Download-File {
// downloads file passed in parameters
// opens the archive with 7Zip
// executes the downloaded program
}
function Download-V3 {
// same as Download-First but different domain of the remote file - text.is
// in case of any exception goes to Paste-FO
}
function Paste-FO {
// same as Download-Github but different domains of the remote files - paste.fo and cdn.gilcdn.com
}
// EXECUTION STARTS HERE
Downloading 7Zip in case it's missing
Declaration of the function CheckAdmin
In case CheckAdmin returns true, Install-GoodbyeDPI is called
Download-First is called
The Decrypt-WithBase64 function's code is below. We can observe that the operations used are very simple and there is no attempt to use any cryptographic functions.
This script is already analyzed in virus total: link
Malware
As mentioned earlier, the file MicrosoftCorporation.7z is encrypted with a password provided as plaintext in the code.
The .exe file is instantly flagged as a Trojan with a high VirusTotal score of 54/73: link
From Malpedia:
AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool, however, it could also be used maliciously because it provides functionality such as keylogger, remote desktop control, and many other functions that may cause harm to the victim’s computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kit and other techniques.
Summing up: this sample has implemented a few CTF-like protections against the suspicious eyes of cheaters looking for fast and simple cheating software. The main objective of the analysis was decrypting the URLs which host the encrypted malware. Techniques used:
- Dropper concealed in config file
- Base64 encoding
- String concatenation
- Decompressing files with 7Zip
- Simple decrypting
- Using plaintext passwords
Sample 2. Dropper in SCR file
Repository
By accident or not, I came across another repository created by the same individual as in Sample 1. This connection is not obvious to players looking only for cheats, but there were a lot of indicators for an analyst. The repo looks like this:
It also contains a file which receives commits every 20 minutes, and the workflow file is the same as before. The difference in application code makes me certain that everything in this and the other repositories is stolen, except for the dropper payloads. This repo is newer, created at the end of June, and is better prepared to attract an audience:
Malware
There is no need to review the code as the malicious file clearly stands out. The file tries to hide under the Solution file extension .sln, but after downloading it we can see the .scr extension, indicating the screensaver file type, which is known to be used in malware campaigns. SCR files are executable by design and pose the same risk as ordinary EXE files. When downloading the "Evo Resources..sln" file, the browser immediately flags it as suspicious.
We can see that the publisher has been tampered with to read Microsoft Corporation. I downloaded this file directly; downloading the source code of the repository as a .zip probably doesn't trigger the warning, however, Defender instantly recognized and deleted it. I'm not sure how and if this file would be triggered by Visual Studio; I see no use case other than manually clicking on the file, and there is no lure to do so in the README, for example. There was no obfuscation or further concealment, which is disappointing. Virus total link.
Analysing the file with pestudio I noticed further similarities to the previous sample. Firstly, CompanyName is base64-encoded "by unknown", which I saw in several places earlier.
Secondly, imports and strings revealed the same function names. Thirdly, virus total report revealed to me the same URLs used.
As there are limited imports in this executable, and the existing ones indicate that the main functionality is file operations and a bit of cryptography, I can conclude that this file is again only a dropper aimed at downloading and executing MicrosoftCorporation.7z.
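An added check for the point above that a .scr is a PE executable no matter what its name suggests (my example, not code from the post or the repository): instead of trusting the extension, read the MZ header and the PE signature it points to, and flag files whose content disagrees with their name or that use an executable extension few legitimate repos ship. The file names and byte contents below are constructed stand-ins, not the repository's files.

```python
import struct

EXEC_EXTS = {".exe", ".scr", ".pif", ".com", ".dll", ".cpl", ".bat", ".cmd"}
DOC_LIKE = {".sln", ".txt", ".pdf", ".doc", ".docx", ".jpg", ".png", ".zip"}
ODD_EXEC_EXTS = {".scr", ".pif", ".com"}  # executable, but rarely legitimate in a source repo


def is_pe(data):
    """True if data starts with an MZ header whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]  # DOS header: offset of PE header
    return 0 < e_lfanew <= len(data) - 4 and data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def triage(name, data):
    """Findings for one file: content-based type check plus file-name heuristics."""
    exts = ["." + p for p in name.lower().split(".")[1:]]
    findings = []
    if is_pe(data):
        findings.append("PE executable by content")
        if not exts or exts[-1] not in EXEC_EXTS:
            findings.append("executable content behind non-executable extension")
    if exts and exts[-1] in EXEC_EXTS:
        masked = [e for e in exts[:-1] if e in DOC_LIKE]
        if masked:
            findings.append("double extension masquerading as " + masked[0])
        if exts[-1] in ODD_EXEC_EXTS:
            findings.append("uncommon executable extension " + exts[-1])
    return findings


def scan(files):
    """Map of file name -> findings, only for files with at least one finding."""
    out = {}
    for name, data in files.items():
        found = triage(name, data)
        if found:
            out[name] = found
    return out


def _fake_pe():
    """Minimal MZ + PE signature stand-in (constructed; not a real binary)."""
    hdr = bytearray(0x80)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)  # e_lfanew -> PE header at 0x40
    hdr[0x40:0x44] = b"PE\0\0"
    return bytes(hdr)


# Constructed repository listing: names and contents are made up for the example.
SAMPLE_FILES = {
    "Evo Resources.sln": b"Microsoft Visual Studio Solution File, Format Version 12.00\r\n",
    "Evo Resources.sln.scr": _fake_pe(),
    "Loader.exe": _fake_pe(),
    "cheat.png": _fake_pe(),
    "README.md": b"# cheat\n",
}
```

`scan(SAMPLE_FILES)` reports the .sln.scr file three times over (PE content, double extension, .scr) and catches the PE hiding behind a .png, while the real .sln and the README produce nothing. The content check is deliberately first: Explorer's "hide extensions for known file types" default is exactly what the .sln.scr trick relies on, so any repo triage should classify by bytes before it looks at names.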
Sample 3. Lumma Stealer
Repository
This repository was made in under 10 minutes, as it contains stolen code, stolen descriptions, and malware that is not hidden at all. As in the previous repos we can see several tags mentioning possible types of hacks, which have nothing in common with reality. For this particular game, some of the hacks listed don't even exist in paid software. The code is defective, because a lot of classes are missing. In this and other repositories I noticed the same pattern of copying files without any changes, which is revealed by the image links in the README.md files. These links refer to other, probably original, cheat repositories; some of them were already down, while the rest were still accessible with the same stolen README files.
Malware
The Loader.exe file is just a plain Lumma Stealer; no hiding method was used here. A custom PE section caught my attention, where a lot of plaintext strings were stored. However, I did not analyze this further.
Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". (...)
Sample 4. RedLine Stealer
Repository
The code base is made for a HWID Spoofer, a type of software which changes the Hardware ID (HWID). It is used when a cheater gets banned at the hardware level, meaning that the game can't be launched from any account on their PC anymore. Typically this type of ban is received after detection of cheating software, but I observe the gaming industry slowly applying hardware bans as a punishment for repetitive or the most unacceptable toxic behavior. Every cheater has to have a good and updated HWID Spoofer at hand, as otherwise they would be banned from every game until they buy a new PC.
I was lucky to find this repo just a few hours after its creation. We download Loader.rar.
Dropper
The executable file is double archived. We can see that the dates were not tampered with and the files were created hours before uploading.
I instantly check Loader.exe in PEstudio and, to my surprise, the sample was unknown to VirusTotal and there were only a few possible indicators. After decoding:
This command is an instruction to download a file from the remote server and execute it. Let's see the file.
Malware
Again, the file dev.exe was unknown to VirusTotal. After analyzing it, we get a lot of malware indicators, which can be normal for a cheat, but for a HWID Spoofer the imports were rather unusual.
Online analysis (link) reveals typical trojan behavior and identifies its family as RedLine.
From Malpedia: RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. (...)
Summary
This kind of research is a fun way to get to know the latest malware and phishing techniques used on a specific clientele. These samples did not have sophisticated concealment methods, but there are likely some repos out there where I missed something that isn't obvious. Adding dynamic analysis would definitely be a good idea for some of the executables.
I'm strongly against cheating in competitive games, but I'm not a fan of putting trojans on cheaters' computers either. This practice won't stop any time soon, as cheaters are a very easy target and they will even harm their own computer in order to win more internet points.
I'm determined to check out Arduino cheats next 😏
Thanks for reading!