Last month, a cybersecurity researcher tweeted about SteamHide, a new malware that conceals itself inside Steam profile pictures.

steamhide malware

Source

Cybersecurity specialists believe that the SteamHide emerging-malware hiding inside profile images on the Steam gaming platform is being developed for an extensive operation.

According to G Data specialists, the Steam platform acts only as an agent which hosts the malicious file.

 The heavy lifting in the shape of downloading, unpacking, and executing a malicious payload fetched by the loader is handled by an external component, which accesses the malicious profile image on one Steam profile. This external payload can be distributed via crafted emails to compromised websites.

Source

In a recent disclosure report, G Data analyst Karsteen Hahn stated that concealing malware in a picture file’s metadata is not a new practice, but using a gaming platform such as Steam is quite unique.

Threat actors hide their malware in harmless images frequently published online such as memes like “blinking white guy” used in the G Data analysis example.

white guy blingking malware image

Source

How Does SteamHide Work?

The virus can update itself through a specified Steam profile. Just like the downloader, it will extract the executable from the PropertyTagICCProfile data in a picture of the Steam profile. The configuration enables modification of the ID for the image property and the search string to find the correct image on Steam. That means other image properties might be utilized later to conceal malware on Steam.

Those who fall victims to this profile image scam don’t even have to be on Steam or have any gaming platform installed, the virus can easily be updated by only uploading a new profile picture.

The researchers found that immediately after the execution, the malware terminates any security defenses and checks for administration rights, then copies itself to “LOCALAPPDATA” folder and persists by creating a key in a registry that G Data recognized as  “\Software\Microsoft\Windows\CurrentVersion\Run\BroMal”.

There’s also a method stub named “ChangeHash” that shows developers are working on increasingly elaborate iterations of the existing malware, and an instrument that authorizes the malware to send and receive commands over Twitter.

At the moment, the malware seems to be missing some functionalities and is being actively developed. There are a few code segments in the binary that aren’t used by now.

I am confident that we will see this malware emerge soon in the wild just like it happened with other in-development families that we covered, e.g., StrRAT and SectopRAT.

Source

We can’t say how easy this malware would be to root out. Steam’s most recent data showed the platform has more than 20 million users playing some of the most popular games: Counter-Strike: Global Offensive, Dota 2, and Apex Legends.

cybersecurity for gamers concept photo
2019.07.02 SLOW READ

Cybersecurity for Gamers 101: Gaming Malware and Online Risks

Fake online profiles
2017.03.06 SLOW READ

Beware of Scams Using Fake Facebook Profiles

twitter security
2016.06.01 INTERMEDIATE READ

Here’s How to Strengthen Your Twitter Security and Privacy in 10 Steps

A New Era of Malware Attacks
2014.11.04 QUICK READ

BEWARE: A New Era of Malware Attacks is Arising

Leave a Reply

Your email address will not be published. Required fields are marked *

GO TO TOP