[BreachExchange] This Malware that Uses Steam Profile Images to Hide Itself

Sophia Kingsbury sophia.kingsbury at riskbasedsecurity.com
Wed Jun 9 17:07:47 EDT 2021


https://www.ehackingnews.com/2021/06/this-malware-that-uses-steam-profile.html

In May 2021, a researcher tweeted about a new malware that hides itself
inside Steam profile photos. Apart from a warning that the length of the
ICC profile data is not acceptable, common online EXIF tools don't report
anything significant about the image, because the malware is stored in
encrypted form inside the PropertyTagICCProfile value in place of an ICC
profile. The purpose of an ICC profile is to map colours correctly for
output devices such as printers.

Valve's Steam is a video game digital distribution platform. In September
2003, it was released as a separate software client as a mechanism for
Valve to give automatic updates for their games, and it was later expanded
to include games from third-party publishers. Digital rights management
(DRM), server hosting, video streaming, and social networking services are
all available through Steam. It also includes community features such as
friends lists and groups, cloud storage, and in-game voice and chat
functions, as well as game installation and automatic updates.

While concealing malware in the metadata of an image file is not a novel
concept, leveraging a gaming platform like Steam has not been seen
before. This strategy makes sense from the attacker's perspective: it's as
simple as updating a profile image file to remove the infection. There are
also a lot of legitimate accounts, and blacklisting the Steam platform would
have a lot of unintended consequences.

It should be emphasised that no installation of Steam – or any other game
platform – is required to become a target for this strategy. The Steam
platform only acts as a medium for the malicious file to be distributed.

An external component, which only needs to fetch the profile image from one
Steam profile, does the heavy lifting in terms of downloading, unpacking, and
executing the malicious payload. This component can be delivered by a
variety of methods, including manipulated emails and infected websites.

The Steam profile image is neither contagious nor executable in any way. It
acts as a vehicle for the malware itself and requires a second piece of
malware to extract it. This malware sample's second component is a downloader.
It uses TripleDES to decrypt the payload from the picture and has the password
"PjlDbzxS#;8 at x.3JT&4MsTqE0" hardcoded.
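The article's first paragraph notes that EXIF tools only complain about the length of the ICC profile data, because the hidden blob sits in the image's ICC slot without being a profile. The script below is an added example, not code from the article or from the researcher it quotes: it pulls the ICC_PROFILE chunks out of a JPEG's APP2 segments and checks whether what is there actually looks like an ICC profile (declared size matches, the mandatory 'acsp' signature is present, and the bytes after the 128-byte header are not ciphertext-like high entropy). It assumes the image is a JPEG, which Steam avatars typically are; the two sample "profiles", the throw-away JPEG wrapper around them and the 7.0 bits/byte entropy threshold are constructed for the demo and are not taken from the real sample.

```python
import math
import struct
from collections import Counter

# JPEG markers used below.
SOI, EOI, SOS, APP0, APP2 = 0xFFD8, 0xFFD9, 0xFFDA, 0xFFE0, 0xFFE2
ICC_TAG = b"ICC_PROFILE\x00"     # APP2 payload prefix that announces an ICC chunk
ICC_HEADER_LEN = 128             # fixed-size ICC profile header
ENTROPY_LIMIT = 7.0              # assumed heuristic; genuine profiles sit well below it


def iter_segments(data):
    """Yield (marker, payload) for every marker segment that precedes the scan data."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected a marker at offset %d" % pos)
        marker = (data[pos] << 8) | data[pos + 1]
        if marker in (EOI, SOS):
            return                      # all metadata segments sit before SOS
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]   # includes its own 2 bytes
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length


def extract_icc_profile(data):
    """Reassemble the ICC_PROFILE chunks from APP2; None if the image carries no profile."""
    chunks = {}
    for marker, payload in iter_segments(data):
        if marker == APP2 and payload.startswith(ICC_TAG):
            seq_no = payload[len(ICC_TAG)]          # 1-based chunk index, then chunk count
            chunks[seq_no] = payload[len(ICC_TAG) + 2:]
    if not chunks:
        return None
    return b"".join(chunks[k] for k in sorted(chunks))


def shannon_entropy(buf):
    """Bits per byte of the buffer (0.0 for an empty one)."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def check_icc_profile(profile):
    """Return a list of anomalies; an empty list means the blob at least looks like an ICC profile."""
    if len(profile) < ICC_HEADER_LEN:
        return ["size: shorter than the %d-byte ICC header" % ICC_HEADER_LEN]
    findings = []
    declared = struct.unpack(">I", profile[:4])[0]            # bytes 0-3: profile size
    if declared != len(profile):
        findings.append("size: header declares %d bytes, segment carries %d" % (declared, len(profile)))
    if profile[36:40] != b"acsp":                              # bytes 36-39: file signature
        findings.append("signature: 'acsp' missing at offset 36")
    ent = shannon_entropy(profile[ICC_HEADER_LEN:])
    if ent > ENTROPY_LIMIT:
        findings.append("entropy: %.2f bits/byte past the header (compressed or encrypted?)" % ent)
    return findings


def scan_jpeg(data):
    """Return (has_icc, findings); a carried blob that fails the header checks deserves a second look."""
    profile = extract_icc_profile(data)
    if profile is None:
        return False, []
    return True, check_icc_profile(profile)


def build_jpeg(profile, chunk_size=65519):
    """Constructed test fixture: wrap a blob in SOI, a JFIF APP0 and ICC APP2 chunks (no pixel data)."""
    def segment(marker, payload):
        return struct.pack(">HH", marker, len(payload) + 2) + payload
    out = b"\xff\xd8" + segment(APP0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    pieces = [profile[i:i + chunk_size] for i in range(0, len(profile), chunk_size)]
    for idx, piece in enumerate(pieces, start=1):
        out += segment(APP2, ICC_TAG + bytes([idx, len(pieces)]) + piece)
    return out + b"\xff\xd9"


def make_stub_icc_profile():
    """Constructed sample: a minimal well-formed ICC header with an empty tag table."""
    hdr = bytearray(ICC_HEADER_LEN)
    hdr[8:12] = b"\x02\x10\x00\x00"     # profile version 2.1
    hdr[12:16] = b"mntr"                # device class: display
    hdr[16:20] = b"RGB "                # data colour space
    hdr[20:24] = b"XYZ "                # profile connection space
    hdr[36:40] = b"acsp"                # required signature
    body = struct.pack(">I", 0)         # tag count: zero tags
    hdr[0:4] = struct.pack(">I", len(hdr) + len(body))
    return bytes(hdr) + body


LEGIT_PROFILE = make_stub_icc_profile()
# Constructed stand-in for ciphertext parked in the ICC slot: no header, maximal byte spread.
SUSPECT_PROFILE = bytes(range(256)) * 3

if __name__ == "__main__":
    for name, blob in (("legit", LEGIT_PROFILE), ("suspect", SUSPECT_PROFILE)):
        print(name, scan_jpeg(build_jpeg(blob, chunk_size=200)))
```

Running the script prints an empty finding list for the stub profile and three findings (size, signature, entropy) for the ciphertext stand-in, which is the kind of check a mail or web gateway can apply to avatar images without knowing anything about the downloader that later decrypts the blob.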