
Steam Game Malware: Hackers Steal Passwords

February 18, 2025

Malware-Laced Game Removed from Steam

Valve recently removed a game, PirateFi, from its digital distribution platform, Steam, after malware was discovered embedded in it.

Malware Analysis and Vidar Infostealer

Following the game’s removal, security researchers conducted a thorough analysis of the malicious code. Their investigation revealed that the perpetrators had modified an existing game to distribute an information-stealing malware known as Vidar.

Marius Genheimer, a researcher with SECUINFRA Falcon Team, indicated to TechCrunch that the command and control infrastructure associated with the malware suggests PirateFi may have been part of a larger campaign. He believes it was one of several methods employed to broadly disseminate Vidar payloads.

Genheimer further stated that it’s improbable the game began as a legitimate product that was subsequently compromised. Evidence points to PirateFi being intentionally designed for malware distribution.

Game Development Template Exploited

The researchers discovered that PirateFi was constructed using a modified game template called Easy Survival RPG.

This template is marketed as a comprehensive game development tool, enabling the creation of both single-player and multiplayer games, and is licensed for between $399 and $1,099.

This explains how the attackers were able, with relative ease, to package functioning malware inside what appeared to be a legitimate video game.

Vidar's Capabilities and Targets

The Vidar infostealer is capable of extracting a wide range of sensitive data from infected systems. This includes:

  • Web browser autofill passwords
  • Session cookies
  • Web browsing history
  • Cryptocurrency wallet information
  • Screenshots
  • Two-factor authentication codes
  • Other files stored on the compromised computer

Vidar has been linked to numerous cyberattacks, including attempts to compromise Booking.com credentials, ransomware deployments, and the injection of malicious advertisements into Google search results.

The Health Sector Cybersecurity Coordination Center (HC3) has identified Vidar, first detected in 2018, as one of the most prevalent and successful infostealers currently in use.

The Rise of Infostealers

Infostealers represent a common category of malware focused on data theft. They are frequently offered as a “malware-as-a-service,” making them accessible to individuals with limited technical expertise.

This accessibility complicates the task of identifying the individuals responsible for deploying PirateFi, as Vidar is widely utilized by a diverse range of cybercriminals.

Malware Sample Analysis

Genheimer’s team analyzed multiple samples of the malware found within PirateFi.

One sample was located on VirusTotal, apparently uploaded by a gamer based in Russia. Another was identified through SteamDB, a resource for Steam game information. A third sample was found within a private threat intelligence database.

All three samples exhibited identical functionality, according to Genheimer.

Lack of Response and Developer Anonymity

Valve has not yet responded to inquiries from TechCrunch regarding this incident.

Seaworth Interactive, listed as the developer of PirateFi, maintains no discernible online presence. The game’s X (formerly Twitter) account, which previously linked to the Steam page, has been removed.

Attempts to contact the account owners via Direct Message prior to its removal were unsuccessful.
