Picture this: Malware Hides in Steam Profile Images

[harlan4096]

SteamHide abuses the gaming platform Steam to serve payloads for malware downloaders. Malware operators can also update already infected machines by adding new profile images to Steam. The developers seem to have a few more ambitious goals.

Suspicious steam profile images

Researcher @miltinhoc tweeted in May 2021 about new malware[1][2] that uses Steam profile images to hide itself inside them.

The low quality image (see picture below) shows three frames of the "white guy blinking" meme alongside the words January, a black screen, and September. The image content itself does not seem to make sense.

Common online EXIF tools don't show anything interesting about the image except for a warning that the length of the ICC profile data is not valid. That's because instead of an ICC profile the malware is placed in encrypted form inside the PropertyTagICCProfile value. The ICC profile's purpose is to map colors correctly for output devices like printers.

Implications and Affected Users

While hiding malware in an image file's metadata is not a new phenomenon, using a gaming platform such as Steam is previously unheard of. From attacker's point of view, this approach makes sense: Replacing the malware is as easy as just replacing a profile image file. There is also a huge number of legitimate accounts - and blocklisting the Steam platform outright would have many undesired side effects.

It should be noted that in order to become a target for this method, no installation of Steam - or any other game platform - is required. The Steam platform merely serves as a vehicle which hosts the malicious file. The heavy lifting in the shape of downloading, unpacking and executing the malicious payload is handled by an external component which just accesses the profile image on one Steam profile. This payload can be distributed by the usual means, from crafted emails to compromised websites.

The Steam profile image is neither infectious nor executable. It serves as carrier for the actual malware[2]. It needs a second malware[1] to be extracted.

This second malware sample[1] is a downloader. It has the hardcoded password "{PjlD\\bzxS#;8@\\x.3JT&<4^MsTqE0" and uses TripleDES to decrypt the payload from the image.

I found newer samples[3][4] of this malware via Virustotal retrohunt. The downloader uses a different Steam profile but the very same technique to hide malware in images. Below is the output of another online EXIF extraction tool.

Payload Functionality

The sample first queries Win32_DiskDrive for VMWare and VBox and terminates if any of those exist.

It will then check if it has administrator rights and attempt privilege escalation via cmstp.exe

On the first run it copies itself to the LOCALAPPDATA folder using the name and extension specified in the configuration. In sample[2] the filename is uNoFGmsEX.txt

SteamHide persists itself by creating the following key in the registry: \Software\Microsoft\Windows\CurrentVersion\Run\BroMal

The mutex is named Global\<GUID> were GUID is the globally unique identifier for a certain class in the malware.

SteamHides initial command-and-control server IP is saved in a specific pastebin paste.

The malware can update itself via a given Steam profile. Just like the downloader it will extract the executable from the PropertyTagICCProfile data in an image of the Steam profile. The configuration allows to change the ID for the image property and the search string to find the correct image on Steam. That means other image properties might be used in the future to hide malware on Steam.

The future of SteamHide

SteamHide currently lacks functionality and seems to be in active development. There are a few code segments in the binary that aren't used by now.

The malware checks if Teams is installed by looking for the existance of SquirrelTemp\SquirrelSetup.log, but there isn't anything done with this information. The method is called EnumerateVulnerable and possibly serves to check installed applications on the infected system, so they can be abused for exploits.

There is a method stub named ChangeHash(), but it is not implemented yet. It seems the malware developer plans to include polymorphism in future versions.

It has a CodePieceManager, which can compile source code to MSIL assemblies. It might be used to add functionality on the fly or to apply metamorphism.

Futhermore there is a method that allows sending Twitter requests, which might in the future enable the malware to either receive commands via Twitter or to act as a Twitter bot.

I am confident that we will see this malware emerge soon in the wild just like it happened with other in-development families that we covered, e.g., StrRAT, SectopRAT
...

Continue Reading