Steamhide malware in the wild

Lakados

https://heimdalsecurity.com/blog/watch-out-emerging-malware-is-skulking-in-steam-profile-pictures/

TLDR:

Threat actors hide their malware in harmless images frequently published online such as memes like “blinking white guy” used in the G Data analysis example.
The virus can update itself through a specified Steam profile. Just like the downloader, it will extract the executable from the PropertyTagICCProfile data in a picture of the Steam profile.
The researchers found that immediately after the execution, the malware terminates any security defenses and checks for administration rights, then copies itself to the “LOCALAPPDATA” folder and persists by creating a key in the registry that G Data recognized as “\Software\Microsoft\Windows\CurrentVersion\Run\BroMal”.
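The ICC-profile trick described in the TLDR is something a defender can look for directly. The following is an added example (not code from the article or from G Data's analysis) that parses a PNG container, pulls the iCCP chunk out, and flags a profile that is oversized, lacks the mandatory "acsp" ICC header signature, or carries a PE header. It assumes the image is a PNG; the size threshold and the two sample images are constructed for the demo.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
DOS_STUB = b"This program cannot be run in DOS mode"


def png_chunks(data):
    """Yield (type, payload) for each chunk of a PNG byte string."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        yield ctype, data[pos + 8:pos + 8 + length]
        pos += 12 + length  # length field + type + payload + CRC


def iccp_profile(data):
    """Return the decompressed ICC profile from the iCCP chunk, or None."""
    for ctype, payload in png_chunks(data):
        if ctype == b"iCCP":
            _name, _, rest = payload.partition(b"\x00")
            return zlib.decompress(rest[1:])  # rest[0] is the compression method
    return None


def suspicious_iccp(data, max_profile=1_000_000):
    """Return a list of findings for a PNG whose ICC profile looks like a carrier."""
    profile = iccp_profile(data)
    if profile is None:
        return []
    findings = []
    if len(profile) > max_profile:  # threshold is an assumption, tune per environment
        findings.append("oversized ICC profile")
    if profile[36:40] != b"acsp":  # every genuine ICC profile has this at offset 36
        findings.append("missing 'acsp' ICC signature")
    if profile[:2] == b"MZ" or DOS_STUB in profile:
        findings.append("PE header inside ICC profile")
    return findings


def _chunk(ctype, payload):
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", zlib.crc32(ctype + payload))


def build_png(profile):
    """Constructed minimal PNG (IHDR + iCCP + IEND, no pixel data) for testing the scanner."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"iCCP", b"icc\x00\x00" + zlib.compress(profile)) + _chunk(b"IEND", b"")


BENIGN = build_png(struct.pack(">I", 128) + bytes(32) + b"acsp" + bytes(88))  # plain 128-byte ICC header
PLANTED = build_png(b"MZ\x90\x00" + bytes(60) + DOS_STUB + bytes(100))        # constructed PE-like blob
```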
 
So based on this it is just used for hosting malware somewhere.

It uses JavaScript to decode the file and write the malware into a file somewhere.

Not even sure why JavaScript allows writing an exe file to some folder and then running it.

I guess the main point is for virus scanners to have more of a hard time finding the malware in the code.
 
Yeah, they believe that this was just a distribution method for a larger attack at a later date, the current stuff out there just updates and lays dormant waiting for the update that actually makes it do something. The type of code and how it's getting in isn't anything new but using a game distribution platform like Steam to host the updates and mask the traffic is completely new and more than a little disturbing.
 
The researchers found that immediately after the execution, the malware terminates any security defenses and checks for administration rights
Doesn't sound like very good security defenses if that order of operations is correct.

And sure, if an admin account is compromised - <Hamilton: King George> "Good Luck!" <KG>