
Hackers planted a Steam game with malware to steal gamers' passwords

Last week, Valve removed a game from its online store Steam because the product was laced with malware.

After the removal of the game, which was called PirateFi, security researchers analyzed the malware and found that whoever planted it modified an existing video game in an attempt to trick gamers into installing an info-stealer called Vidar.

Marius Genheimer, a researcher who analyzed the malware and works at SECUINFRA Falcon Team, told information.killnetswitch that judging by the command and control servers associated with the malware and its configuration, "we suspect that PirateFi was just one of several tactics used to distribute Vidar payloads en masse."

"It is highly likely that it never was a legitimate, working game that was altered after first publication," said Genheimer.

In other words, PirateFi was designed to spread malware.

Genheimer and colleagues also found that PirateFi was built by modifying an existing game template called Easy Survival RPG, which bills itself as a game-making app that "gives you everything you need to develop your own singleplayer or multiplayer" game. The game maker costs between $399 and $1,099 to license.


This explains how the hackers were able to ship a functioning video game with their malware with little effort.

According to Genheimer, the Vidar infostealing malware is capable of stealing and exfiltrating several types of data from the computers it infects, including: passwords from the web browser autofill feature, session cookies that can be used to log in as someone without needing their password, web browser history, cryptocurrency wallet details, screenshots, and two-factor codes from certain token generators, as well as other files on the person's computer.

Vidar has been used in several hacking campaigns, including one attempting to steal Booking.com's hotel credentials, others with the goal of deploying ransomware, and another effort to plant malicious ads on Google search results. During 2024, the Health Sector Cybersecurity Coordination Center (HC3) reported that Vidar, which was first discovered in 2018, has "grown to be one of the most successful infostealers."


Infostealers are common types of malware designed to steal information and data from a victim's computer. Infostealers are often sold in the malware-as-a-service model, meaning the malware can be bought and used even by hackers with little skill. This also makes identifying who was behind PirateFi "very difficult," said Genheimer, as Vidar "is widely adopted by many cybercriminals."

Contact Us

Do you have more information about this malware, or other video game related hacks? From a non-work device and network, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram and Keybase @lorenzofb, or email. You can also contact information.killnetswitch via SecureDrop.

Genheimer said they analyzed several samples of the malware included in PirateFi: one found on the online malware repository VirusTotal, which was apparently uploaded by a gamer in Russia; another they identified through SteamDB, a website that publishes information about games hosted on Steam. The researchers found a third sample in a threat intelligence database they have access to. All three malware samples have the same functionality, according to Genheimer.


Valve did not respond to information.killnetswitch's request for comment.

Seaworth Interactive, the purported developers of PirateFi, has no apparent online presence. Until last week, the game had an X account, which has now been removed. The account included a link to the game on Steam.

The owners of the account did not respond to a request to talk via Direct Message before it was removed.
