Karsten Hahn, a researcher at the German cybersecurity company GData, has analyzed SteamHide, a new malware family that abuses the Steam gaming platform to serve malware downloads by hiding payloads in profile images. It lets operators update already infected machines simply by uploading new profile images.
It was researcher @miltinhoc who in May first raised the alarm about this new type of malware, which uses Steam profile images to hide itself.
Most EXIF tools show only a warning about the length of the ICC profile data. That is because the malware's author placed the payload, in encrypted form, inside the PropertyTagICCProfile value.
While hiding malware in an image file is not a new technique, doing so on the Steam gaming platform had not been seen before. For the attacker this is a convenient approach, since the malware can be updated by simply replacing a profile image file.
This method does not require Steam to be installed on the victim's machine: the attacker only needs to upload the malicious image as a profile picture, and Steam then hosts it.
The payload is executed by an external component, which simply downloads the image and unpacks the malicious code from it. This component can be distributed through email or crafted websites.
The Steam profile image itself is neither infected nor executable. Instead, it serves as a carrier for the actual malware, and a second sample, a downloader, is needed to extract it.
“The sample first queries Win32_DiskDrive for VMWare and VBox and terminates if any of those exist. It will then check if it has administrator rights and attempt privilege escalation via cmstp.exe. On the first run it copies itself to the LOCALAPPDATA folder using the name and extension specified in the configuration. In the sample the filename is uNoFGmsEX.txt,” Karsten Hahn of GData said.
The malware can update itself by extracting the .exe file from the PropertyTagICCProfile data. Just like the downloader, it extracts the .exe from the Steam profile image.
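The anomaly that EXIF tools hint at above (an ICC profile block whose length and contents do not match a real colour profile) can be checked directly. The following is an added example written for this article, not GData's code; it assumes the image is a JPEG that embeds its ICC data in APP2 "ICC_PROFILE" segments, and flags ICC data that is oversized, lacks the "acsp" header signature of a genuine profile, or has the near-8-bits-per-byte entropy typical of encrypted content. Thresholds are assumptions; the sample images are constructed inline.

```python
import math
import struct

ICC_TAG = b"ICC_PROFILE\x00"  # APP2 identifier used for embedded ICC data

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; values near 8.0 suggest encrypted or compressed content."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def extract_icc_profile(jpeg: bytes) -> bytes:
    """Join the ICC_PROFILE APP2 segments of a JPEG in sequence-number order."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    chunks, pos = {}, 2
    while pos + 4 <= len(jpeg):
        marker, length = struct.unpack(">HH", jpeg[pos:pos + 4])
        if marker in (0xFFDA, 0xFFD9):  # SOS/EOI: no more metadata segments
            break
        payload = jpeg[pos + 4:pos + 2 + length]
        if marker == 0xFFE2 and payload.startswith(ICC_TAG):
            body = payload[len(ICC_TAG):]
            chunks[body[0]] = body[2:]  # body[0] = sequence no., body[1] = chunk count
        pos += 2 + length
    return b"".join(chunks[k] for k in sorted(chunks))

def assess_icc(jpeg: bytes, max_bytes: int = 256 * 1024, max_entropy: float = 7.5) -> dict:
    """Flag ICC data that is oversized, not a real profile, or looks encrypted (assumed thresholds)."""
    icc = extract_icc_profile(jpeg)
    ent = round(shannon_entropy(icc), 3)
    has_acsp = len(icc) >= 128 and icc[36:40] == b"acsp"  # ICC header signature at offset 36
    flagged = bool(icc) and (not has_acsp or len(icc) > max_bytes or ent > max_entropy)
    return {"icc_bytes": len(icc), "entropy": ent, "valid_header": has_acsp, "flagged": flagged}

def make_jpeg(icc_data: bytes) -> bytes:
    """Constructed minimal JPEG (SOI, one ICC APP2 segment, SOS, EOI) for testing."""
    seg = ICC_TAG + b"\x01\x01" + icc_data
    return (b"\xff\xd8" + struct.pack(">HH", 0xFFE2, len(seg) + 2) + seg
            + b"\xff\xda\x00\x02" + b"\xff\xd9")

# Constructed samples: a plausible profile header (mostly zeros) vs. opaque uniform bytes
BENIGN = make_jpeg(struct.pack(">I", 128) + b"\x00" * 32 + b"acsp" + b"\x00" * 88)
OPAQUE = make_jpeg(bytes(range(256)) * 4)

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("opaque", OPAQUE)):
        print(name, assess_icc(sample))
```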
The researcher believes SteamHide's author plans to add polymorphism and metamorphism in future versions, since the sample contains a CodePieceManager for compiling source code into MSIL assemblies.
There is also a method that lets the malware send Twitter requests, which could allow it to act as a Twitter bot.
SteamHide is currently not functional, but appears to be under active development. The researcher is confident that this malware will soon emerge in the wild. Just like other in-development families, it will be able to infect almost any device.