Last week, Valve removed a game from its online store Steam because the product was laced with malware.
After the removal of the game, which was called PirateFi, security researchers analyzed the malware and found that whoever planted it modified an existing video game in an attempt to trick gamers into installing an info-stealer called Vidar.
Marius Genheimer, a researcher who analyzed the malware and works at Falcon Team, told TechCrunch that judging by the command and control servers associated with the malware and its configuration, “we suspect that PirateFi was just one of several tactics used to distribute Vidar payloads en masse.”
“It is highly likely that it never was a legitimate, running game that was altered after first publication,” said Genheimer.
In other words, PirateFi was designed to spread malware.
Genheimer and colleagues also found that PirateFi was built by modifying an existing game template called Easy Survival RPG, which bills itself as a game-making app that “gives you everything you need to develop your own singleplayer or multiplayer” game. The game maker costs between $399 and $1,099 to license.
This explains how the hackers were able to ship a functioning video game with their malware with little effort.
According to Genheimer, the Vidar infostealing malware is capable of stealing and exfiltrating several types of data from the computers it infects, including: passwords from the web browser autofill feature, session cookies that can be used to log in as someone without needing their password, web browser history, cryptocurrency wallet details, screenshots, and two-factor codes from certain token generators, as well as other files on the person’s computer.

Vidar has been used in several hacking campaigns, including one attempting to steal Booking.com’s hotel credentials, others with the goal of deploying ransomware, and another effort to plant malicious advertisements on Google search results. During 2024, the Health Sector Cybersecurity Coordination Center (HC3) reported that Vidar, which was first discovered in 2018, has “grown to be one of the most successful infostealers.”
Infostealers are common types of malware designed to steal information and data from a victim’s computer. Infostealers are often sold in the malware-as-a-service model, meaning the malware can be purchased and used even by hackers with little skill. This also makes identifying who was behind PirateFi “very difficult,” said Genheimer, as Vidar “is widely adopted by many cybercriminals.”
Genheimer said they analyzed several samples of the malware included in PirateFi: one found on the online malware repository VirusTotal, which was apparently uploaded by a gamer in Russia; another they identified via SteamDB, a website that publishes information about games hosted on Steam. The researchers found a third sample in a threat intelligence database they have access to. All three malware samples have the same functionality, according to Genheimer.
Valve did not respond to TechCrunch’s request for comment.
Seaworth Interactive, the purported developers of PirateFi, has no apparent online presence. Until last week, the game had an X account, which has now been removed. The account included a link to the game on Steam.
The owners of the account did not respond to a request to talk via Direct Message before it was removed.