A researcher has discovered a new malware, SteamHide, using Steam profile images to stay hidden. Hiding malware in an image file's metadata is not new, however, using a gaming platform is something unique.
Hide and seek
SteamHide serves payloads for malware downloaders by abusing Steam profiles.
The Steam platform serves as a delivery agent that drops the malicious file on the victim’s device. Though, it can also target users outside Steam or any other gaming platform.
The main work, including unpacking, executing, and downloading the malicious payload, is managed by an external component that accesses the profile image on a Steam profile.
This malware payload can be spread by crafted emails, compromised websites, and other usual tactics.
The Steam profile images are not infectious and cannot be executed. They serve as a carrier for the actual malware and need a second malware to be extracted. This second malware could be a downloader for other threats.
At present, the malware looks to be lacking some functionalities and is being actively developed. However, there are a few code segments found inside the binary, which have not been used until now.
SteamHide is stored in an encrypted form inside the PropertyTagICCProfile value instead of the ICC profile. The ICC profile is used to map colors accurately for output devices such as printers.
The malware checks if Microsoft Teams is installed. It basically follows a method called EnumerateVulnerable, which checks for installed applications on the infected system that can be abused for exploits.
Also, there is a technique that allows it to send Twitter requests, which could be used in the future by SteamHide to either act as a Twitter bot or receive commands via Twitter.
SteamHide is a unique malware that targets the popular gaming platform Steam to serve as a downloader. Moreover, replacing the malware is as easy as replacing a profile image file. While blacklisting the Steam platform is not a practical solution due to a large number of genuine users, organizations are suggested to use genuine anti-malware solutions and firewalls to stay protected.