The variety and type of malicious code that can be lurking on the Internet to attack us is almost infinite. In fact now we are going to talk about a method that abuses the popular PC gaming platform, Steam, we are talking about SteamHide .
This is malicious code that sends payloads to malware downloaders so their operators can update infected machines by adding new profile images on Steam . At the same time its developers seem to have more ambitious goals, which is why it is being seen now.
To give us a more precise idea, we are talking about a new malware that uses Steam profile images to hide in them. So much so that at first the tools that read common EXIF data do not show anything out of the ordinary about the infected image.
How malware is added to the Steam photo
The only thing worth noting in this regard is that you see a warning that the length of the ICC profile data is invalid. This is because instead of an ICC profile, the malware itself is encoded within the PropertyTagICCProfile value. The purpose of the ICC profile is to map colors correctly for output devices, such as printers.
To say that hiding a virus or the like in the metadata of an image file is not exactly new. However, here the use of a gaming platform such as Steam is striking, something unprecedented and dangerous due to its wide use throughout the world. From an attacker’s point of view, this approach makes sense, as delivering malware is as easy as replacing a profile image file.
In addition, as we mentioned, there are a large number of legitimate accounts and blocking the Steam platform would have many unwanted side effects by most. At the same time, it must be borne in mind that to be infected with this method, it is not necessary to install Steam . The gaming platform serves as the vehicle that hosts the malicious file, in this case the photo.
Form of action of the new malware
Say that the process of downloading, unpacking and executing the malicious is handled by an external component that only accesses the profile image. This load would be distributed by the usual means such as tampered emails, or dangerous websites.
At this point, the first thing to know is that the Steam profile image is not infectious or executable from the outset. This one, with the infectious method explained, only serves as a carrier of the real malware. Therefore it requires a second malware to be extracted first, something like a downloader that uses an encrypted password to decrypt the malicious payload of the image.
As some experts have already proven first-hand, this downloader that we are discussing uses a Steam profile to hide the malware in the images. In this way, said malicious code can be updated through a specific Steam profile. And just like the downloader, this one extracts the executable from the PropertyTagICCProfile data from the photo. Thus the configuration allows to change the ID of the property of the same and the search string. This means that other image properties will be used in the future to hide the malware.
In the same way, we must know that SteamHide, the malware we have talked about, currently lacks functionality, but it seems to be in active development. There are still parts of your code that are not used for now. For example, the malware checks if Teams is installed on the PC, but nothing is done with this information . This may be used to check the applications installed on the infected system and to abuse them for exploits .
Experts predict that we will see this malware emerge shortly, so security firms will have to be prepared.
