Infostealer Malware „Vidar“ distributed via the Steam store

Infostealer-Malware Vidar

Introduction

A free-to-play survival game named “PirateFi” in the Steam online game store has been distributing the Vidar infostealing malware to unsuspecting gamers. Last week, Valve removed the game from its online store after users voiced concerns about malware alerts raised by anti-virus software when starting the game.

After the removal of the game, the SECUINFRA Falcon Team analyzed the malware and found that the game was an attempt to trick gamers into installing an infostealer called “Vidar”. As the game advertisements contained references to cryptocurrency and blockchain technology, we believe that this was a lure specifically targeting players interested in these topics.

This research has also been covered by BleepingComputer and TechCrunch.

Technical Analysis

The analytics platform SteamDB was quick to notice the removal of the game from the Steam store and posted Valve’s notification to affected players on X (Twitter). We used the SteamDB platform to visually identify a suspiciously large executable that was changed and re-uploaded on multiple occasions over the span of three days. This gave us a starting point for our planned malware analysis.


Figure 1: Suspicious changes to the PirateFi game repository (source: SteamDB)

The sample of “Pirate.exe” that we identified is 693MB in size. Such inflated file sizes are commonly found with infostealer malware as a low-effort approach to evading detection by anti-virus software and sandboxes, which often skip files above a size limit. We found that the file is packaged as an InnoSetup installer wizard, which we will have to unpack.


Figure 2: Visualization of the sections of “Pirate.exe”, showing an inflated overlay

The tool “innoextract” can be used to extract the – again massively inflated – payload named “Howard.exe” from the installer file “pirate.exe”. The extracted executable is still 507MB in size, which could complicate further analysis.


Figure 3: Extracting the InnoSetup installer file

We used @SquiblydooBlog’s debloat tool (https://github.com/Squiblydoo/debloat) to shrink the file down to a more manageable size of 2.6MB by removing the unnecessary content from the file overlay (a big block of randomized dictionary words).


Figure 4: Deflating the executable using “debloat”
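As an added example (our own illustration, not the debloat tool or any code from the sample), the following Python script checks for the inflated-overlay trait described above: it parses the PE section table, measures the bytes beyond the last section and flags a file whose overlay dominates it and consists of printable text, as the dictionary-word padding in this sample does. The minimal PE and the word padding are constructed inline and stand in for real binaries.

```python
import random
import struct

def overlay_info(data: bytes) -> dict:
    """Locate the PE overlay (bytes after the last section's raw data) and describe it."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    first_section = coff + 20 + opt_size
    end = 0
    for i in range(num_sections):
        # SizeOfRawData and PointerToRawData sit at offsets 16 and 20 of each 40-byte section header
        raw_size, raw_ptr = struct.unpack_from("<II", data, first_section + i * 40 + 16)
        end = max(end, raw_ptr + raw_size)
    overlay = data[end:]
    printable = sum(32 <= b < 127 for b in overlay) / len(overlay) if overlay else 0.0
    return {"overlay_size": len(overlay),
            "overlay_share": len(overlay) / len(data),
            "printable_ratio": printable}

def looks_inflated(info: dict, min_share: float = 0.9, min_printable: float = 0.95) -> bool:
    """Flag when almost all of the file is overlay and that overlay is plain text (word padding)."""
    return info["overlay_share"] >= min_share and info["printable_ratio"] >= min_printable

def build_sample_pe(overlay: bytes) -> bytes:
    """Constructed, non-executable minimal PE: one 512-byte section, then the given overlay."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)          # e_lfanew = 64
    opt = b"\0" * 224                                           # zeroed PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102)
    raw_ptr = 512
    section = b".text\0\0\0" + struct.pack("<IIIIIIHHI", 0x200, 0x1000, 0x200,
                                             raw_ptr, 0, 0, 0, 0, 0x60000020)
    headers = dos + b"PE\0\0" + coff + opt + section
    headers += b"\0" * (raw_ptr - len(headers))
    return headers + b"\x90" * 0x200 + overlay

# Constructed stand-in for the "randomized dictionary words" padding found in the overlay.
WORDS = ["anchor", "breeze", "cobalt", "delta", "ember", "falcon", "granite", "harbor"]
PADDING = " ".join(random.Random(7).choice(WORDS) for _ in range(4000)).encode()

if __name__ == "__main__":
    for label, blob in (("clean", build_sample_pe(b"")), ("padded", build_sample_pe(PADDING))):
        info = overlay_info(blob)
        print(label, info, "INFLATED" if looks_inflated(info) else "ok")
```

Legitimate overlays (installer payloads, Authenticode signatures) are mostly binary, so the printable-text condition keeps them from being flagged on size alone.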

Through dynamic analysis and YARA signature matches we determined that we are looking at a Vidar infostealer sample.

Vidar uses a two-stage approach to Command and Control communication. The malware configuration holds links to two so-called Dead Drop Resolvers (DDR). These DDRs use legitimate websites such as Telegram, Mastodon, Google Calendar or, in this case, a Steam user profile to store the URL/IP address of the second-stage (“real”) CnC server. This helps the threat actor to obscure their backend infrastructure and allows for a certain flexibility when running multiple CnC servers at once. Such a DDR contains a marker/key (here: a110mgz) that is used to locate and verify the DDR content, followed by the IP address (e.g. 95.216.180[.]186) of the second-stage CnC (see Figure 5 below). As the screenshot shows, the second-stage CnC IPs are exchanged from time to time.


Figure 5: Dead Drop Resolver hosted on a Steam profile

The second stage Command and Control server associated with this sample is opbafindi[.]com. Another sample that was identified later uses a different server: durimri[.]sbs.

Conclusion

We conclude that “PirateFi” was at no point a legitimate, playable game, but rather a direct attempt to infect players interested in cryptocurrency with infostealer malware. The threat actor altered the game files multiple times, e.g. with varying obfuscation techniques and Command and Control servers for credential exfiltration.

We cannot confirm whether this is the first malware distribution campaign via a Steam game ever, but it has certainly been a rare occurrence until now. This case may lead other threat actors to attempt such campaigns in the future. Valve will have to improve their review process and detection capabilities for malware in game bundles. In our opinion they should have been able to automatically detect this incident based on file properties such as invalid signatures, inflated file size and erratic changes to the game file repository over a short time span.

Indicators of compromise (IoC)

Executables

File name           MD5 hash
Pirate.exe          57ed3e1505b3bd9dfb2fc85a8efce1e9
Pirate.exe          187f0daaedc4e8c01c538c1075036d77
Corsair.exe         7dcaa927972d159a44679d1d0d9a786d
Howard.exe          e3202e70c2d8aecf0347f85c4fb39032
Howard_patched.exe  c5ad9a93b22622ae100aff54ae31dc8a

Command and control infrastructure

First stage C2s / Dead Drop Resolvers:

hxxps://t[.]me/sok33tn

hxxps://steamcommunity[.]com/profiles/76561199824159981

Second stage C2s:

opbafindi[.]com (159.69.103[.]4)

durimri[.]sbs (5.75.215[.]154)


SECUINFRA Falcon Team • Author

Digital Forensics & Incident Response experts

In addition to the activities that are the responsibility of customer orders, the Falcon team takes care of the operation, further development and research of various projects and topics in the DF/IR area.
