mopamma.blogg.se

Klub 17 game malware











Look out for SteamHide, an emerging malware that disguises itself inside profile images on the gaming platform Steam, which researchers think is being developed for a wide-scale campaign.

The Steam platform merely serves as a vehicle which hosts the malicious file, according to research from G Data: “The heavy lifting in the shape of downloading, unpacking and executing a malicious payload fetched by the loader is handled by an external component, which accesses the malicious profile image on one Steam profile. This external payload can be distributed via crafted emails to compromised websites.”

The technique is called steganography and it’s not new, but Steam profiles being used as attacker-controlled hosting sites is.

“While hiding malware in an image file’s metadata is not a new phenomenon, using a gaming platform such as Steam is previously unheard of,” G Data analyst Karsten Hahn said about SteamHide in a new disclosure report, which builds on the original find posted on Twitter: “Just found malware being hosted on a steam profile inside an image! That's the first time I see something like that”

The malware downloader is hiding in the Steam profile image’s metadata, specifically in the International Color Consortium (ICC) profile, a standardized set of data to control color output for printing. Attackers hide their malware in benign images commonly shared online, including memes like “blinking white guy” used in the G Data analysis example.

“The low-quality image shows three frames of the ‘white guy blinking’ meme alongside the words January, a black screen, and September,” Hahn added.

Victims of the malware don’t have to be on Steam or have any gaming platform installed, G Data’s researchers found. The profile image data only hosts the malware; to make it onto a victim’s machine, it must be fetched by a loader that’s been loaded onto a compromised device, the report explained.

Once executed on a victim machine, the malware terminates any security protections and checks for administration rights, the researchers found, then copies itself to the “LOCALAPPDATA” folder and persists by creating a registry key that G Data identified as “\Software\Microsoft\Windows\CurrentVersion\Run\BroMal.”

For now, that’s all it does.
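Because the hiding place described above is the image's ICC profile, a defender can pull that profile out of a downloaded image and check whether it is structured like colour data at all. The following is an added example, not code from G Data or from the original article; it assumes a JPEG carrier (ICC data in APP2 segments), and the function names, the 7.0 entropy threshold and both sample profiles are constructed for illustration.

```python
import hashlib
import math
import struct

ICC_MARKER = b"ICC_PROFILE\x00"  # identifier that opens each APP2 ICC chunk

def extract_icc(jpeg: bytes) -> bytes:
    """Reassemble the ICC profile carried in a JPEG's APP2 segments."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    chunks, pos = {}, 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):  # EOI or start of scan: no more metadata
            break
        (seg_len,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        body = jpeg[pos + 4:pos + 2 + seg_len]
        if marker == 0xE2 and body.startswith(ICC_MARKER) and len(body) >= 14:
            chunks[body[12]] = body[14:]  # body[12] is the 1-based chunk number
        pos += 2 + seg_len
    return b"".join(chunks[i] for i in sorted(chunks))

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (8.0 means uniformly random)."""
    counts = [data.count(v) for v in set(data)]
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts)

def icc_findings(jpeg: bytes) -> list:
    """Return reasons the embedded ICC profile does not look like colour data."""
    profile = extract_icc(jpeg)
    if len(profile) < 128:  # no profile at all is fine; a stub is not
        return ["shorter than the 128-byte ICC header"] if profile else []
    findings = []
    if struct.unpack(">I", profile[:4])[0] != len(profile):
        findings.append("size field does not match profile length")
    if profile[36:40] != b"acsp":
        findings.append("missing 'acsp' signature")
    if entropy(profile) > 7.0:  # assumed threshold, tune on your own corpus
        findings.append("high entropy")
    return findings

def sample_jpeg(profile: bytes) -> bytes:
    """Constructed test image: SOI, one APP2 ICC chunk, EOI (no pixel data)."""
    body = ICC_MARKER + bytes([1, 1]) + profile
    return b"\xff\xd8\xff\xe2" + struct.pack(">H", len(body) + 2) + body + b"\xff\xd9"

CLEAN = struct.pack(">I", 512) + bytes(32) + b"acsp" + bytes(472)  # constructed, well-formed header
OPAQUE = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64))  # constructed opaque blob
```

A profile that passes these checks is not proven benign; the checks only catch data that ignores the ICC header layout or looks encrypted or compressed.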











