SteamHide Malware found within the Steam profile images

The SteamHide Malware

While you may not know it, there is malware hidden within the Steam profile images. Codenamed SteamHide, experts suspect that this new malware loader is part of a large-scale operation.

Researchers have found that the Steam platform acts solely as a vehicle for hosting the malware loader, while the downloading and executing of the harmful payload delivered by the loader is handled by an external component that has access to the Steam profile through a malicious image. Aside from the gaming platforms, the external component can use different infected websites and well-crafted emails for its distribution.

Hiding viruses inside an image file metadata is not uncommon, however, using a gaming platform such as Steam is previously unheard of, researchers are noting. According to the information that is available, the malware downloader is hiding inside a Steam’s profile image’s metadata, more precisely in the International Color Consortium (ICC) profile, which is a standardized collection of data for printing color management.

G Data research shows that the malware is being shared online through memes such as the “white guy blinking” and other low-quality images.  This means that victims of this Steam profile picture scam don’t have to be on Steam or have any gaming platform installed.

The research explains that the profile image data includes just the downloader, while the additional malware that is delivered is not included in the image. As soon as it gets activated, the malware immediately blocks any existing security protections, checks for administrator rights and then makes a copy of itself in the “Localappdata” folder. Persistence is created by adding the following key in the Registry:

“\Software\Microsoft\Windows\CurrentVersion\Run\BroMal”

G Data claims that the developers of SteamHide have many malicious tools hidden inside their malware. According to the professionals who are examining the threat, though the tools themselves aren’t currently being used, they may be dangerous in the future.

From what has been found, the threat actors have added a feature that is checking if Teams is installed on the infected machine. In addition to that, the criminals have embedded a tool that allows the malware to receive and send commands over Twitter, as well as some other components that indicate that a lot of hard work and sophistication has been put in the development of the threat.