June 7, 2023

Attackers keep finding new ways to distribute malware. Platforms like Slack and Discord are already being used as a medium to spread it, and attackers are now targeting the popular gaming store Steam, hiding malware in profile pictures.

SteamHide Malware

SteamHide is a form of malware that hides within the metadata of a Steam profile picture. Technically, the image's PropertyTagICCProfile value, which normally stores information to help printers detect the colors of an image, is changed to hold the encrypted malware.

This value is a part of the EXIF data that exists in an image to help you identify the camera used. The profile picture or the image is not the malware itself, but it is a container for the malware and is inactive until it’s decrypted by a separate malware downloader.

The image or the profile picture helps in the distribution of malware to an infected computer without getting detected by any antivirus software.

The infected computer must already have a downloader, which extracts the malware from the publicly accessible Steam profile image. It retrieves the malware by connecting to the image hosted on the Steam platform.

The attackers who developed it are clever enough to know that you cannot simply block connections to the Steam platform. If you block Steam, you may not be able to use the platform for playing video games, and you may flag legitimate profiles in the process.

There are millions of accounts on Steam, and it is tough to know which profile is harboring malware inside its profile picture. It is also easy to update the malware on an infected computer by simply updating the profile picture.

SteamHide is in active development by the attackers and has not actually been detected in the wild spreading malware yet. It may become part of a big attack soon because of its effectiveness in evading detection. Even though the profile picture on Steam is not dangerous on its own, it is one piece of the attack that cannot be easily detected or blocked.

Steam cannot do much about it as of now, except remove the images from the malicious profiles it detects, so the technique is here to stay.
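Because the payload sits in the ICC profile field described above, one defensive check is whether that field still parses as a real ICC profile. The Python sketch below is an added example, not code from SteamHide or from any vendor: it pulls the ICC data out of a JPEG's APP2 segments and flags a missing `acsp` header signature, a wrong declared size, or near-random content. The 7.5 bits/byte entropy threshold and both sample images are constructed assumptions.

```python
import hashlib, math, struct
from collections import Counter

ICC_TAG = b"ICC_PROFILE\x00"  # identifier of a JPEG APP2 segment carrying ICC data

def extract_icc(jpeg: bytes) -> bytes:
    """Reassemble the ICC profile stored in a JPEG's APP2 segments."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    chunks, pos = {}, 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):  # end of image / start of scan: no more metadata
            break
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])  # includes itself
        body = jpeg[pos + 4:pos + 2 + length]
        if marker == 0xE2 and body.startswith(ICC_TAG):
            chunks[body[len(ICC_TAG)]] = body[len(ICC_TAG) + 2:]  # key = chunk no.
        pos += 2 + length
    return b"".join(chunks[k] for k in sorted(chunks))

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (8.0 = indistinguishable from random)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def icc_findings(jpeg: bytes, max_entropy: float = 7.5) -> list:
    """Return reasons the embedded ICC data does not look like a real profile."""
    icc = extract_icc(jpeg)
    if not icc:
        return []
    findings = []
    if len(icc) < 128 or icc[36:40] != b"acsp":  # fixed signature in ICC header
        findings.append("missing 'acsp' signature")
    if len(icc) < 4 or struct.unpack(">I", icc[:4])[0] != len(icc):
        findings.append("declared size mismatch")
    if entropy(icc) > max_entropy:  # threshold is an assumed heuristic
        findings.append("high entropy")
    return findings

# Constructed samples: a bare header-only profile and a pseudo-random blob.
def jpeg_with_icc(profile: bytes) -> bytes:
    body = ICC_TAG + b"\x01\x01" + profile
    return b"\xff\xd8\xff\xe2" + struct.pack(">H", len(body) + 2) + body + b"\xff\xd9"

PLAIN = jpeg_with_icc(struct.pack(">I", 512) + bytes(32) + b"acsp" + bytes(472))
BLOB = jpeg_with_icc(b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128)))

if __name__ == "__main__":
    print(icc_findings(PLAIN), icc_findings(BLOB))
```

A hit only means the metadata is not a usable color profile; it is a triage signal for images fetched by an unknown process, not proof of a payload.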
