Full Report
Valve has removed a game titled 'Sniper: Phantom's Resolution' from the Steam store following multiple user reports that indicated its demo installer actually infected their systems with information stealing malware. [...]
Analysis Summary
# Incident Report: Steam Game Demo Distributes Info-Stealing Malware
## Executive Summary
A fraudulent game demo, falsely listed on Steam under a developer profile named 'arda1337,' was discovered to be distributing infostealing malware to users who downloaded the installer from an external GitHub repository. The malware utilized techniques such as process killing and VBScript persistence to evade detection and establish a foothold. Valve and GitHub swiftly removed the assets following user reports, though an unknown number of users are presumed compromised.
## Incident Details
- Discovery Date: Unknown (Triggered by user suspicion/reports)
- Incident Date: Unknown (Began after the demo was listed)
- Affected Organization: Valve/Steam Platform Users
- Sector: Gaming/Software Distribution
- Geography: Global (Platform distribution)
## Timeline of Events
### Initial Access
- Date/Time: [Not specified]
- Vector: Deceptive listing on Steam linking to an external GitHub repository.
- Details: Users were prompted to download the demo installer (named 'Windows Defender SmartScreen.exe') from a GitHub repository hosted by 'arda1337'.
### Lateral Movement
- [Not explicitly detailed, but the malware installed commodity attack tools suggesting preparation for further access/exfiltration.]
### Data Exfiltration/Impact
- Impact: Infection with info-stealing malware, likely targeting credentials and system information via tools incorporated into the installer.
### Detection & Response
- Detection: Noticed by players who suspected the game assets were copied from other titles.
- Response Actions: Reddit users reported the discovery; GitHub removed the malicious repository; Valve deleted the game from Steam; the developer's website ('sierrasixstudios[.]dev') was taken offline.
## Attack Methodology
- Initial Access: Social engineering/Malicious software distribution via a deceptive game demo listing and external download link.
- Persistence: Execution of 'createShortcut.vbs' to add a startup task for the malicious executable.
- Privilege Escalation: The installer contained a privilege escalation utility.
- Defense Evasion: The malware executed a series of Node.js scripts and killed them quickly to evade detection.
- Credential Access: Tooling suggests intent to steal credentials (though specific methods are not fully detailed).
- Discovery: [Not explicitly detailed, but included Node.js wrapper and Fiddler for potential reconnaissance/interception.]
- Lateral Movement: [Not specified, but commodity attack tools were present.]
- Collection: Use of Fiddler to intercept cookies implies data collection.
- Exfiltration: [Not explicitly detailed.]
- Impact: Installation of infostealing malware.
## Impact Assessment
- Financial: Not quantified, but costs incurred by users for cleanup and potential credential loss.
- Data Breach: Likely theft of user credentials, cookies, and potentially other system information from infected machines. Estimated up to 1,500 users downloaded the title.
- Operational: Disruption to platform integrity (Steam/GitHub).
- Reputational: Damage to Steam's reputation as a secure software distribution platform, following a similar incident a month prior (PirateFi).
## Indicators of Compromise
- Network indicators: [Not provided, only the tool Fiddler was mentioned.]
- File indicators: 'Windows Defender SmartScreen.exe' (Installer name); Malicious Node.js scripts; 'createShortcut.vbs'.
- Behavioral indicators: Execution of short-lived Node.js scripts that are killed shortly after launch; creation of system startup tasks via VBScript ('createShortcut.vbs').
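The file and behavioral indicators above translate directly into host-level detection checks. The following is an added example (not part of the report or of any Valve/GitHub tooling) that runs three such checks over constructed Sysmon-style process events: the installer name from the IoC list running outside system directories, Windows Script Host launching a .vbs (with 'createShortcut.vbs' called out), and node.exe processes whose create/terminate pair shows a lifetime under a few seconds. The log lines, PIDs, paths and the 5-second threshold are all made up for the example; a real deployment would read Sysmon event IDs 1 and 5 from the event log or a SIEM.

```python
"""Detection checks for the behavioural indicators in the report.

Added example: constructed Sysmon-like events, not data from the incident.
"""
import json
from datetime import datetime
from pathlib import PureWindowsPath

# Constructed sample events (JSON lines). "event" 1 = process create,
# 5 = process terminate, mirroring Sysmon event IDs. Paths and PIDs are made up.
SAMPLE_LOG = r"""
{"event": 1, "time": "2025-03-20T10:00:00", "pid": 4100, "image": "C:\\Users\\alice\\Downloads\\Windows Defender SmartScreen.exe", "cmdline": "Windows Defender SmartScreen.exe"}
{"event": 1, "time": "2025-03-20T10:00:02", "pid": 4120, "image": "C:\\Windows\\System32\\wscript.exe", "cmdline": "wscript.exe C:\\Users\\alice\\AppData\\Local\\Temp\\createShortcut.vbs"}
{"event": 5, "time": "2025-03-20T10:00:03", "pid": 4120, "image": "C:\\Windows\\System32\\wscript.exe", "cmdline": ""}
{"event": 1, "time": "2025-03-20T10:00:04", "pid": 4130, "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\node.exe", "cmdline": "node.exe a.js"}
{"event": 5, "time": "2025-03-20T10:00:05", "pid": 4130, "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\node.exe", "cmdline": ""}
{"event": 1, "time": "2025-03-20T10:00:06", "pid": 4131, "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\node.exe", "cmdline": "node.exe b.js"}
{"event": 5, "time": "2025-03-20T10:00:07", "pid": 4131, "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\node.exe", "cmdline": ""}
{"event": 1, "time": "2025-03-20T09:00:00", "pid": 3000, "image": "C:\\Program Files\\nodejs\\node.exe", "cmdline": "node.exe server.js"}
{"event": 5, "time": "2025-03-20T09:45:00", "pid": 3000, "image": "C:\\Program Files\\nodejs\\node.exe", "cmdline": ""}
{"event": 1, "time": "2025-03-20T09:10:00", "pid": 3100, "image": "C:\\Windows\\System32\\smartscreen.exe", "cmdline": "smartscreen.exe -Embedding"}
"""

# Directories where a genuinely Microsoft-signed SmartScreen binary would live.
SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def parse_events(text):
    """Parse JSON lines into event dicts with a datetime 'time' field."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["time"] = datetime.fromisoformat(ev["time"])
        events.append(ev)
    return events


def detect_masquerading_installer(events):
    """PIDs of 'Windows Defender SmartScreen.exe' started outside system dirs."""
    hits = []
    for ev in events:
        if ev["event"] != 1:
            continue
        image = ev["image"].lower()
        name = PureWindowsPath(image).name
        if name == "windows defender smartscreen.exe" and not image.startswith(SYSTEM_DIRS):
            hits.append(ev["pid"])
    return hits


def detect_vbs_persistence(events):
    """(pid, is_createShortcut) for wscript/cscript launching any .vbs file."""
    hits = []
    for ev in events:
        if ev["event"] != 1:
            continue
        host = PureWindowsPath(ev["image"]).name.lower()
        cmd = ev["cmdline"].lower()
        if host in ("wscript.exe", "cscript.exe") and ".vbs" in cmd:
            hits.append((ev["pid"], "createshortcut.vbs" in cmd))
    return hits


def detect_short_lived_node(events, max_seconds=5.0):
    """(pid, lifetime_seconds) for node.exe processes killed within max_seconds."""
    starts = {}
    hits = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if PureWindowsPath(ev["image"]).name.lower() != "node.exe":
            continue
        if ev["event"] == 1:
            starts[ev["pid"]] = ev["time"]
        elif ev["event"] == 5 and ev["pid"] in starts:
            lifetime = (ev["time"] - starts.pop(ev["pid"])).total_seconds()
            if lifetime <= max_seconds:
                hits.append((ev["pid"], lifetime))
    return hits


def run_detections(text, max_node_seconds=5.0):
    """Run all three checks over a JSON-lines log and return the hits by name."""
    events = parse_events(text)
    return {
        "masquerading_installer": detect_masquerading_installer(events),
        "vbs_persistence": detect_vbs_persistence(events),
        "short_lived_node": detect_short_lived_node(events, max_node_seconds),
    }


if __name__ == "__main__":
    for name, hits in run_detections(SAMPLE_LOG).items():
        print(f"{name}: {hits}")
```

On the sample data the long-running node.exe under Program Files and the real smartscreen.exe in System32 are not flagged, while the Downloads-folder installer, the createShortcut.vbs launch and the two one-second node.exe processes are. The lifetime threshold is the tunable part: legitimate build tooling also spawns brief node.exe processes, so in practice the short-lived check is best combined with the parent process (the installer) rather than used alone.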
## Response Actions
- Containment measures: Valve removed the game from Steam; GitHub removed the associated repository.
- Eradication steps: Users were advised to uninstall the title and run a full system scan.
- Recovery actions: [Not specified for the platform, remediation focuses on user endpoint cleanup.]
## Lessons Learned
- User suspicion was the primary trigger for detection, highlighting the need for more robust pre-vetting of third-party assets, especially those linking outside the primary platform.
- Developers with suspicious profiles (hosting crypto tools/botkits) should be flagged by platform security monitoring.
- The incident closely followed another malware distribution via a Steam game demo (PirateFi/Vidar).
## Recommendations
- Enhance Steam's vetting process to scan demo installers uploaded via linked external repositories for known attack tools (e.g., privilege escalation utilities, cookie interceptors like Fiddler).
- Implement stricter controls or automated scanning for developer accounts that host overtly malicious or known problematic toolkits on linked external sites (like GitHub).
- Ensure platform integrity by immediately blacklisting developer IDs associated with confirmed malware distribution incidents.