{"id":57183,"date":"2025-03-06T09:49:40","date_gmt":"2025-03-06T08:49:40","guid":{"rendered":"https:\/\/www.secuinfra.com\/news\/infostealer-malware-vidar-spread-via-the-steam-store\/"},"modified":"2025-03-24T15:50:55","modified_gmt":"2025-03-24T14:50:55","slug":"infostealer-malware-vidar-spread-via-the-steam-store","status":"publish","type":"post","link":"https:\/\/testing.secuinfra.com\/en\/techtalk\/infostealer-malware-vidar-spread-via-the-steam-store\/","title":{"rendered":"Infostealer Malware \u201eVidar\u201c distributed via the Steam store"},"content":{"rendered":"<div id=\"ez-toc-container\" class=\"ez-toc-v2_0_83 counter-flat ez-toc-counter ez-toc-white ez-toc-container-direction\">\n<div class=\"ez-toc-title-container\">\n<p class=\"ez-toc-title\" style=\"cursor:inherit\">[inhalt_uebersetzt]<\/p>\n<span class=\"ez-toc-title-toggle\"><\/span><\/div>\n<nav><ul class='ez-toc-list ez-toc-list-level-1 ' ><li class='ez-toc-page-1'><a class=\"ez-toc-link ez-toc-heading-1\" href=\"https:\/\/testing.secuinfra.com\/en\/techtalk\/infostealer-malware-vidar-spread-via-the-steam-store\/#Introduction\" >Introduction<\/a><\/li><li class='ez-toc-page-1'><a class=\"ez-toc-link ez-toc-heading-2\" href=\"https:\/\/testing.secuinfra.com\/en\/techtalk\/infostealer-malware-vidar-spread-via-the-steam-store\/#Technical_Analysis\" >Technical Analysis<\/a><\/li><li class='ez-toc-page-1'><a class=\"ez-toc-link ez-toc-heading-3\" href=\"https:\/\/testing.secuinfra.com\/en\/techtalk\/infostealer-malware-vidar-spread-via-the-steam-store\/#Conclusion\" >Conclusion<\/a><\/li><li class='ez-toc-page-1'><a class=\"ez-toc-link ez-toc-heading-4\" href=\"https:\/\/testing.secuinfra.com\/en\/techtalk\/infostealer-malware-vidar-spread-via-the-steam-store\/#Indicators_of_compromise_IoC\" >Indicators of compromise (IoC)<\/a><\/li><\/ul><\/nav><\/div>\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Introduction\"><\/span>Introduction<span 
class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">A free-to-play survival game named \u201cPirateFi\u201d in the Steam online game store has been distributing the Vidar infostealing malware to unsuspecting gamers. Last week, Valve removed the game from its online store because users voiced their concerns about malware alerts through Anti-Virus software after starting the game.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">After the removal of the game, the SECUINFRA Falcon Team analyzed the malware and found that the game was an attempt to trick gamers into installing an info-stealer called \u201cVidar\u201d. As the game advertisements contained references to cryptocurrency and blockchain technology, we believe that this was a lure specifically targeting players interested in these topics.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">This research has also been covered by <a  href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/piratefi-game-on-steam-caught-installing-password-stealing-malware\/\"  dpc-external=\"true\"  target=\"_blank\"  rel=\"nofollow\" >BleepingComputer<\/a> and <a  href=\"https:\/\/techcrunch.com\/2025\/02\/18\/hackers-planted-a-steam-game-with-malware-to-steal-gamers-passwords\/\"  dpc-external=\"true\"  target=\"_blank\"  rel=\"nofollow\" >Techcrunch<\/a>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Technical_Analysis\"><\/span>Technical Analysis<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">The analytics platform SteamDB was quick to notice the removal of the game from the Steam store and posted <a  href=\"https:\/\/x.com\/SteamDB\/status\/1889610974484705314\"  dpc-external=\"true\"  target=\"_blank\"  rel=\"nofollow\" >Valve\u2019s notification to affected players on X (Twitter)<\/a>. 
We used the SteamDB platform to visually identify a suspiciously large executable that was changed and re-uploaded multiple times over the span of three days. This gave us a starting point for our planned malware analysis.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img fetchpriority=\"high\" decoding=\"async\" width=\"1600\" height=\"786\" src=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/steam-infostealer-1-1600x786.png\" alt=\"\" class=\"wp-image-57167\" srcset=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/steam-infostealer-1-1600x786.png 1600w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/steam-infostealer-1-800x393.png 800w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/steam-infostealer-1-768x377.png 768w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/steam-infostealer-1-1536x755.png 1536w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/steam-infostealer-1-2048x1006.png 2048w\" sizes=\"(max-width: 1600px) 100vw, 1600px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\"><br>Figure 1 : Suspicious changes to the PirateFi game repository (source: SteamDB)<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The sample of &#8220;Pirate.exe&#8221; that we identified is 693MB in size. Such an inflated file size is commonly found with infostealer malware, as a low-effort approach to evading detection by Anti-Virus software and sandboxes. 
We found that the file is packaged as an InnoSetup installer wizard, which we will have to unpack.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" width=\"1600\" height=\"1341\" src=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/steam-infostealer-2-1600x1341.png\" alt=\"\" class=\"wp-image-57169\" srcset=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/steam-infostealer-2-1600x1341.png 1600w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/steam-infostealer-2-800x671.png 800w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/steam-infostealer-2-768x644.png 768w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/steam-infostealer-2-1536x1288.png 1536w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/steam-infostealer-2-2048x1717.png 2048w\" sizes=\"(max-width: 1600px) 100vw, 1600px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\"><br>Figure 2 : Visualization of the sections of &#8220;Pirate.exe&#8221;, showing an inflated overlay<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The tool &#8220;innoextract&#8221; can be used to extract the &#8211; again massively inflated &#8211; payload named &#8220;Howard.exe&#8221; from the installer file \u201cpirate.exe\u201d. 
The extracted executable is still 507MB in size, which could complicate further analysis.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"1430\" height=\"330\" src=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/steam-infostealer-3.png\" alt=\"\" class=\"wp-image-57171\" srcset=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/steam-infostealer-3.png 1430w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/steam-infostealer-3-800x185.png 800w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/steam-infostealer-3-768x177.png 768w\" sizes=\"(max-width: 1430px) 100vw, 1430px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\"><br>Figure 3 : Extracting the InnoSetup installer file<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">We used @SquiblydooBlog&#8217;s debloat tool (https:\/\/github.com\/Squiblydoo\/debloat) to shrink the file down to a more manageable size of 2.6MB by removing the unnecessary content from the file overlay (a big block of randomized dictionary words).<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1192\" height=\"1248\" src=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/steam-infostealer-4.png\" alt=\"\" class=\"wp-image-57173\" srcset=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/steam-infostealer-4.png 1192w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/steam-infostealer-4-764x800.png 764w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/steam-infostealer-4-768x804.png 768w\" sizes=\"(max-width: 1192px) 100vw, 1192px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\"><br>Figure 4 : Deflating the executable using &#8220;debloat&#8221;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Through dynamic analysis and YARA signature matches we determined that we are looking at a Vidar infostealer sample.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Vidar uses a two stage approach to Command and Control 
communication. The malware configuration holds links to two so-called Dead Drop Resolvers (DDR). These DDRs use legitimate websites such as Telegram, Mastodon, Google Calendar or, in this case, a Steam user profile to store the URL\/IP address of the second-stage (&#8220;real&#8221;) CnC server. This helps the threat actor to obscure their backend infrastructure and allows for a certain flexibility when running multiple CnC servers at once. Such a DDR contains a marker\/key (here: a110mgz) that is used to verify the DDR content, and the IP address (e.g. 95.216.180[.]186) of the second-stage CnC (see Figure 5 below). As you can see in the screenshot, the second-stage CnC IPs are exchanged from time to time.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1600\" height=\"641\" src=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/steam-infostealer-5-1600x641.png\" alt=\"\" class=\"wp-image-57175\" srcset=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/steam-infostealer-5-1600x641.png 1600w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/steam-infostealer-5-800x320.png 800w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/steam-infostealer-5-768x308.png 768w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/steam-infostealer-5-1536x615.png 1536w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/steam-infostealer-5-2048x820.png 2048w\" sizes=\"(max-width: 1600px) 100vw, 1600px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\"><br>Figure 5 : Dead Drop Resolver hosted on a Steam profile<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The second-stage Command and Control server associated with this sample is opbafindi[.]com. 
Another sample that was identified later uses a different server: durimri[.]sbs.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Conclusion\"><\/span>Conclusion<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">We conclude that \u201cPirateFi\u201d was at no point a legitimate, playable game, but rather a direct attempt to infect players with interest in cryptocurrency with infostealer malware. The threat actor altered the game files multiple times, e.g. with varying obfuscation techniques and Command and Control servers for credential exfiltration.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">We cannot confirm whether this is the first malware distribution campaign via a Steam game ever, but it is certainly a rare occurrence up until now. This case may lead other threat actors to attempt such campaigns in the future. Valve will have to improve their review process and detection capabilities for malware in game bundles. 
In our opinion they should have been able to automatically detect this incident based on file properties such as invalid signatures, inflated file size and erratic changes to the game file repository over a short time span.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Indicators_of_compromise_IoC\"><\/span>Indicators of compromise (IoC)<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Executables<\/h3>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><tbody><tr><td><strong>File name<\/strong><\/td><td><strong>MD5 hash<\/strong><\/td><\/tr><tr><td>Pirate.exe<\/td><td>57ed3e1505b3bd9dfb2fc85a8efce1e9<\/td><\/tr><tr><td>Pirate.exe<\/td><td>187f0daaedc4e8c01c538c1075036d77<\/td><\/tr><tr><td>Corsair.exe<\/td><td>7dcaa927972d159a44679d1d0d9a786d<\/td><\/tr><tr><td>Howard.exe<\/td><td>e3202e70c2d8aecf0347f85c4fb39032<\/td><\/tr><tr><td>Howard_patched.exe<\/td><td>c5ad9a93b22622ae100aff54ae31dc8a<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">Command and control infrastructure<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">First stage C2s \/ Dead Drop Resolvers:<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">hxxps:\/\/t[.]me\/sok33tn<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">hxxps:\/\/steamcommunity[.]com\/profiles\/76561199824159981<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Second stage C2s:<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">opbafindi[.]com (159.69.103[.]4)<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">durimri[.]sbs (5.75.215[.]154)<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A free survival game called &#8220;PirateFi&#8221; on the Steam online game store has been distributing the information-stealing malware Vidar to unsuspecting players. Last week, Valve removed a game from its online store because users raised concerns about malware warnings from anti-virus software after launching the game. 
<\/p>\n<p>After removing the game, the SECUINFRA Falcon team analyzed the malware and determined that the game was an attempt to trick players into installing an infostealer called &#8220;Vidar&#8221;. As the game advertisement contained references to cryptocurrencies and blockchain technology, we believe this was a lure specifically targeting players interested in these topics. <\/p>\n","protected":false},"author":6,"featured_media":57187,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[81,251],"tags":[350],"dpc_coauthors":[],"class_list":["post-57183","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-techtalk","category-threat-detection","tag-cyber-defense-en"],"acf":[],"_links":{"self":[{"href":"https:\/\/testing.secuinfra.com\/en\/wp-json\/wp\/v2\/posts\/57183","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/testing.secuinfra.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/testing.secuinfra.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/testing.secuinfra.com\/en\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"https:\/\/testing.secuinfra.com\/en\/wp-json\/wp\/v2\/comments?post=57183"}],"version-history":[{"count":0,"href":"https:\/\/testing.secuinfra.com\/en\/wp-json\/wp\/v2\/posts\/57183\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/testing.secuinfra.com\/en\/wp-json\/wp\/v2\/media\/57187"}],"wp:attachment":[{"href":"https:\/\/testing.secuinfra.com\/en\/wp-json\/wp\/v2\/media?parent=57183"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/testing.secuinfra.com\/en\/wp-json\/wp\/v2\/categories?post=57183"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/testing.secuinfra.com\/en\/wp-json\/wp\/v2\/tags?post=57183"},{"taxonomy":"dpc_coauthors","embeddable":true,"href":
"https:\/\/testing.secuinfra.com\/en\/wp-json\/wp\/v2\/dpc_coauthors?post=57183"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}