This Malware that Uses Steam Profile Images to Hide Itself

In May 2021, a researcher tweeted about a new malware that hides itself inside Steam profile photos. Except for a warning that the length of the ICC profile data is not acceptable, common online EXIF tools don’t provide anything significant about the image. Because the malware is stored in encrypted form inside the PropertyTagICCProfile value instead of an ICC profile. The goal of an ICC profile is to appropriately map colours for output devices like printers. 

Valve’s Steam is a video game digital distribution platform. In September 2003, it was released as a separate software client as a mechanism for Valve to give automatic updates for their games, and it was later expanded to include games from third-party publishers. Digital rights management (DRM), server hosting, video streaming, and social networking services are all available through Steam. It also includes community features such as friends lists and groups, cloud storage, and in-game voice and chat functions, as well as game installation and automatic updates.

While concealing malware in the metadata of an image file is not a novel concept, leveraging a gaming platform like Steam has never been done before. This strategy makes sense from the attacker’s perspective: It’s as simple as updating a profile image file to remove the infection. There are also a lot of valid accounts, and blacklisting the Steam platform would have a lot of unintended consequences. 

It should be emphasised that no installation of Steam – or any other game platform – is required to become a target for this strategy. The Steam platform only acts as a medium for the malicious file to be distributed.  

An external component, which only sees the profile image on one Steam profile, does the hard lifting in terms of downloading, unpacking, and executing the malicious payload. This payload can be transmitted by a variety of methods, including manipulated emails and infected websites. 

The Steam profile image is neither contagious or executable in any way. It acts as a vehicle for the malware itself. It requires the extraction of a second malware. This malware sample’s second component is a downloader. It uses TripleDES to decode the payload from the picture and has the password “PjlDbzxS#;[email protected]&4MsTqE0” hardcoded.