SteamHide Malware Hides in Steam Profile Images


Security analysts at G Data have discovered a new malware called SteamHide, whose operators hide malicious code within the metadata of images used in Steam profiles. The unusual images were first spotted by cybersecurity researcher Miltinhoc, who shared his findings on Twitter in late May 2021.

Just found malware being hosted on a Steam profile inside an image! That's the first time I've seen something like that @malwrhunterteam

- miltinhoc (@miltinh0c), May 13, 2021

According to G Data researchers, these images appear harmless at first glance. Standard EXIF tools do not detect anything suspicious, except for a warning that the ICC profile data length is incorrect.

However, instead of a typical ICC profile (normally used for color management on external devices such as printers), these images carry encrypted malware in the PropertyTagICCProfile value. Hiding malware in image metadata is not a new technique, but the researchers note that using a major gaming platform like Steam as the host makes detection and takedown considerably harder: attackers can swap out the malware at any time simply by changing the image file in a profile.

Steam itself is only used as a hosting platform for the malware. The actual work of downloading, unpacking, and executing the malicious payload is performed by an external component that accesses the image from the Steam profile. This payload can also be distributed through more traditional means, such as email or compromised websites.

Experts emphasize that the images themselves from Steam profiles are neither “infectious” nor executable. They simply serve as a carrier for the actual malware, which requires a second malicious program to extract it.

How SteamHide Works

The second piece of malware, which acts as a loader, was found by researchers on VirusTotal. It contains a hardcoded password ("{PjlD \\ bzxS #; 8 @ \\ x.3JT & <4 ^ MsTqE0") and uses TripleDES encryption to decrypt payloads from the images.

On a victim's system, SteamHide first queries the Win32_DiskDrive WMI class for entries that indicate VMware or VBox, and exits if any are present. It then checks whether it has administrator privileges and, if not, attempts to escalate them using cmstp.exe.

On its first run, the malware copies itself to the LOCALAPPDATA folder, using the name and extension specified in its configuration. SteamHide establishes persistence by creating the following registry key:

\Software\Microsoft\Windows\CurrentVersion\Run\BroMal
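The two host-side behaviours just described, the Run-key value and the cmstp.exe privilege-escalation step, are what an endpoint analyst would look for first. The following detection heuristics are an added example written for this article; they are not G Data's tooling or anything from the malware. The records they run over are constructed sample telemetry: the value name BroMal comes from the article, while the executable paths, process ids, hive prefixes (HKCU/HKLM) and the benign entries are assumptions.

```python
import re

# Autorun key named in the article. The page gives the path relative to the hive; the
# HKCU/HKLM prefixes in the constructed sample records below are assumptions.
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run$", re.IGNORECASE)

# Path fragments that mark user-writable locations such as LOCALAPPDATA. Legitimate
# software also installs there, so a hit is a triage lead, not a verdict.
USER_WRITABLE_MARKERS = ("\\appdata\\local\\", "%localappdata%", "\\appdata\\roaming\\", "\\temp\\")


def is_user_writable_path(path: str) -> bool:
    """True if the executable path points into a directory a standard user can write to."""
    normalised = path.strip('"').lower()
    return any(marker in normalised for marker in USER_WRITABLE_MARKERS)


def suspicious_run_values(values: list[dict]) -> list[str]:
    """Flag Run-key values whose target executable lives in a user-writable directory."""
    hits = []
    for v in values:
        if RUN_KEY_RE.search(v["key"]) and is_user_writable_path(v["data"]):
            hits.append(f"Run value {v['name']!r} -> {v['data']} (user-writable location)")
    return hits


def suspicious_cmstp_launches(events: list[dict]) -> list[str]:
    """Flag cmstp.exe process creations whose parent runs from outside C:\\Windows.

    That parent/child pairing is rare in normal use and matches the escalation step
    the article describes; it is a heuristic for review, not proof of compromise.
    """
    hits = []
    for e in events:
        image = e["image"].lower()
        parent = e["parent_image"].lower()
        if image.endswith("\\cmstp.exe") and not parent.startswith("c:\\windows\\"):
            hits.append(f"cmstp.exe (pid {e['pid']}) spawned by {e['parent_image']}")
    return hits


def triage(values: list[dict], events: list[dict]) -> list[str]:
    """Combine both heuristics into one list of findings."""
    return suspicious_run_values(values) + suspicious_cmstp_launches(events)


# Constructed sample telemetry (not real SteamHide artefacts). Only the value name
# "BroMal" comes from the article; every path, pid and benign entry is made up.
SAMPLE_RUN_VALUES = [
    {"key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "name": "BroMal",
     "data": r"C:\Users\alice\AppData\Local\svcupd.exe"},
    {"key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "name": "SecurityHealth",
     "data": r"C:\Windows\System32\SecurityHealthSystray.exe"},
]
SAMPLE_PROCESS_EVENTS = [
    {"pid": 4120, "image": r"C:\Windows\System32\cmstp.exe",
     "parent_image": r"C:\Users\alice\AppData\Local\svcupd.exe"},
    {"pid": 3300, "image": r"C:\Windows\System32\cmstp.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_RUN_VALUES, SAMPLE_PROCESS_EVENTS):
        print(finding)
```

Run as a script it prints one hit per heuristic; in practice the same two functions would be fed by whatever produces your registry and process-creation telemetry, and the user-writable-path check deliberately errs on the side of noise because a per-user autorun pointing into LOCALAPPDATA is exactly the first-run behaviour the article describes.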

The IP address of the command and control server is stored on Pastebin, and updates can be received through a specific Steam profile. Like the loader, it extracts the executable file from the PropertyTagICCProfile. The configuration allows it to change the image property ID and search string, meaning other image parameters could be used to hide malware in Steam in the future.
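Both the loader and SteamHide itself pull their payload out of the image's ICC profile field, and the article notes that the one visible symptom is an "ICC profile data length is incorrect" warning, while the configurable property ID means the payload could move to another metadata field. The scanner below is an added example, not G Data's code and not part of the malware; it assumes the profile is carried in a JPEG APP2 segment (the article does not name the image format), checks the ICC header fields that a genuine profile must have, and applies an entropy check to every APPn segment so a payload hidden elsewhere in the metadata is also reported. Both sample images are constructed in the block; the "suspect" profile is a stand-in with the statistical shape of ciphertext, not the real SteamHide payload.

```python
import math
import struct
from collections import Counter

ICC_TAG = b"ICC_PROFILE\x00"   # APP2 identifier that precedes an embedded ICC profile in JPEG


def build_app2_icc_segment(profile: bytes, seq: int = 1, count: int = 1) -> bytes:
    """Wrap a profile blob into a JPEG APP2 segment: FF E2, 2-byte length, tag, seq/count, data."""
    payload = ICC_TAG + bytes([seq, count]) + profile
    return b"\xff\xe2" + struct.pack(">H", len(payload) + 2) + payload


def build_jpeg(segments: list[bytes]) -> bytes:
    """Minimal JPEG skeleton (SOI, metadata segments, EOI); enough for a metadata scanner."""
    return b"\xff\xd8" + b"".join(segments) + b"\xff\xd9"


def iter_segments(data: bytes):
    """Yield (marker, payload) for each marker segment before the image data starts."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):          # EOI or SOS: no more metadata segments
            return
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        yield marker, data[pos + 4:pos + 2 + seg_len]
        pos += 2 + seg_len


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; compressed or encrypted data approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def check_icc_profile(profile: bytes) -> list[str]:
    """Sanity-check the 128-byte ICC header: profile size at bytes 0-3, 'acsp' at 36-39."""
    findings = []
    if len(profile) < 128:
        return ["profile shorter than the 128-byte ICC header"]
    declared = struct.unpack(">I", profile[:4])[0]
    if declared != len(profile):
        findings.append(f"declared size {declared} != actual {len(profile)}")
    if profile[36:40] != b"acsp":
        findings.append("missing 'acsp' signature at offset 36")
    if profile[:2] == b"MZ":
        findings.append("profile starts with an MZ (PE) header")
    return findings


def scan_jpeg(data: bytes, entropy_threshold: float = 7.0, min_size: int = 1024) -> list[dict]:
    """Report per-segment findings. ICC segments get header checks; every segment also
    gets an entropy check, so a payload moved to another metadata field is still caught."""
    results = []
    for index, (marker, payload) in enumerate(iter_segments(data)):
        name = f"APP{marker - 0xE0}" if 0xE0 <= marker <= 0xEF else f"0x{marker:02X}"
        entry = {"index": index, "segment": name, "size": len(payload), "findings": []}
        if marker == 0xE2 and payload.startswith(ICC_TAG):
            entry["findings"] += check_icc_profile(payload[len(ICC_TAG) + 2:])
        entropy = shannon_entropy(payload)
        entry["entropy"] = round(entropy, 2)
        if len(payload) >= min_size and entropy > entropy_threshold:
            entry["findings"].append(f"high-entropy segment ({entropy:.2f} bits/byte)")
        results.append(entry)
    return results


# --- Constructed samples (not the real SteamHide images) ---
# A minimal but well-formed ICC profile: valid header, zero tags.
_header = bytearray(128)
_header[0:4] = struct.pack(">I", 132)
_header[12:16] = b"mntr"
_header[16:20] = b"RGB "
_header[36:40] = b"acsp"
BENIGN_PROFILE = bytes(_header) + struct.pack(">I", 0)

# Stand-in for an encrypted payload: wrong declared size, no 'acsp', uniform byte distribution.
SUSPECT_PROFILE = struct.pack(">I", 128) + bytes(range(256)) * 8

BENIGN_JPEG = build_jpeg([build_app2_icc_segment(BENIGN_PROFILE)])
SUSPECT_JPEG = build_jpeg([build_app2_icc_segment(SUSPECT_PROFILE)])

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_JPEG), ("suspect", SUSPECT_JPEG)):
        for entry in scan_jpeg(blob):
            print(label, entry)
```

The size mismatch that standard tools warn about is the first check; the 'acsp' signature and the entropy score are what separate a merely damaged profile from one that is carrying something else. Real images with large embedded profiles (camera-vendor profiles, for instance) will occasionally trip the entropy threshold, so treat a hit as a reason to pull the blob and look at it rather than as a verdict on its own.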

Current Capabilities and Future Development

So far, SteamHide does not have any additional functionality and appears to still be under development. Researchers found several code segments that are not currently used. For example, the malware checks if Microsoft Teams is installed by looking for SquirrelTemp\SquirrelSetup.log, but currently does nothing with this information. This may be intended for future attacks targeting installed applications on infected systems.

Researchers also found a placeholder function called ChangeHash(), suggesting that the malware's developer plans to add polymorphism in future versions. Additionally, the malware can send requests to Twitter, which could be used in the future to receive commands via Twitter or to operate as a Twitter bot.
