Dangerous Games: How Trojans Attack Gaming Platforms
The computer gaming industry is a massive business, with revenues rivaling those of the oil industry. This money attracts not only investors but also criminals, including many malware developers. The number of malicious programs that steal in-game items and hijack Steam accounts is growing rapidly. This article explains how these Trojans work.
Virtual Economies and the Rise of Game Item Theft
Modern multiplayer games create entire virtual universes, complete with their own mythology, physics, and economic systems. In-game worlds feature artifacts and gear that give players advantages or let them customize their characters. Players can earn gear in battle, find it, complete quests, or simply buy it. Some gamers even make a living by selling hard-earned in-game items or fully developed accounts.
Wherever there’s money to be made, shady schemes inevitably appear. For example, as early as 2011, The Guardian reported on Chinese prisoners forced to farm loot and in-game currency for real-world sale. Soon, malware creators joined in, spreading Trojans disguised as cheats and trainers to hijack gaming accounts. By 2014, malware was being used not just to steal Steam accounts, but also individual in-game items, often through clever tricks.
SteamBurglar: The Trojan That Stole In-Game Items
In the summer of 2014, CS:GO players began reporting mysterious disappearances of their in-game inventory on Reddit. Just before the incident, the victim would receive a Steam chat message from another user offering to trade virtual items, complete with a screenshot of the proposed inventory. The deal looked attractive, but after completing the trade, the player would log in to find their most valuable items gone.
Analysts traced the cause to a Trojan called SteamBurglar. While the unsuspecting user examined the trade offer, the Trojan located the running Steam client process, read its memory, and extracted information about the user's inventory. It then searched for valuable items using keywords like rare, mythical, immortal, legendary, arcana, and key (the list could be customized in the Trojan's admin panel). SteamBurglar immediately listed the stolen items for sale on Steam at a competitive price, with the proceeds going to the malware creator's account.
The Trojan and its builder tools were sold on cheat forums and could steal items not only from CS:GO, but also from Dota 2, Team Fortress 2, and Warframe. Initially, users sent trade messages using third-party tools, but by December 2014, the author released an update allowing spam directly from the admin app. Steam’s administrators were slow to respond, at first telling victims to find and report the thief’s accounts themselves. Eventually, under public pressure, Steam changed its item sale procedures, requiring email confirmation for such transactions.
SteamLogger: A More Sophisticated Threat
Later that year, a new Trojan called SteamLogger.1 appeared, targeting Dota 2, CS:GO, and Team Fortress 2 players. It was even more sophisticated. The dropper was spread via links on cheat sites, social networks, and private messages. Victims were lured with offers to buy or trade in-game items cheaply, with details provided via a link that downloaded the dropper.
The dropper contained the Trojan and a service module in encrypted form. When run, it decrypted the service module and saved it as update.exe in the %TEMP% folder, while loading the Trojan itself directly into memory. SteamLogger.1 then downloaded and displayed a fake image of the item supposedly for sale to lull the victim into a false sense of security.
The service module looked for (or created) a Steam folder in Program Files (x86)\Common Files\, saved SteamService.exe there, set the hidden and system attributes on the file, and registered it for autostart in the Windows registry. It collected information about the infected machine (including the system partition serial number, OS version, and architecture) and sent it to the command server through built-in proxy addresses. The main purpose of the service module was to update the Trojan.
The main module stayed in memory, monitoring the game client process and waiting for the user to log in to Steam. Once logged in, the Trojan intercepted the login credentials, checked whether Steam Guard and other security features were enabled, and sent all this data to the command server. In response, it received a list of accounts to which stolen items could be transferred, along with transaction parameters.
The Trojan searched the Steam client folder for files named ssfn* (the Steam Guard sentry files that mark a machine as trusted, so an attacker who copies them can log in from another computer without being challenged) and collected the contents of the config subfolder. It bundled these files with the victim's account data, encoded everything in Base64, and sent it to the command server. If Steam's auto-login was disabled, the Trojan launched a keylogger that transmitted captured keystrokes every 15 seconds via POST requests to the server, never saving logs locally.
SteamLogger.1 searched the victim’s inventory for items using keywords like Mythical, Legendary, Arcana, Immortal, Container, and Supply Crate. If the user had listed any of these items for sale, the Trojan would remove them from the market. All stolen items were then transferred to one of the attacker’s Steam accounts. The stolen goods were resold through online stores set up by the attackers.
Malware as a Service: Renting Out Trojans
Since then, new malware targeting Steam accounts and in-game items has appeared regularly. The rise of "malware as a service" has made things worse, with Trojans being rented out to other criminals. Several such stealers were actively spread in the summer before this article was written. One malware author, known as Faker, rented out Trojans for 10,000 to 25,000 rubles per month, and they were reportedly in high demand.
One particularly clever Trojan would wait for a user to list an item for trade on a marketplace, intercept the trade request, and then use the victim's avatar and nickname to send a similar offer from the attacker's account. When the victim traded on the official steamcommunity.com portal, the Trojan used web injects (modifications to the page content as it was rendered in the victim's browser) to swap item images, so the victim believed they were receiving a valuable item when they were actually getting a cheap trinket. Judging by active forum ads, the business of renting out such malware is still thriving.
Conclusion
In summary, today’s “game Trojans” fall into several categories. The simplest ones steal files from the Steam client or user credentials using keylogging and fake login forms. More advanced malware uses traffic analyzers and web injects to intercept security parameters and swap items during online trades or sales. In the future, malware creators will undoubtedly invent new ways to steal valuable virtual property from gamers—wherever there’s money, crime is never far behind.