Hackers Abuse Steam's Wallpaper Engine to Distribute Malware

Gamers Beware: Hackers Abuse Steam's Wallpaper Engine to Distribute Infostealers and Ransomware

Severity: MEDIUM
June 19, 2026
Categories: Malware, Phishing, Cyberattack

Impact Scope

People Affected: Thousands of users
Industries Affected: Media and Entertainment
Geographic Impact: China, Russia, Germany, Canada, India, Vietnam (global)

Related Entities

Products & Tech: Steam, Wallpaper Engine

Full Report

Executive Summary

A recent investigation by Kaspersky has uncovered a widespread malware distribution campaign targeting gamers on the Steam platform. Threat actors are abusing the Steam Workshop and the popular 'Wallpaper Engine' application to deliver malware. They embed malicious payloads within user-submitted animated wallpapers, which, when downloaded and activated, infect the user's computer. The campaign has distributed a variety of malware, including infostealers, backdoors, and ransomware, with a primary focus on users in China and Russia. The technique is particularly deceptive as it uses a trusted platform (Steam) and a legitimate application feature to execute malicious code, often without any obvious signs of compromise.

Threat Overview

The attack vector is the 'application wallpaper' feature within Wallpaper Engine, a tool that allows users to have animated and interactive desktop backgrounds. This feature permits wallpapers to include and run executable files (.exe). Attackers exploit this by:

  1. Creating Malicious Wallpapers: They package malware alongside or within an otherwise functional animated wallpaper.
  2. Uploading to Steam Workshop: The malicious content is uploaded to the public Steam Workshop, a repository where users share custom game content and application assets.
  3. Deceptive Lure: The wallpapers are given enticing names and visuals. Some even include playable mini-games to mask their malicious nature.
  4. Execution: When a user subscribes to, downloads, and runs the malicious wallpaper, the embedded executable runs in the background, infecting their system.

This campaign is not attributed to a single actor, as researchers have observed a diverse range of malware being distributed through this method.

Technical Analysis

The core of this attack is the abuse of a legitimate application's functionality. Wallpaper Engine is not inherently malicious, but its design allows for the execution of code, which threat actors have turned into an infection vector. The malware payloads observed include:

  • Infostealers: Lumma and Vidar, which are designed to steal browser cookies, saved passwords, cryptocurrency wallets, and other sensitive information.
  • Backdoors: DarkKomet, a remote access trojan (RAT) that can give an attacker full control over the victim's machine, including the ability to hijack active Steam sessions to steal accounts.
  • Loaders: The RenEngine loader, used to download and execute additional malware payloads.
  • Other Malware: Cryptocurrency miners and ransomware have also been seen.

Impact Assessment

The primary targets are individual gamers, but the impact can be significant:

  • Account Theft: Compromise of Steam accounts, which can have significant monetary value, as well as other online accounts (email, social media).
  • Financial Loss: Theft of cryptocurrency wallet keys and banking credentials.
  • Identity Theft: Loss of sensitive personal information stored on the computer.
  • Further Infection: The infected machine can be used as part of a botnet for DDoS attacks or to spread the malware further to the victim's contacts. For prolific gamers or streamers, the loss of their Steam account can also represent a loss of community and income.

IOCs — Directly from Articles

No specific file hashes or C2 domains were mentioned in the source articles.

Cyber Observables — Hunting Hints

For individual users, hunting can be difficult. However, signs of infection could include:

  • Observable: Unexpected new processes running in Task Manager, especially after changing a wallpaper in Wallpaper Engine.
  • Observable: Increased CPU or GPU usage when idle, which could indicate a cryptocurrency miner.
  • Observable: Unexplained network activity from unknown applications, visible in tools like Resource Monitor.
  • Observable: Security alerts from antivirus software after installing a new wallpaper.

Detection & Response

  • Antivirus/Antimalware: Use a reputable antivirus solution and keep it updated. It may detect the malware payloads when they are written to disk or executed.
  • Process Monitoring: Be mindful of running processes. If a new, unknown process appears after running a wallpaper, terminate it and uninstall the wallpaper immediately.
  • Account Security: If you suspect a compromise, immediately change your Steam password and passwords for any other important accounts. Enable Steam Guard (MFA) on your Steam account.
  • D3FEND Techniques: For advanced users, employing endpoint security tools that use D3-PA: Process Analysis can help identify suspicious processes spawned by wallpaper32.exe or wallpaper64.exe.

Mitigation

  1. Source Vetting: Only download wallpapers from highly-rated, reputable creators on the Steam Workshop. Check the comments section for any warnings from other users.
  2. Avoid 'Application' Wallpapers: Be extremely cautious with wallpapers of the 'Application' type, as these are the ones that can run executables. Prefer 'Video' or 'Scene' type wallpapers.
  3. Enable MFA: Secure your Steam account with Steam Guard. This will prevent attackers from taking over your account even if they steal your password.
  4. Regular Scans: Run regular scans with your antivirus software.
  5. Principle of Least Privilege: Run your daily user account as a standard user, not an administrator. This can limit the damage a malware infection can cause.

Timeline of Events

  1. June 16, 2026: Kaspersky publishes its report detailing the malware campaign.
  2. June 18, 2026: Multiple news outlets report on the Kaspersky findings, and Valve begins removing malicious content.
  3. June 19, 2026: This article is published.

MITRE ATT&CK Mitigations

Educate users to be cautious about the source and type of content they download from public repositories like Steam Workshop.

Use a reputable antivirus solution to scan downloaded files and detect known malware payloads.

Enable MFA (Steam Guard) on Steam accounts to protect them from being taken over even if credentials are stolen.

While not directly applicable to Wallpaper Engine's design, using endpoint security that monitors for suspicious process chains can help prevent the malicious executables from running undetected.

D3FEND Defensive Countermeasures

Users and endpoint security solutions should closely monitor the process activity associated with Wallpaper Engine (wallpaper32.exe or wallpaper64.exe). A key detection strategy is to look for these legitimate processes spawning unexpected child processes, especially command shells (cmd.exe, powershell.exe) or any other executable that is not part of the core application. This is highly anomalous behavior for a wallpaper application. An EDR or advanced security tool can be configured to alert or block such process chains, effectively containing the malware before it can execute its primary payload. This behavioral approach is more robust than signature-based detection as it can catch novel malware distributed through this vector.
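As an added illustration of the process-chain rule described above (not code from the article or from Kaspersky), the following Python evaluates constructed Sysmon-style process-creation events: a Wallpaper Engine parent spawning anything outside its own install directory raises an alert, and a shell child is rated high. The install path, workshop path, command line and the same-directory allowlist are assumptions to tune against your own baseline.

```python
import ntpath
from typing import Optional

# Wallpaper Engine binaries named in the report, and the shells it calls out.
WATCHED_PARENTS = {"wallpaper32.exe", "wallpaper64.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def evaluate(event: dict) -> Optional[dict]:
    """Score one process-creation event; return an alert dict or None.

    Assumed baseline: a Wallpaper Engine process only legitimately starts
    executables shipped in its own install directory. Anything else is
    anomalous for a wallpaper application, and a shell is high severity.
    """
    parent, child = event["ParentImage"], event["Image"]
    if _base(parent) not in WATCHED_PARENTS:
        return None
    if ntpath.dirname(child).lower() == ntpath.dirname(parent).lower():
        return None  # child lives beside the parent: treated as part of the app
    severity = "high" if _base(child) in SHELLS else "medium"
    return {"severity": severity, "parent": _base(parent), "child": child,
            "cmdline": event.get("CommandLine", "")}


def hunt(events: list) -> list:
    """Run the rule over a batch of events and return all alerts, in order."""
    return [a for a in (evaluate(e) for e in events) if a is not None]


# Constructed sample telemetry using Sysmon Event ID 1 field names; not real logs.
WE_DIR = r"C:\Program Files (x86)\Steam\steamapps\common\wallpaper_engine"  # assumed path
SAMPLE_EVENTS = [
    # Benign: 32-bit launcher starts the 64-bit renderer from the same folder.
    {"ParentImage": WE_DIR + r"\wallpaper32.exe", "Image": WE_DIR + r"\wallpaper64.exe"},
    # Anomalous: renderer spawns a shell right after an "application" wallpaper is activated.
    {"ParentImage": WE_DIR + r"\wallpaper64.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c C:\PLACEHOLDER\update.bat"},
    # Anomalous: renderer runs an executable from a workshop download folder (placeholder id).
    {"ParentImage": WE_DIR + r"\wallpaper64.exe",
     "Image": r"C:\Program Files (x86)\Steam\steamapps\workshop\content\PLACEHOLDER_ID\wallpaper.exe"},
    # Unrelated parent: outside the rule's scope.
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for alert in hunt(SAMPLE_EVENTS):
        print(alert)
```

The same check covers the first hunting hint above (a new process appearing after a wallpaper change), since that process will show up as a child of wallpaper32.exe or wallpaper64.exe in process-creation telemetry.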

To mitigate the impact of account credential theft by infostealers like Lumma and Vidar, all Steam users must enable Steam Guard, Steam's native MFA solution. This requires a code from a mobile app or email for logins from new devices. Even if an attacker successfully infects a user's machine and steals their username and password, MFA will prevent them from logging into the Steam account and hijacking it. This is a critical defense-in-depth measure that protects the user's valuable digital assets and identity, rendering the credential theft aspect of the malware far less effective.

Article Author

Jason Gomes, Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.
