Full Report
A threat actor called EncryptHub has compromised a game on Steam to distribute info-stealing malware to unsuspecting users downloading the title. [...]
Analysis Summary
# Incident Report: Infostealer Malware in Early Access Steam Game
## Executive Summary
An information-stealing malware was secretly introduced into an early access game distributed via the Steam platform, marking the third known instance of malware infiltrating Steam games this year. The attack vectors and exact compromise details are still under investigation, but the attack leverages the less stringent review process applied to early access titles. So far the only known response is that external security researchers have begun analyzing the threat; the developer and Valve have not issued public confirmation or remediation steps, so users are advised to avoid the game.
## Incident Details
- Discovery Date: Unknown (Implied shortly after malware release)
- Incident Date: Unknown (Concurrent with game release/update)
- Affected Organization: Developer of the specific early access game (unnamed in the source article); Valve (platform owner)
- Sector: Gaming/Software Distribution
- Geography: Global (Distributed via Steam)
## Timeline of Events
### Initial Access
- Date/Time: Unknown
- Vector: Compromise of the game development/distribution pipeline, likely involving the developer's project files prior to submission to Steam.
- Details: Malicious files containing infostealer malware were added to the game project files before distribution on Steam. An insider threat is suggested as a possibility.
### Lateral Movement
- Not explicitly detailed, as the focus is on the initial infection vector via the game download. Lateral movement would occur on the end-user's machine post-installation.
### Data Exfiltration/Impact
- Impact: Installation of infostealer malware on the machines of end users who downloaded the game. This malware is designed to steal sensitive information (credentials, session data, etc.) from the compromised systems.
### Detection & Response
- Detection: The presence of malware was likely discovered by security researchers examining the game files or by end-users experiencing compromises.
- Response Actions: IOCs were made publicly available via GitHub by Prodaft. External parties (BleepingComputer) contacted the developer and Valve for comment. **Crucially, official developer/Valve response actions are not yet confirmed.**
## Attack Methodology
- Initial Access: Supply Chain Compromise via legitimate software distribution channel (Steam early access game files).
- Persistence: Not detailed for the malware itself, but the initial access relies on the legitimate execution of the downloaded game software.
- Privilege Escalation: Not detailed.
- Defense Evasion: Malware was hidden within a seemingly legitimate software distribution.
- Credential Access: Yes, via the nature of the "infostealer malware."
- Discovery: Not detailed (likely internal reconnaissance by the malware).
- Lateral Movement: Not detailed for this report's scope.
- Collection: Gathering of user files and credentials typical for an infostealer payload.
- Exfiltration: Exfiltration of collected data back to the threat actor.
- Impact: Theft of sensitive user data and credentials from compromised systems.
## Impact Assessment
- Financial: Unknown (Potential costs related to data breach remediation for affected users).
- Data Breach: Compromise of user credentials, session tokens, and potentially other sensitive data residing on end-user PCs that ran the game.
- Operational: Potential disruption to end-users' system security and accounts. Unclear impact on the developer/Steam operations aside from reputation.
- Reputational: Significant reputational damage to the specific game developer and potential scrutiny on Valve's review processes for early access titles.
## Indicators of Compromise
- *Note: Specific IOCs were published via an external GitHub link and are not reproduced here. The existence of published IOCs indicates that at least an initial analysis of the malware has been completed.*
- Network indicators: (Refer to external link provided in source material)
- File indicators: (Refer to external link provided in source material)
- Behavioral indicators: Execution of a legitimate application resulting in credential harvesting.
## Response Actions
- Containment: Users are advised to avoid downloading the game. The game remains available on Steam, raising the question of whether and when the platform will remove it.
- Eradication: Unknown/Pending developer action or manual user removal.
- Recovery: Unknown/Pending official guidance.
## Lessons Learned
- Early access games on platforms like Steam may be subject to less rigorous vetting, increasing the risk of supply chain compromises.
- This is the third such instance this year involving early access games, indicating a recurring vulnerability in the vetting process for "work-in-progress" titles.
- Developers must rigorously secure their build environments, as an insider threat remains a potential vector.
## Recommendations
- Users should exercise extreme caution and avoid downloading early access (work-in-progress) games until official statements confirm the removal of malicious content.
- Valve should review and potentially increase security scrutiny for all titles submitted, even those in early access phases.
- Developers should conduct comprehensive security audits immediately following any suspected environment compromise, especially before submitting builds to major platforms.