A recent cybersecurity incident involving the threat actor known as EncryptHub has raised alarms following the compromise of a Steam-hosted game, Chemia. This breach aimed to distribute sophisticated info-stealing malware to unsuspecting users downloading the title.
## Overview of the Breach
According to threat intelligence firm Prodaft, the initial breach was executed on July 22, when EncryptHub injected the HijackLoader malware (identified as CVKRUTNP.exe) into the Chemia game files. This malware establishes persistence on the infected device and subsequently downloads the Vidar infostealer (v9d9d.exe).
Prodaft’s investigation revealed that the HijackLoader retrieves its command-and-control (C2) address via a Telegram channel, allowing the threat actors to maintain control over the infected systems.
### Dual Malware Deployment
Just three hours after the initial infection, a second malware family, Fickle Stealer, was introduced into Chemia through a trojanized Dynamic Link Library (DLL) named cclib.dll. Using a PowerShell script (‘worker.ps1’), this stage fetches its primary payload from soft-gets[.]com.
Fickle Stealer is particularly concerning because it harvests sensitive information from web browsers, including account credentials, auto-fill data, cookies, and cryptocurrency wallet information, making it a potent tool for cybercriminals seeking to monetize personal data.
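The chain described above (HijackLoader dropped as CVKRUTNP.exe, the trojanized cclib.dll, the worker.ps1 stager and the soft-gets[.]com download) gives a defender a small set of file and domain indicators to hunt for. The following is an added detection example, not code from the Prodaft or BleepingComputer reports; it assumes Sysmon-style JSON events (ids 1, 7 and 22) and uses constructed sample lines rather than real telemetry.

```python
import json

# Indicators named in the report above: dropped binaries, the trojanized DLL,
# the PowerShell stager and the payload domain (defanged in the article text).
IOC_BASENAMES = {
    "cvkrutnp.exe": "HijackLoader",
    "v9d9d.exe": "Vidar",
    "worker.ps1": "Fickle Stealer stager",
    "cclib.dll": "Fickle Stealer DLL",
}
IOC_DOMAINS = {"soft-gets.com": "Fickle Stealer payload host"}

# Constructed Sysmon-style JSON lines (1 = process create, 7 = image load,
# 22 = DNS query); illustrative only, not telemetry from the real incident.
SAMPLE_LOG = r"""
{"ts": "10:00:05", "host": "pc1", "id": 1, "image": "C:\\Users\\u\\AppData\\Local\\Temp\\CVKRUTNP.exe", "parent": "Chemia.exe"}
{"ts": "10:01:10", "host": "pc1", "id": 7, "image": "C:\\Games\\Chemia\\Chemia.exe", "loaded": "C:\\Games\\Chemia\\cclib.dll"}
{"ts": "10:01:12", "host": "pc1", "id": 1, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell -f C:\\Games\\Chemia\\worker.ps1"}
{"ts": "10:01:15", "host": "pc1", "id": 22, "image": "powershell.exe", "query": "soft-gets.com"}
{"ts": "10:30:00", "host": "pc2", "id": 1, "image": "C:\\Games\\Chemia\\Chemia.exe", "parent": "steam.exe"}
"""

def basename(path):
    """Lower-cased final path component, accepting either slash style."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def scan_events(log_text):
    """Return (host, ts, label, indicator) for every event touching an IoC."""
    hits = []
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        # Fields that can carry a file path: the image, a loaded DLL, and every
        # token of the command line (catches 'powershell -f ...\worker.ps1').
        candidates = [ev.get("image", ""), ev.get("loaded", "")]
        candidates += ev.get("cmdline", "").split()
        for path in candidates:
            name = basename(path)
            if name in IOC_BASENAMES:
                hits.append((ev["host"], ev["ts"], IOC_BASENAMES[name], name))
        query = ev.get("query", "").lower()
        if query in IOC_DOMAINS:
            hits.append((ev["host"], ev["ts"], IOC_DOMAINS[query], query))
    return hits

def hosts_with_chain(hits, min_stages=2):
    """Hosts where at least min_stages distinct stages were observed: one
    file-name match may be a false positive, several in sequence rarely are."""
    stages = {}
    for host, _ts, label, _ioc in hits:
        stages.setdefault(host, set()).add(label)
    return sorted(h for h, s in stages.items() if len(s) >= min_stages)
```

Running `hosts_with_chain(scan_events(SAMPLE_LOG))` on the constructed lines returns only `pc1`, the host that shows the loader, the DLL, the stager and the DNS lookup; `pc2`, which merely launched the game, is not flagged.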
### Profile of EncryptHub
EncryptHub’s modus operandi is alarming for several reasons. The group was responsible for a large-scale spear-phishing campaign last year that compromised over 600 organizations globally, and it shows an unusual duality in its activities: it has been linked to malicious exploitation of Windows zero-day vulnerabilities while also responsibly disclosing critical vulnerabilities to Microsoft.
The Prodaft report notes, “The compromised executable appears legitimate to users downloading from Steam, creating an effective social engineering component that relies on platform trust rather than traditional deception techniques.” This highlights the sophisticated nature of EncryptHub’s tactics, exploiting legitimate channels to propagate malicious software.
## Undetected Malicious Activity
Prodaft’s analysis indicates that despite the presence of malware, gameplay performance remains unaffected, leaving gamers unaware of the underlying compromise. It remains unclear how the hackers managed to infiltrate the game’s development environment; however, insider involvement is a plausible theory. As of now, the developer of Chemia has not issued any official statements regarding the security breach on their Steam page or social media.
### Impact and Safety Concerns
BleepingComputer has reached out to both the Chemia developers and Valve for comments but has yet to receive a response. In the interim, the game remains available for download on Steam, raising concerns about whether the latest version is free of malware or continues to pose a risk. Until Steam provides official clarification, it is advisable for users to refrain from downloading the game altogether.
This incident marks the third occurrence of malware infiltration on Steam this year. Previous cases involved the titles ‘Sniper: Phantom’s Resolution’ in March and ‘PirateFi’ in February. Notably, all compromised titles were offered as early access games rather than stable releases, which may suggest inadequacies in Steam’s review processes for these projects. Hence, users should exercise heightened caution when downloading incomplete or ‘work-in-progress’ titles.
### Indicators of Compromise
For those concerned about potential infections, indicators of compromise related to this EncryptHub attack are being made available through cybersecurity channels, providing essential information for threat detection and response.
By remaining vigilant and informed about the latest cybersecurity threats, users can better protect themselves against malicious attacks in the gaming environment and beyond.