SteamHide Malware Description
SteamHide is a malware discovered by the researcher @miltinhoc. Currently, this powerful threat lacks functionality, but there are signs that it is under active development and could soon be unleashed in the wild. Once established on the targeted system, SteamHide first checks for VMWare and VBox by querying Win32_DiskDrive and terminates itself if a virtual machine is detected. Afterward, the malware checks for administrator rights and tries to escalate its privileges through cmstp.exe. Persistence is established via a Registry key at \Software\Microsoft\Windows\CurrentVersion\Run\BroMal.
Although SteamHide is incapable of harmful actions, it contains certain code segments that could be activated in the future. For example, the threat scans for Teams installations by trying to determine if SquirrelTemp\SquirrelSetup.log exists on the system. This method could possibly be expanded to scan for installed applications that could then be exploited. A peculiar SteamHide method allows the threat to send Twitter requests, a functionality that could easily be escalated and turned into a Twitter bot or expanded so that the threat could receive commands via Twitter.
Novel Distribution Mechanism
The SteamHide name describes the most distinguishing aspect of the malware - it abuses the Steam digital distribution platform to deliver payloads and to update itself. More specifically, the unsafe payloads are injected into the metadata of images used as Steam profile pictures. Hiding malware in this manner is certainly not something new, but the specific use of a gaming platform such as Steam is something unprecedented.
It should be noted that the malware doesn't require Steam to be installed on the targeted system. The gaming platform is merely used as storage hosting the payloads. The image itself is also completely inactive and incapable of performing any harmful actions. Instead, the delivery of the threats is delegated to an external component that accesses the weaponized Steam profile picture and then extracts, unpacks, and executes the hidden payload. The external threat could be dropped onto the targeted devices through the usual malware distribution channels such as phishing emails, compromised domains, etc.
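A defender-side check for the hosting technique described above, added here as an example and not code from the original article or from the researcher. It assumes the carrier image is a PNG (the article only says "image metadata"), walks the chunk list, and flags ancillary chunks far larger than normal metadata or bytes appended after IEND; the two sample files are constructed inline and are not real SteamHide artifacts.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
IMAGE_CHUNKS = {"IHDR", "PLTE", "IDAT", "IEND"}  # chunks that carry pixels, not metadata

def make_chunk(ctype: bytes, payload: bytes) -> bytes:
    """Build one PNG chunk: length, type, payload, CRC over type+payload."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)

def parse_png(data: bytes):
    """Walk the chunk list; return ([(type, length, offset)], bytes_after_IEND)."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos, chunks = len(PNG_SIG), []
    while pos + 12 <= len(data):  # smallest possible chunk is 12 bytes
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        chunks.append((ctype.decode("ascii"), length, pos))
        pos += 12 + length  # length field + type + payload + crc
        if ctype == b"IEND":
            break
    return chunks, max(0, len(data) - pos)

def metadata_findings(data: bytes, max_metadata: int = 4096):
    """Flag ancillary chunks larger than a metadata budget and data after IEND."""
    chunks, trailing = parse_png(data)
    findings = []
    for ctype, length, offset in chunks:
        if ctype not in IMAGE_CHUNKS and length > max_metadata:
            findings.append(f"oversized {ctype} chunk: {length} bytes at offset {offset}")
    if trailing:
        findings.append(f"{trailing} bytes appended after IEND")
    return findings

# Constructed samples (hypothetical, not real SteamHide images): a 1x1 grey PNG and the
# same image carrying an 8 KB iCCP chunk plus bytes appended after IEND.
_ihdr = make_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
_idat = make_chunk(b"IDAT", zlib.compress(b"\x00\x80"))
CLEAN_PNG = PNG_SIG + _ihdr + _idat + make_chunk(b"IEND", b"")
STUFFED_PNG = (PNG_SIG + _ihdr + make_chunk(b"iCCP", b"fake\x00\x00" + b"\xAA" * 8192)
               + _idat + make_chunk(b"IEND", b"") + b"\x4d\x5a" + b"\x00" * 64)

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_PNG), ("stuffed", STUFFED_PNG)):
        print(name, metadata_findings(blob) or ["no anomalies"])
```

The size budget is a heuristic: legitimate ICC profiles and EXIF blobs can exceed it, so treat a hit as a triage signal to be confirmed by inspecting the flagged bytes.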