Kaspersky researchers have discovered an active malware distribution campaign that abuses Steam Workshop and Wallpaper Engine, popular applications on Steam that allow users to create and share animated wallpapers for computers.
The research team identified many malware-infected wallpaper packages with thousands of downloads. The main targets of this campaign are Steam users in China and Russia, as well as victims in Singapore, Hong Kong (China), Germany, Vietnam, India and Canada. The attackers' goal is to steal game accounts and deploy other types of malware on victims' devices.
Steam Workshop is an integrated feature on the Steam platform, allowing users to easily search, install and manage content created by the community such as mods, custom maps, game objects and device wallpapers. Meanwhile, the Wallpaper Engine application supports many different wallpaper formats, including videos, interactive scenes, websites and applications.
Support for application-style wallpapers allows programs to run directly on the user's Windows computer. This inadvertently creates an opening for attackers to spread malware disguised as legitimate content. Kaspersky has discovered dozens of malware-infected wallpaper packages posted on Steam Workshop. Many of these packages have recorded thousands, even tens of thousands, of downloads.

Attackers use two main methods of spreading malware. The first is to embed malicious executable files, DLL libraries, and scripts directly in the wallpaper package. In other cases, the malware is hidden in a password-protected compressed file, with the password placed in the file name or a configuration file. After the wallpaper is installed, the malware is automatically activated and executed.
These high-risk attacks are carried out by many different groups or individuals rather than a single group, and are not limited to a specific malware family. In many cases, Kaspersky has detected malicious wallpapers that spread information-stealing malware such as Lumma and Vidar, as well as RenEngine malware downloaders. Kaspersky's security solutions can now detect and block all types of malware related to this campaign.
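A defender can triage already-downloaded wallpaper packages for the two delivery methods described above. The following is an added example, not code from Kaspersky or from the original article: it assumes each subfolder of the given directory is one Workshop package, the script extension list and finding labels are assumptions, and encryption is determined only for ZIP files (7z and RAR archives are reported without checking for a password).

```python
# Added triage example, not Kaspersky's tooling; extension list and labels are assumptions.
import os
import sys
import zipfile

SCRIPT_EXTS = {".bat", ".cmd", ".ps1", ".vbs", ".wsf", ".hta"}
ARCHIVE_MAGIC = {b"7z\xbc\xaf\x27\x1c": "7z archive", b"Rar!\x1a\x07": "RAR archive"}

def is_pe(path):
    """True for an EXE or DLL, judged by its MZ and PE signatures rather than its name."""
    with open(path, "rb") as f:
        head = f.read(0x40)
        if len(head) < 0x40 or head[:2] != b"MZ":
            return False
        f.seek(int.from_bytes(head[0x3C:0x40], "little"))  # e_lfanew: offset of PE header
        return f.read(4) == b"PE\x00\x00"

def classify(path):
    """Return a finding label if the file matches a described delivery method, else None."""
    if is_pe(path):
        return "PE executable or DLL"
    if os.path.splitext(path)[1].lower() in SCRIPT_EXTS:
        return "script"
    if zipfile.is_zipfile(path):
        with zipfile.ZipFile(path) as z:
            if any(i.flag_bits & 0x1 for i in z.infolist()):  # bit 0 = encrypted member
                return "password-protected ZIP"
        return "ZIP archive"
    with open(path, "rb") as f:
        return ARCHIVE_MAGIC.get(f.read(6))  # both magics are six bytes long

def scan_workshop(root):
    """Map each package folder under root to a sorted list of (relative path, label)."""
    report = {}
    for pkg in sorted(os.listdir(root)):
        pkg_dir = os.path.join(root, pkg)
        hits = []
        for dirpath, _, files in os.walk(pkg_dir):
            for full in (os.path.join(dirpath, n) for n in files):
                reason = classify(full)
                if reason:
                    hits.append((os.path.relpath(full, pkg_dir), reason))
        if hits:
            report[pkg] = sorted(hits)
    return report

if __name__ == "__main__":
    for pkg, hits in scan_workshop(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(pkg, *(f"{reason}: {rel}" for rel, reason in hits), sep="\n  ")
```

Pass the folder that holds the downloaded wallpaper packages as the first argument; a finding is a reason to inspect the package, not proof that it is malicious.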
Mr. Maxim Starodubov, a cybersecurity expert at Kaspersky, commented: "Even reliable platforms can be exploited to spread malware. These attacks are based on user trust in content stored on legitimate ecosystems. Although most of the malware used is known in advance, this spread mechanism still helps hackers access a large number of potential victims through seemingly harmless content."
To protect users, Kaspersky experts offer the following advice:
Be careful when downloading any application, even from sources that are considered reliable.
Check the credibility and authenticity of the developer or content creator before installing any content shared by the community.
Use reputable security solutions to detect and prevent threats.
