A Game on Steam is Being Used to Install Password-Stealing Malware

The free-to-play game PirateFi, which was listed on the Steam store, was distributing the Vidar infostealer to unsuspecting players. The game was live on the platform for nearly a week, from February 6th to February 12th, and approximately 1,500 users downloaded it.

What Happened?

Released by Seaworth Interactive, PirateFi initially garnered positive reviews as a survival game set in a low-poly world, featuring base building, weapon crafting, and food gathering. Earlier this week, however, Steam identified malware in the game, although the specific type was not disclosed.

Steam issued a notification stating, “The Steam account of the developer for this game uploaded builds to Steam that contained suspected malware.” Users who played PirateFi during the active period received warnings that malicious files may have executed on their systems.

Recommended Actions for Users

In light of this discovery, Steam has advised potentially impacted users to take immediate action. Recommended measures include:

  • Running a full system scan with an up-to-date antivirus program.
  • Checking for any unfamiliar software installations.
  • Considering a complete operating system reinstallation for enhanced security.
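As an added, defender-side illustration of the second recommendation (checking for unfamiliar software), the following PowerShell triage script is not from the article, from Steam or from the analyst quoted below. It lists programs whose registry InstallDate falls inside the February 6th to 12th window and searches common locations for the file names reported in the analysis further down, Pirate.exe and Howard.exe, hashing any match so it can be submitted to an antivirus vendor. The year (the article gives only month and day), the search roots and the output format are this script's own assumptions.

```powershell
# Added host-triage example, not part of the article. Assumptions: the date window
# (Feb 6-12) and the file names Pirate.exe / Howard.exe come from the article; the
# year, search roots and output format are this script's own choices.
param(
    [int]$Year = (Get-Date).Year   # assumption: the article gives month and day only
)

$WindowStart = (Get-Date -Year $Year -Month 2 -Day 6).Date
$WindowEnd   = (Get-Date -Year $Year -Month 2 -Day 12).Date.AddDays(1)   # exclusive
$Indicators  = @('Pirate.exe', 'Howard.exe')   # file names reported in the analysis

# 1. Programs whose registry InstallDate (yyyyMMdd text) falls inside the window.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$Culture = [System.Globalization.CultureInfo]::InvariantCulture
$RecentInstalls = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -and $_.InstallDate } |
    ForEach-Object {
        $d = [datetime]::MinValue
        if ([datetime]::TryParseExact([string]$_.InstallDate, 'yyyyMMdd', $Culture,
                [System.Globalization.DateTimeStyles]::None, [ref]$d) -and
            $d -ge $WindowStart -and $d -lt $WindowEnd) {
            [pscustomobject]@{
                Name        = $_.DisplayName
                Publisher   = $_.Publisher
                InstallDate = $d.ToString('yyyy-MM-dd')
                Uninstall   = $_.UninstallString
            }
        }
    }

# 2. Files carrying the reported names under the usual install, user and Steam paths.
#    The default Steam library location is an assumption; adjust for custom libraries.
$SearchRoots = @(
    $env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:LOCALAPPDATA, $env:APPDATA,
    $env:TEMP, "$env:USERPROFILE\Downloads",
    "${env:ProgramFiles(x86)}\Steam\steamapps\common"
) | Where-Object { $_ -and (Test-Path -LiteralPath $_) }

$FileHits = Get-ChildItem -Path $SearchRoots -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $Indicators -contains $_.Name } |
    ForEach-Object {
        [pscustomobject]@{
            Path      = $_.FullName
            SizeBytes = $_.Length
            Created   = $_.CreationTime
            SHA256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    }

# 3. Report. An empty result is not a clean bill of health: the article notes the
#    attacker changed the game files several times, so names alone are weak indicators.
$Last = $WindowEnd.AddDays(-1).ToString('yyyy-MM-dd')
Write-Host "Programs installed between $($WindowStart.ToString('yyyy-MM-dd')) and ${Last}:"
if ($RecentInstalls) { $RecentInstalls | Format-Table -AutoSize } else { Write-Host '  (none recorded)' }

Write-Host "Files matching reported names ($($Indicators -join ', ')):"
if ($FileHits) { $FileHits | Format-List } else { Write-Host '  (no matches)' }
```

Run it from an elevated PowerShell session so the HKLM keys and Program Files trees are readable; the recursive file walk over Program Files and the profile directories can take a few minutes. Treat any hit, or any unrecognised program in the window, as confirmation to follow the rest of the advice above (full scan or reinstall) together with the credential rotation the analyst recommends below, and keep the SHA256 values for your antivirus vendor or incident responder.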

Malware Analysis

Marius Genheimer from the SECUINFRA Falcon Team analyzed a sample of the malware linked to PirateFi and confirmed it as a variant of the Vidar infostealer. He cautioned, “If you downloaded this game, consider your credentials, session cookies, and secrets saved in your browser, email client, and cryptocurrency wallets compromised.” Users should change passwords for all potentially affected accounts and enable multi-factor authentication wherever possible.

The malware was disguised as Pirate.exe, with the actual payload (Howard.exe) packed inside it using the InnoSetup installer. Genheimer further noted that the threat actor modified the game files multiple times, applying different obfuscation techniques and changing the command-and-control servers used to receive the stolen credentials.

Intentional Targeting of Users

The inclusion of web3, blockchain, and cryptocurrency references in the PirateFi title appears to have been a strategic move to attract a specific player demographic, according to Genheimer.
