Steam Community Profiles abused as C2 network in new WordPress malware infection campaign

[Image: Steam logo with game covers in the background. Image credit: Valve]

  • Malware hides payload in Steam Community comments
  • WordPress sites used to host backdoors
  • Nearly 2,000 sites compromised since July

Security researchers at GoDaddy have found a cheeky new malware campaign that uses comments posted by Steam Community accounts as command-and-control (C2) infrastructure.

Here is how the attack plays out: the attackers first find WordPress websites that are vulnerable or protected by weak credentials, and use them to host PHP malware somewhere in the site’s files; in the sample analyzed, it was found in a theme’s ‘functions.php’ file. The malware contains both a JavaScript injection component and a server-side backdoor.

Then, whenever a visitor loads the infected website, the malware contacts one of several Steam Community profiles and downloads the contents of the profile’s comments. On the surface these comments look harmless (if incoherent), but they also contain invisible Unicode characters that carry the actual payload.


“This encoding allows binary data to be embedded within normal-looking text. The visible characters serve as camouflage while the invisible characters carry the actual payload,” GoDaddy said.

The malware then extracts those invisible characters, converts them back into bits, and reassembles the original bytes. The researchers found that the recovered data contains an attacker-controlled URL, pointing to a domain that hosts a JavaScript file posing as a legitimate library.
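To make the encoding concrete, here is a small added example (not GoDaddy’s code and not the malware’s source) of how bytes can be hidden in zero-width Unicode characters inside an ordinary-looking comment, and how an analyst recovers them. The report does not say which code points the attackers used, so the two-character 0/1 alphabet, the cover text and the placeholder URL below are assumptions.

```python
# Added example: zero-width Unicode steganography as described in the article.
# The alphabet (U+200B = 0, U+200C = 1), the cover text and the URL are assumed
# for the demo; the report does not disclose the attackers' actual characters.
import re

ZERO = "\u200b"   # ZERO WIDTH SPACE      -> bit 0  (assumed alphabet)
ONE = "\u200c"    # ZERO WIDTH NON-JOINER -> bit 1  (assumed alphabet)
# Zero-width / format characters an analyst should strip or inspect in general.
INVISIBLE = re.compile("[\u200b\u200c\u200d\u2060\ufeff]")


def hide(payload: bytes, cover: str) -> str:
    """Interleave one hidden bit after each visible character of the cover text;
    any bits left over once the cover is exhausted are appended at the end."""
    bits = "".join(f"{b:08b}" for b in payload)
    out, i = [], 0
    for ch in cover:
        out.append(ch)
        if i < len(bits):
            out.append(ONE if bits[i] == "1" else ZERO)
            i += 1
    out.append("".join(ONE if b == "1" else ZERO for b in bits[i:]))
    return "".join(out)


def reveal(text: str) -> bytes:
    """Keep only the alphabet characters, rebuild the bit string, pack into bytes.
    This is the decoding step the malware performs on the downloaded comments."""
    bits = "".join("1" if ch == ONE else "0" for ch in text if ch in (ZERO, ONE))
    bits = bits[: len(bits) - len(bits) % 8]          # drop a trailing partial byte
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))


def visible(text: str) -> str:
    """What a human (or a naive moderator) sees: the text with invisibles removed."""
    return INVISIBLE.sub("", text)


def has_hidden_data(text: str, threshold: int = 8) -> bool:
    """Cheap triage heuristic: legitimate text rarely carries more than a couple of
    zero-width characters; a steganographic comment carries at least a byte's worth."""
    return len(INVISIBLE.findall(text)) >= threshold


if __name__ == "__main__":
    cover = "gg lads, rematch friday night?"                        # constructed cover text
    payload = b"https://cdn.example.invalid/jquery.min.js"         # placeholder C2 URL
    stego = hide(payload, cover)
    print("visible :", visible(stego))
    print("hidden  :", reveal(stego).decode())
    print("chars   :", len(cover), "visible +", len(stego) - len(cover), "invisible")
```

The heuristic in `has_hidden_data` is the one worth keeping: whatever the attackers’ exact alphabet, a comment that contains dozens of zero-width characters is not something a person typed, and the same count can be applied to any text a plugin or theme fetches from a third-party site before it is trusted.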

The malware then uses WordPress to load the attacker-controlled JavaScript on every frontend page, so every visitor’s browser downloads and runs it, infecting itself in the process.

The campaign therefore has two sets of targets: vulnerable WordPress websites and their visitors. Since uncovering the campaign in July last year, GoDaddy said it has found almost 2,000 compromised WordPress sites. Unfortunately, the research report stops short of describing what the malware does to visitors.

If you run a WordPress website, GoDaddy recommends checking for references to Steam Community URLs, external JavaScript injections, and outbound connections from WordPress to Steam.
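The following is an added example of that triage, not GoDaddy’s tooling: a small scanner that walks a WordPress install and flags the indicators listed above, plus runs of zero-width characters in server-side code. The file layout, the regular expressions, the list of “own” hostnames and the two sample `functions.php` files are constructed for the demo; the Steam profile path and CDN hostname in the sample are placeholders.

```python
# Added example: triage scan of a WordPress tree for the indicators the article
# names (Steam Community references, external script injection, outbound fetches)
# plus runs of zero-width Unicode in code. Sample files below are constructed.
import os
import re
import tempfile
from urllib.parse import urlparse

INVISIBLE_RUN = re.compile("[\u200b\u200c\u200d\u2060\ufeff]{8,}")
STEAM_REF = re.compile(r"https?://steamcommunity\.com/[^\s'\"]*", re.I)
OUTBOUND_FETCH = re.compile(r"\b(file_get_contents|curl_init|wp_remote_get|fsockopen)\s*\(", re.I)
# URL handed to wp_enqueue_script() or put in a raw <script src=...> tag.
SCRIPT_URL = re.compile(
    r"(?:wp_enqueue_script\s*\([^,]+,\s*|<script[^>]+src\s*=\s*)['\"](https?://[^'\"]+)['\"]",
    re.I)


def external_script_urls(text, own_hosts):
    """Script URLs whose host is not one the site legitimately serves from."""
    return [u for u in SCRIPT_URL.findall(text)
            if (urlparse(u).hostname or "").lower() not in own_hosts]


def scan_file(path, own_hosts):
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    hits = {}
    steam = STEAM_REF.findall(text)
    if steam:
        hits["steam_c2_ref"] = steam
    run = INVISIBLE_RUN.search(text)
    if run:
        hits["invisible_unicode"] = [f"{len(run.group())} zero-width chars in a row"]
    ext = external_script_urls(text, own_hosts)
    if ext:
        hits["external_js"] = ext
    fetch = OUTBOUND_FETCH.search(text)
    if steam and fetch:   # a Steam URL next to a fetch primitive = outbound C2 contact
        hits["outbound_to_steam"] = [fetch.group(1)]
    return hits


def scan_tree(root, own_hosts, exts=(".php", ".js", ".html")):
    """Map of relative path -> indicator hits for every flagged file under root."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(exts):
                path = os.path.join(dirpath, name)
                hits = scan_file(path, own_hosts)
                if hits:
                    report[os.path.relpath(path, root)] = hits
    return report


def build_sample_site():
    """Constructed demo tree: one clean theme and one carrying the indicators."""
    root = tempfile.mkdtemp(prefix="wp-demo-")
    clean = os.path.join(root, "wp-content", "themes", "clean")
    evil = os.path.join(root, "wp-content", "themes", "evil")
    os.makedirs(clean)
    os.makedirs(evil)
    with open(os.path.join(clean, "functions.php"), "w", encoding="utf-8") as fh:
        fh.write("<?php\n"
                 "wp_enqueue_script('theme-main', "
                 "'https://example.com/wp-content/themes/clean/main.js', array(), '1.0');\n")
    with open(os.path.join(evil, "functions.php"), "w", encoding="utf-8") as fh:
        fh.write("<?php\n// constructed sample, not real malware\n"
                 "$profile = 'https://steamcommunity.com/profiles/PLACEHOLDER/';\n"
                 "$page = file_get_contents($profile);\n"
                 "$blob = \"" + "\u200b\u200c" * 8 + "\";\n"
                 "wp_enqueue_script('jquery-migrate', "
                 "'https://cdn.example.invalid/jquery.min.js', array(), null);\n")
    return root


if __name__ == "__main__":
    for path, hits in scan_tree(build_sample_site(), {"example.com"}).items():
        print(path)
        for kind, values in hits.items():
            print(f"  {kind}: {', '.join(values)}")
```

Run it against a real install with `scan_tree("/var/www/html", {"yourdomain.example"})` (path and hostname are yours to substitute) and treat any `steam_c2_ref` or `outbound_to_steam` hit as a confirmed compromise to be cleaned from a known-good copy; `external_js` hits need a human look, since legitimate themes do load scripts from CDNs. The file scan will not catch an injection that lives only in the database (options or post content), so pair it with a search of `wp_options` and `wp_posts` for the same strings, and with egress logging for connections from the web server to `steamcommunity.com`.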

Via BleepingComputer




Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
