UPDATED 06:00 EDT / JULY 24 2024

SECURITY

New PlugX RAT campaign distributed through USB drives targets Steam users

Researchers from security operations company Ontinue AG today are warning of a new PlugX Remote Access Trojan campaign that is targeting Steam users.

PlugX is a RAT malware family that has been around since 2008 and is used as a backdoor to control a victim’s machine. Once an infection takes place, an attacker can remotely execute a range of commands on the affected system.

Though initially delivered through phishing emails and deceptive files, a new variant that first emerged in February 2023 propagates via infected USB drives, marking a shift in strategy. The targeting has shifted as well: the operators of this PlugX variant have expanded from government entities to general users on platforms such as Steam.

The new variant, which is being actively used in the wild, relies on DLL side-loading as its core tactic: a legitimately signed executable is made to load an attacker-controlled DLL from its own directory, so the malicious code runs under the cover of a trusted binary. From the infected USB drive, an executable named “.exe”, signed by Beijing Hongdao Changxing International Trade Co. Ltd., is launched. Its execution drops steam_monitor.exe (signed by Valve) along with several other DLLs and executables. Most of these files serve only as obfuscation layers; a few perform the core malicious tasks.

The “.exe” file creates an autostart registry entry named “Steam Monitor” that runs crashhandler.dll at startup, keeping the malware active across reboots. The DLL then starts IDMan.exe, which connects to a malicious IP address for command-and-control and data theft. Additionally, steam_monitor.exe uses a Windows Error Reporting process to harvest stored browser credentials, so the theft blends in with a legitimate system process and is harder to detect.
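As an added example, not code from Ontinue or from this article, the PowerShell below hunts a Windows host for the persistence and side-loading pattern just described: an autostart value named “Steam Monitor” or referencing crashhandler.dll/IDMan.exe, a Valve-signed steam_monitor.exe sitting beside DLLs that Valve did not sign, and processes that currently have crashhandler.dll loaded. The indicator names come from the article; the choice of Run keys and search roots, the “Valve” signer-subject match and the output format are assumptions. Hits need manual review, since a Valve-signed binary next to third-party DLLs is a lead, not proof of compromise.

```powershell
# Added hunting script for the PlugX/Steam chain described above. It is not
# Ontinue's or SiliconANGLE's code. Indicator names (the "Steam Monitor" autostart
# value, crashhandler.dll, IDMan.exe, Valve-signed steam_monitor.exe) come from
# the article; the Run keys, search roots, signer-match heuristic and output
# shape are assumptions made for this example.

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

# Persistence check: a Run value named "Steam Monitor", or any Run value whose
# command references the DLL/EXE names from the write-up.
function Find-SteamMonitorPersistence {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $values = Get-ItemProperty -Path $key
        foreach ($v in $values.PSObject.Properties) {
            if ($v.Name -like 'PS*') { continue }   # provider metadata, not a Run value
            if ($v.Name -eq 'Steam Monitor' -or "$($v.Value)" -match 'crashhandler\.dll|IDMan\.exe') {
                [pscustomobject]@{ Key = $key; Name = $v.Name; Command = $v.Value }
            }
        }
    }
}

# Signer subject of a file, or "(unsigned)" when no certificate is attached.
function Get-SignerSubject([string]$Path) {
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
}

# Side-loading check: a Valve-signed steam_monitor.exe whose directory holds a
# DLL that is unsigned, invalidly signed, or signed by someone other than Valve.
# The signal is the signer mismatch, not the mere presence of the Valve binary.
function Find-SideLoadCandidates {
    param([string[]]$Roots = @($env:LOCALAPPDATA, $env:APPDATA, $env:ProgramData, $env:TEMP))
    foreach ($root in $Roots) {
        if (-not $root -or -not (Test-Path $root)) { continue }
        Get-ChildItem -Path $root -Recurse -File -Filter 'steam_monitor.exe' -ErrorAction SilentlyContinue |
            ForEach-Object {
                $exe = $_
                $exeSigner = Get-SignerSubject $exe.FullName
                # Assumption: Valve's signing certificate subject contains "Valve".
                if ($exeSigner -notmatch 'Valve') { return }
                Get-ChildItem -Path $exe.DirectoryName -File -Filter '*.dll' -ErrorAction SilentlyContinue |
                    ForEach-Object {
                        $dllSig    = Get-AuthenticodeSignature -FilePath $_.FullName
                        $dllSigner = if ($dllSig.SignerCertificate) { $dllSig.SignerCertificate.Subject } else { '(unsigned)' }
                        if ($dllSig.Status -ne 'Valid' -or $dllSigner -notmatch 'Valve') {
                            [pscustomobject]@{
                                Executable = $exe.FullName; ExeSigner = $exeSigner
                                Dll = $_.FullName; DllStatus = $dllSig.Status; DllSigner = $dllSigner
                            }
                        }
                    }
            }
    }
}

# Runtime check: processes that have crashhandler.dll loaded, plus any running
# IDMan.exe. Note that IDMan.exe is also the name of a legitimate download
# manager's process, so the reported path must be reviewed before acting.
function Find-RunningIndicators {
    Get-Process -ErrorAction SilentlyContinue | ForEach-Object {
        $proc = $_
        if ($proc.ProcessName -ieq 'IDMan') {
            [pscustomobject]@{ Pid = $proc.Id; Process = $proc.ProcessName; Module = $proc.Path }
        }
        try { $mods = $proc.Modules } catch { return }   # protected or other-bitness processes throw
        foreach ($m in $mods) {
            if ($m.ModuleName -ieq 'crashhandler.dll') {
                [pscustomobject]@{ Pid = $proc.Id; Process = $proc.ProcessName; Module = $m.FileName }
            }
        }
    }
}

Find-SteamMonitorPersistence | Format-Table -AutoSize
Find-SideLoadCandidates      | Format-Table -AutoSize
Find-RunningIndicators       | Format-Table -AutoSize
```

Run it from an elevated PowerShell session so that HKLM and other users' processes are readable; module enumeration of 32-bit processes from a 64-bit shell (or vice versa) is skipped rather than failing the whole sweep. Each finding is emitted as an object, so the three functions can be piped to Export-Csv or forwarded to a SIEM instead of printed.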

Chinese links

PlugX has been attributed in the past to alleged Chinese state-sponsored actors, and the same is believed to hold true for the new variant. However, it has been used by non-Chinese hacking groups as well, notable among them the allegedly Russian or Eastern European ransomware gang Black Basta.

The switch to targeting members of the public (civilians, as the researchers describe them) is claimed to be part of a broader effort to infiltrate environments where valuable information is accessible. The choice of Steam users follows from that: Steam is used by a very large number of people playing games online, which makes it a broad pool of potential victims.

Given the complexity and stealth features of the PlugX Steam variant, Ontinue’s researchers advise that robust security measures are required to protect against possible infiltrations. These include endpoint detection and response tools that identify and mitigate threats through behavioral analysis and anomaly detection, which matters here because the chain abuses legitimately signed binaries that signature-based controls will not flag on their own.

Companies are also advised to undertake regular security audits and penetration testing to uncover vulnerabilities and strengthen defenses. Enhancing user awareness and training on phishing attacks and safe USB practices should also be part of the mix.

Image: SiliconANGLE/Ideogram
