Security Threat Detected in BlockBlasters
Gamers have been advised to exercise caution after malware was found in a patch for BlockBlasters. The 2D platformer-shooter, developed by Genesis Interactive, has been pulled from Steam after reports that the August 30 patch, identified as Build 19799326, contained multi-stage information-stealing malware.
Security firm G DATA reported that the patch kicked off a multi-stage attack chain beginning with a batch script named game2.bat. The script collects the victim's IP geolocation, Steam login credentials, and a list of installed antivirus products, then uploads the gathered data to a command-and-control (C2) server at 203.188.171.156:30815/upload.
Malware Analysis and Behavior
The chain only advances when the script determines that Windows Defender is the sole active antivirus product; on such hosts it unpacks password-protected archives containing additional payloads (the password protection keeps the archive contents out of reach of static scanning). The batch script then launches two Visual Basic script files, launch1.vbs and test.vbs, which collect information about installed browser extensions and extract data from local cryptocurrency wallets, sending the results to the same C2 server.
A subsequent script, 1.bat, adds the game's binary subdirectory to the Microsoft Defender exclusion list so that anything dropped there runs unscanned. It then executes further payloads while launching the legitimate game, so the player sees nothing unusual. Two binaries, Client-built2.exe and Block1.exe, have been identified as the main payloads: a compiled-Python backdoor and a C++ variant of the StealC stealer that targets browser data from Microsoft Edge and Brave.
Impact and Actions Taken
The incident has caused significant concern in the gaming community, particularly because telemetry from SteamDB and Gamalytic indicates that over 100 players downloaded the infected patch. The game typically had 1–4 concurrent players in early September, and the infection even reached a streamer during a charity livestream.
In response, Steam flagged BlockBlasters as suspicious and removed it from the store. Security experts advise affected players to remove the game immediately, run a full antivirus scan, and monitor their cryptocurrency wallets and online accounts closely for unauthorized activity.
Recommendations for Gamers
Anyone who installed the August 30 build should assume exposure and rotate the credentials the stealer targets: the Steam account, browser-saved passwords, and any wallet whose keys were stored on the machine. Players who suspect they have been targeted should also check for the known indicators of compromise, namely the files game2.bat, launch1.vbs, test.vbs, and 1.bat, the binaries Client-built2.exe and Block1.exe, an unexpected Defender exclusion covering the game's install directory, and network connections to 203.188.171.156.
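The following is an added example, not tooling from G DATA, Valve, or Genesis Interactive, that turns the indicators above into an offline triage check. It sweeps a directory for the named scripts and binaries, flags Defender exclusion paths that point into a Steam game install (the trace 1.bat leaves behind), and scans firewall or proxy log lines for the reported C2 address. The Steam directory layout, the key=value log format, and all sample data are assumptions constructed for the demonstration; on a live Windows host the exclusion list would come from `(Get-MpPreference).ExclusionPath` and the log lines from whatever egress logging is in place.

```python
"""Offline triage helper for the BlockBlasters indicators (added example).

Three evidence sources are checked:
  1. file names on disk against the scripts and binaries named in the analysis,
  2. Microsoft Defender exclusion paths that point into a Steam game install,
  3. proxy/firewall log lines that record a connection to the reported C2 host.
The Steam layout, the log format and the sample data are assumptions made for the demo.
"""
import os
import re
import tempfile

# File-name indicators quoted in the analysis (compared case-insensitively)
FILE_IOCS = {"game2.bat", "launch1.vbs", "test.vbs", "1.bat",
             "client-built2.exe", "block1.exe"}

# C2 host quoted in the analysis (the upload endpoint was port 30815)
C2_HOST = "203.188.171.156"

# Assumed key=value log format, e.g. "... dst=203.188.171.156:30815 ..."
LOG_RE = re.compile(r"\bdst=(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\b")


def find_ioc_files(root):
    """Walk root and return every path whose file name is a known indicator."""
    hits = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            if name.lower() in FILE_IOCS:
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def suspicious_exclusions(exclusions, marker=r"steamapps\common"):
    """Return Defender exclusion paths that sit inside a Steam game install.

    A legitimate game has no reason to be excluded from scanning; 1.bat adds
    such an exclusion so its payloads run unscanned. The marker reflects the
    default Steam layout (an assumption); slashes are normalised before matching.
    """
    def norm(p):
        return p.replace("/", "\\").lower()
    return [e for e in exclusions if norm(marker) in norm(e)]


def c2_connections(log_lines):
    """Return log lines whose destination IP is the reported C2 host (any port)."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and m.group("ip") == C2_HOST:
            hits.append(line.strip())
    return hits


def triage(root, exclusions, log_lines):
    """Run all three checks; 'infected' is True if any of them fires."""
    result = {
        "files": find_ioc_files(root),
        "exclusions": suspicious_exclusions(exclusions),
        "network": c2_connections(log_lines),
    }
    result["infected"] = any(result[k] for k in ("files", "exclusions", "network"))
    return result


# ---- constructed sample data (not real telemetry) ----
def build_sample_tree():
    """Create a throwaway directory that mimics an infected game folder; returns its path."""
    root = tempfile.mkdtemp(prefix="blockblasters_demo_")
    bins = os.path.join(root, "BlockBlasters", "bin")
    os.makedirs(bins)
    for name in ("BlockBlasters.exe", "game2.bat", "launch1.vbs", "Block1.exe"):
        with open(os.path.join(bins, name), "w") as f:
            f.write("placeholder\n")  # content is irrelevant; only names are checked
    return root


SAMPLE_EXCLUSIONS = [
    r"C:\Program Files (x86)\Steam\steamapps\common\BlockBlasters\bin",  # what 1.bat would add
    r"C:\Users\dev\source\build",                                         # benign developer exclusion
]

SAMPLE_LOG = [
    "2025-09-02T18:03:11Z src=10.0.0.7 dst=203.188.171.156:30815 proto=tcp action=allow",
    "2025-09-02T18:03:12Z src=10.0.0.7 dst=23.201.18.5:443 proto=tcp action=allow",
    "2025-09-02T18:03:13Z src=10.0.0.7 dst=203.188.171.156:443 proto=tcp action=allow",
]

if __name__ == "__main__":
    sample_root = build_sample_tree()
    for key, value in triage(sample_root, SAMPLE_EXCLUSIONS, SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The network check deliberately matches on host alone rather than host and port: once an address is a confirmed C2, any connection to it is worth a look, and the stealer's second-stage components are not guaranteed to reuse the upload port. The exclusion check is the one most worth running on every Steam machine in a fleet, since a Defender exclusion under steamapps\common has no legitimate reason to exist.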