A gamer raising money for his cancer treatment lost over $32,000 after downloading a game from Steam that had been secretly updated with crypto-draining malware. The gamer, who goes by the handle RastalandTV, had been livestreaming a fundraiser for his stage 4 high-grade sarcoma treatment. The game, a retro-styled 2D platformer named Block Blasters, had been listed on Steam for nearly two months and had several hundred positive reviews. The malicious update was pushed to the game on August 30, a month after its original release, turning a seemingly harmless game into a threat.
The attack came to light during RastalandTV’s livestream. The game, published by Genesis Interactive and offered as a free-to-play title, has since been removed from Steam. After losing the money, the gamer started a GoFundMe campaign to cover his medical costs; it is currently just over halfway to its goal. Some members of the crypto community also stepped in to help: crypto influencer Alex Becker reported that he sent RastalandTV $32,500 to a secure wallet to cover his losses.
Further investigation revealed that the gamer was not the only victim. According to crypto investigator ZachXBT, the attackers stole approximately $150,000 from 261 Steam accounts. The security group VXUnderground reported an even higher number of victims, 478, and published a list of the affected usernames, urging those users to change their passwords immediately. It is believed that the attackers deliberately targeted people who held large amounts of cryptocurrency and could be identified on Twitter, and then sent them invitations to try out the game.
Researchers have since been able to detail exactly how the malicious software worked. A group of researchers published a report detailing a batch script that first checked the victim’s computer before stealing their Steam login details and IP address, which it then uploaded to a command and control (C2) system. This allowed the attackers to take control of the victim’s account and steal their cryptocurrency.
Other researchers, such as GDATA’s Karsten Hahn, also documented a Python backdoor and a StealC payload used alongside the batch stealer. These additional components likely improved the attack’s chances of success and let the attackers steal a wider range of data and assets from their victims. This incident is a stark reminder of the risks of downloading seemingly safe software, even from reputable platforms.