malicious backdoor found in widely used game mod by Low Level [YouTube] (www.youtube.com)
from thingsiplay@beehaw.org to gaming@beehaw.org on 10 Nov 17:43
https://beehaw.org/post/16990597

Invidious, an alternative YouTube client in the browser without using YouTube directly (more private): inv.nadeko.net/watch?v=VH_8arwuRz8

Video Description:


This is why I don’t download game mods. Another backdoor has been found, this time in a popular mod for Cities: Skylines 2 by Paradox games. Check out what happened in this video.

reddit.com/r/antivirus/comments/1gh4qp0/popular_mod_for_a_game_may_have_been_malicious_no

#gaming

Telorand@reddthat.com on 10 Nov 18:36

Tldr: it’s a crypto wallet stealer.

Always be wary of unknown code. Check comments on sites like Nexus. Run installers through virus checks.

Poopfeast420@discuss.tchncs.de on 10 Nov 19:14

If I understand it correctly from the reddit post, this was a popular mod that you could get directly in-game, so probably available through the Steam Workshop or something. In that case you assume everything is fine and don’t really check out if there’s something wrong.

Telorand@reddthat.com on 10 Nov 19:31

Man, if that’s the case, that really sucks.

circuitfarmer@lemmy.sdf.org on 10 Nov 23:27

It is a CS2 mod – CS2 lacks Steam Workshop support. Paradox did not put it in, in favor of their own mod platform.

There was a lot of beef about the lack of workshop support, but it means it was on Paradox’s platform, if anything.

teawrecks@sopuli.xyz on 10 Nov 23:58

Wonder if Steam Workshop scans for this kind of thing, or if it would have otherwise been found quicker.

thingsiplay@beehaw.org on 11 Nov 00:17

This mod had some clever tricks to avoid detection by antivirus scanners. Not sure how deep and complex the Steam Workshop antivirus scanner goes (if any). Hard to say if they would have found and prevented it. However, all antivirus and other scanner software learned from this and now every malware using this technique could be detected instantly. At least in theory.

Poopfeast420@discuss.tchncs.de on 11 Nov 03:47

Steam has some basic scans, but nothing special. This kind of thing happened before, with mods and even games.

thingsiplay@beehaw.org on 11 Nov 03:50

I would assume so. Did this happen in Steam Workshop?

Poopfeast420@discuss.tchncs.de on 11 Nov 04:04

Yes. Apparently there were enough mods like this that someone made a list to unsubscribe from them:

steamcommunity.com/sharedfiles/filedetails/?id=27…

Also, this time it’s the first Cities: Skylines. I don’t know of any other games, but it wouldn’t surprise me.

FarceOfWill@infosec.pub on 11 Nov 09:49

There were rumours about one for RimWorld but I’m not sure if it was real or on Steam.

bekopharm@discuss.tchncs.de on 13 Nov 10:35

Heh, madlads :D Modern problems require modern solutions 👍

DarkThoughts@fedia.io on 10 Nov 19:47

At least name the mod.

Fitik@fedia.io on 10 Nov 20:43

What's the name of the mod?

theangriestbird@beehaw.org on 10 Nov 21:11

Paradox posted this the other day: paradoxinteractive.com/…/traffic-breach-statement

I think it’s just called “Traffic”? It’s still early days for CS2 mods, not that weird for a mod to have such a generic name.

Fitik@fedia.io on 10 Nov 21:47

Thanks for the info!