Trojan Detected in BattleTech Game Downloaded via Steam


Recommended Posts

This morning I was downloading BattleTech, a game made by Harebrained Schemes studio and published by Paradox Interactive. I was downloading the game via Steam directly, rather than any direct link download.

While the game was installing, ESET popped up a detection warning on one of the files as it was being downloaded by Steam. I wasn't able to screenshot it before the notice faded away, but it tagged a file EventEditor.exe as a malicious trojan ML/Augur.

When I check the detection log, I see the following:

Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
5/24/2023 7:33:17 AM;Real-time file system protection;file;D:\Steam\steamapps\downloading\637090\BattleTech_Data\StreamingAssets\editors\EventEditor.exe;ML/Augur trojan;cleaned by deleting;[System and user name redacted];Event occurred on a file modified by the application: D:\Steam\steam.exe (C821F111DE338D589627899951E39620F22E4BA9).;0EF5E53D06EEB83310D694B243E2A1F2E9F135E3;5/24/2023 7:31:09 AM

I have since submitted the file for analysis via the quarantine pane of ESET.

I'm currently running a full system scan, but I find this highly concerning. Does this mean that Steam has become infected and is serving malicious files via downloaded games? The log language seems to indicate that Steam was trying to maliciously modify a file.

Another thing that worries me is that I've downloaded this game before, months ago. ESET had no issues with it then. I since deleted the game, and just this morning tried re-downloading.

Any help would be desperately appreciated.

I'm running ESET 16.1.14.0 on Detection Engine 27289P, on Windows 10 22H2 Build 19045.2965


6 minutes ago, Tetranitrocubane said:

Does this mean that Steam has become infected and is serving malicious files via downloaded games?

I assume Steam per se is OK. It is the BattleTech game download from the Steam store that has a suspicious file within it that Augur has detected.

Have you tried to download the game from the author's web site: https://www.battletech.com/ ?


Just now, itman said:

I assume Steam per se is OK. It is the BattleTech game download from the Steam store that has a suspicious file within it that Augur has detected.

Have you tried to download the game from the author's web site: https://www.battletech.com/ ?

No, I haven't. The Battletech game on the website you provided is the tabletop RPG. The only things available for purchase there are source books. The game available via Steam is an electronic adaptation of the game.

Additionally, sadly when a game is purchased via Steam, the license is only ever good through Steam, and not any alternative platform.

Is there risk here?


13 minutes ago, Tetranitrocubane said:

Is there risk here?

Best to wait for Eset to confirm if it was an Augur FP detection or not.


3 minutes ago, itman said:

Best to wait for Eset to confirm if it was an Augur FP detection or not.

Good advice. Do you know how to check for confirmation? Will that be sent via email? Or posted here?


Further update to add to this:

It seems like Steam downloads assets to the "Steam\steamapps\downloading\" folder, before moving those files to the game folder proper.

Somehow, the EventEditor.exe file still wound up in the game files directory, despite ESET catching and deleting it in the downloads folder? The hash of this file seems markedly different, though. Here's a virustotal link to the GAME DIRECTORY file. ESET seems to have zero issues with it. The hash of this file also seems different from what ESET reports it deleted from "Steam\steamapps\downloading\", which was 0EF5E53D06EEB83310D694B243E2A1F2E9F135E3.


17 minutes ago, Tetranitrocubane said:

Here's a virustotal link to the GAME DIRECTORY file. ESET seems to have zero issues with it. The hash of this file also seems different from what ESET reports it deleted from "Steam\steamapps\downloading\", which was 0EF5E53D06EEB83310D694B243E2A1F2E9F135E3.

The file you uploaded to VT could not be identified by VT. It certainly is not an executable. Looks like the file is corrupted.


4 minutes ago, itman said:

The file you uploaded to VT could not be identified by VT. It certainly is not an executable. Looks like the file is corrupted.

Wow, now that you mention it, you're right. Excellent point. That's SUPER strange.

Maybe a consequence of Steam trying to migrate/copy the file from the download staging area to the game directory while ESET deleted the file? Or something more nefarious?

I'm not sure. I'm just supremely anxious.


Further update: Apparently these game files haven't been changed for over two years. The game hasn't received a patch since late 2020, meaning this file should effectively be the same as it has been for a long while.

The only thing I can think of is that either updated detections from ESET are overzealous on this, or else Steam is infected and is maliciously modifying downloaded files with nefarious intent. Steam seems to be fine according to a scan, though I suppose if a system is compromised, that doesn't mean much.

Edited by Tetranitrocubane

Don't assume Steam store downloads are safe in spite of their 100% malware free guarantee. A few examples to the contrary here:

https://threatpost.com/steam-gaming-delivering-malware/166784/

https://www.bleepingcomputer.com/news/security/new-malware-steals-steam-epic-games-store-and-ea-origin-accounts/


Those are incredibly disturbing articles, and highlight my own misplaced trust in Steam.

I appreciate your sharing them. It feels as if this could be a legitimately malicious file that Steam was serving.


15 minutes ago, Tetranitrocubane said:

I have no idea what is going on at this point.

I do. Whatever was downloaded to your PC is not a legit version of EventEditor.exe.

You might contact Steam and present them with these events. At the minimum, get a SHA1 hash for the current legit version of EventEditor.exe from them. That can be compared against the hash from the Eset detection log entry.


Comparing SHA1 hashes to other people who legitimately and previously downloaded this game confirms the hash doesn't match.

Legit hash: 27f111c3a6a7d9fb2ac9531f3d8118e072cca33e

Suspicious hash: 0EF5E53D06EEB83310D694B243E2A1F2E9F135E3

I appreciate what you are saying, but trying to contact Steam is futile. They do not respond to these requests or inquiries. 


Interesting development in this story:

I sent the flagged EXE to a friend of mine, who had a theory.

Opening the legitimate EXE in a hex editor, and comparing it to the flagged EXE opened in that same hex editor, revealed something interesting: the files are identical to a point. Then the flagged file becomes nothing but zeros for the rest of the file.

After hex code 001FFFF0, the flagged file becomes nothing but zeros for the rest of the file.


The legit file has identical data for 001FFFF0 and prior:


Is it possible Steam might've downloaded only a partial file, and that somehow got flagged?


Backing up a bit, another theory.

Refer back to the Eset Detection log entry. Notice the activity flagged was steam.exe modifying EventEditor.exe. Now I checked the hash shown for steam.exe at VT and it's clean. However, it could be that something injected steam.exe memory while executing, and that something is what attempted to modify the EventEditor.exe download. Augur stopped the modification while in-process, which would account for the binary zeros you observed in the EventEditor.exe copy in Eset quarantine. This "smells" like malware process hollowing activity which, in stage one, clears a portion of process memory while it's in a suspended execution state, and then injects the malware code in the previously cleared memory space. In this instance however, the modified process wasn't executed but rather would've been saved to disk.

If my above theory is correct, it's almost impossible to determine what injected steam.exe memory since Eset didn't detect that activity. Also, given the "flakey" things Steam does, it remains to be determined if the above activity is actually malicious.

What Eset needs to do is repeat the whole Steam download process in a sand-boxed/virtual environment and determine if this activity is malicious.

Edited by itman

10 minutes ago, itman said:

Backing up a bit, another theory.

Refer back to the Eset Detection log entry. Notice the activity flagged was steam.exe modifying EventEditor.exe. Now I checked the hash shown for steam.exe at VT and it's clean. However, it could be that something injected steam.exe memory while executing, and that something is what attempted to modify the EventEditor.exe download. Augur stopped the modification while in-process, which would account for the binary zeros you observed in the EventEditor.exe copy in Eset quarantine. This "smells" like malware process hollowing activity which, in stage one, clears a portion of process memory while it's in a suspended execution state, and then injects the malware code in the previously cleared memory space.

If my above theory is correct, it's almost impossible to determine what injected steam.exe memory since Eset didn't detect that activity.

I'm torn. Itman, that sounds like a theory I hadn't considered, and is plausible. 

Though I will note: On a redownload of the game, I went into the download directory early on in the download process, and found EventEditor.exe in the path ESET had previously flagged. When I examined THIS file, it was ALL zeros. Steam proceeded to download the legitimate file, that matched previous SHA-1 hashes. ESET didn't make a peep this time around.

Steam pre-allocates files before beginning downloads, so there's a chance that the reason the flagged file has all those zeros is that Steam downloaded a portion, then stopped, then ESET scanned it.

However, I cannot verify that.

What course of action would you recommend from here? I have done a full system scan. It has come back negative. But if your theory is correct, whatever is trying to do this injection is already invisible to ESET.


10 minutes ago, Marcos said:

The file doesn't run so it's likely corrupt as you assumed.


Thank you for verifying, Marcos! 

Do you have any idea why this file would be flagged in the manner it was? If it's not too much trouble, could I ask for your risk assessment of this situation? 

Edited by Tetranitrocubane
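The byte-level comparison described above (identical up to an offset, zeros after it) and the pre-allocation explanation in the later reply can both be checked mechanically. The following is an added example, not code from this thread, ESET or Steam: the "legit" bytes, the cutoff offset and the flagged copy are constructed stand-ins, and on a real system the two files would be read from disk instead.

```python
import hashlib

# Constructed sample data (not the real EventEditor.exe): a "legit" blob with no
# zero bytes, and a copy whose tail is zero-filled from a constructed cutoff,
# mimicking a pre-allocated download that stopped early (the thread saw 0x1FFFF0).
LEGIT = bytes(range(1, 256)) * 17
CUTOFF = 0x800
FLAGGED = LEGIT[:CUTOFF] + b"\x00" * (len(LEGIT) - CUTOFF)

def sha1_hex(data: bytes) -> str:
    """SHA-1 hex digest, the form used in the ESET log and the thread's hash check."""
    return hashlib.sha1(data).hexdigest()

def first_divergence(a: bytes, b: bytes) -> int:
    """Offset of the first differing byte; -1 if identical. If one input is a
    prefix of the other, the shorter length is returned."""
    n = min(len(a), len(b))
    for i in range(n):
        if a[i] != b[i]:
            return i
    return -1 if len(a) == len(b) else n

def zero_tail_start(data: bytes) -> int:
    """Offset where the trailing run of 0x00 bytes begins (len(data) if none)."""
    i = len(data)
    while i > 0 and data[i - 1] == 0:
        i -= 1
    return i

def classify(legit: bytes, flagged: bytes) -> dict:
    """Compare a known-good file with a flagged one. An identical prefix followed
    by zeros to the end, at the same total size, is what a pre-allocated and only
    partially written download looks like; anything else is a real difference."""
    div = first_divergence(legit, flagged)
    tail = zero_tail_start(flagged)
    return {
        "legit_sha1": sha1_hex(legit),
        "flagged_sha1": sha1_hex(flagged),
        "same_hash": sha1_hex(legit) == sha1_hex(flagged),
        "first_divergence": div,
        "zero_tail_start": tail,
        # nothing written yet: the all-zero file seen early in the re-download
        "all_zero_placeholder": len(flagged) > 0 and tail == 0,
        # identical prefix, zeros from the divergence onward, full size reserved
        "looks_like_partial_preallocated": len(legit) == len(flagged) and 0 < div and tail <= div,
    }

if __name__ == "__main__":
    print(classify(LEGIT, FLAGGED))
```

A flagged copy that diverges with non-zero bytes, or at a different total size, fails the pre-allocation pattern and deserves the closer look the thread gives it.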

1 minute ago, Tetranitrocubane said:

Do you have any idea why this file would be flagged in the manner it was? If it's not too much trouble, could I ask for your risk assessment of this situation? 

I edited my last post to include:

12 minutes ago, itman said:

Also, given the "flakey" things Steam does, it remains to be determined if the above activity is actually malicious.

What Eset needs to do is repeat the whole Steam download process in a sand-boxed/virtual environment and determine if this activity is malicious.



Two more interesting things I noticed in the ESET logs.

First, when I scanned the un-quarantined EventEditor, it did register as malicious directly. It recognized it as ML/Augur trojan, again. So it seems that ESET does take exception to this file specifically, not just what potentially was being injected into Steam.exe at the time, and was prevented.


Second, I noticed in the Event logs that ESET uploaded a file from my computer, "UnityPlayer.dll", to ESET. I did not submit this file, nor was I notified of a suspicious file on my system that ESET was automatically uploading. I've never seen this before and there are no other examples of it in the logs.

"Time;Component;Event;User
5/24/2023 11:48:28 AM;ESET Kernel;File 'UnityPlayer.dll' was sent to ESET Virus Lab for analysis.;SYSTEM"

This time would have coincided with the second download of BattleTech from Steam.


Since it appears you have a legit copy of EventEditor.exe in your possession, you could try copying it to the associated Steam download directory. Then test if the game can be installed and if it runs correctly.


I managed to get the legit copy by deleting the previous install and redownloading from Steam. The second time it downloaded, no detections. The game installs and launches fine after the redownload.

Not sure if the "UnityPlayer.dll" submission was from the redownload or not - there was not a path provided by ESET.


ESET is now sending multiple files to the ESET Virus Lab without explanation or notification. Again, ESET has never done this before.

It seems to be sending its own SysInspector logs for some reason? The timing makes zero sense. I was not accessing SysInspector or these files at the time of submission.

Could this be related to what's going on? Why is ESET flagging and sending things suddenly? These are files that have been around for some time.


Edited by Tetranitrocubane