Overview
At the end of January 2024, a newly registered profile with a name very similar to that of a famous modder (PimpMySims4) uploaded a mod file to a mod community platform (ModTheSims). This mod was claimed to be an updated version of a The Sims 4 game mod.
A few days later, a newly registered account on a different mod community platform (CurseForge) used another famous modder’s picture and uploaded the same mod, falsely claiming it was created by that modder (MSQSIMS). In both incidents the file was an old mod file that caused errors for users and prevented them from running the game.
Only a few days later, MSQSIMS confirmed that their official page on TheSimsSource had been hijacked long before they noticed, and that a few of their mods had been infected with malware. Other modders experiencing the same issues as MSQSIMS stepped forward, leading some major mod community platforms to close for a few days to clean up the infected files. The platform owners guaranteed that all infected files were removed, but there is no information on how the modders’ official pages were hijacked.
A member of the mod community released a tool to detect and remove the malicious files from infected machines. However, users are advised to change the passwords of any online accounts and to update any important information, such as credit card numbers, that was saved on the infected machines.
Affected environment/user
The attack specifically targeted Windows machines, as the payload used to compile and upload the data was an .exe file. Some sources suggest that Debian-based Linux distributions could also be affected if they have Wine installed, a compatibility layer that allows these Linux distributions to run .exe programs.
The attack targeted The Sims 4 gamers who were using extra or customized features. The Sims 4 developer team does not pre-screen, endorse, or specifically support any particular mod. Mod users are aware of the caution needed when using mods for the game, and the Sims 4 developers have confirmed that they have a long tradition of supporting creativity in the community.
How malicious files spread in the wild
Newly registered accounts — The attacker used newly registered accounts with names very similar to those of famous modders or used stolen pictures from official accounts on different platforms to pretend to be these well-known modders. They uploaded malicious mods, claiming them to be the most updated versions of the existing mods.
Official page hijack — The attacker used hijacked official pages of famous modders. Several modders confirmed that their official pages were hijacked, and the attacker uploaded the malicious mod files using these official pages. There is no information on how the hijacker gained access to the official pages.
The flow of the attack
Details of the collected data
- Data extracted from Chromium-based browsers (Chrome, Edge, Opera, Yandex)
  - Passwords
  - Credit cards
  - Cookies
  - History
  - Autofill information
- Data extracted from Gecko-based browsers (Firefox, Waterfox, Palemoon)
  - Passwords
  - Cookies
  - History
- Data extracted from the machine
  - Username
  - Computer name
  - Windows version
  - RAM capacity
  - UUID
  - GPU model
  - CPU model
  - Product key
  - IP
  - Country
- Discord data (auth token and payment information), from the following clients
  - Normal client (stable released product)
  - PTB (Public Test Build)
  - Canary (alpha test product)
  - Lightcord (simple and customizable client)
  - Browser (Opera, Chrome, Chrome Canary, Brave, Yandex, Edge)
- Infecting Discord
  - Bot-automated chat
  - Data extraction
- Telegram data
- Steam data
  - Username and password
- Files matching keywords (password, seed, mnemo, phrase, secret, account, etc.)
- Crypto wallets
  - Exodus
  - Atomic
Does F-Secure detect the threat?
We do have coverage for the files related to this threat; the file that collects and uploads the data from the victim’s machine has been marked as malicious.
Conclusion
The malicious Sims 4 mod is an infostealer spread in the wild through game mods. The infostealer was hidden in a .ts4script file, a file type that The Sims 4 game uses to load its game resources. When the game loads the infected file, the malicious behavior is triggered: it starts searching for and collecting important data on the infected machine. The collected information is then uploaded to the attacker’s server, and it is highly likely that this data will be used for more targeted attacks in the future.
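As an added defensive illustration (not the community tool mentioned above and not F-Secure’s detection), the following Python script triages .ts4script files in a Mods folder. It assumes that a .ts4script is a zip archive holding Python script files, flags any member that is not Python (such as an embedded .exe payload) and greps plain-text Python for a constructed list of indicator patterns; the sample archives and the indicator list are constructed for demonstration and a hit is a lead for analysis, not proof of malice.

```python
import io
import re
import zipfile
from pathlib import Path

# Member types a legitimate script mod is expected to contain.
ALLOWED_SUFFIXES = {".py", ".pyc"}
# Constructed heuristic indicators for plain-text Python inside a mod.
# Compiled .pyc members are only checked for type, not content.
SUSPICIOUS_PATTERNS = [
    re.compile(rb"\bsubprocess\b"),
    re.compile(rb"\bctypes\b"),
    re.compile(rb"\burllib\b|\brequests\b|\bsocket\b"),
    re.compile(rb"\.exe\b"),
    re.compile(rb"base64\.b64decode"),
]

def scan_ts4script_bytes(data: bytes) -> list:
    """Return a list of findings for one .ts4script archive given as bytes."""
    findings = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a zip archive"]
    for info in archive.infolist():
        if info.is_dir():
            continue
        suffix = Path(info.filename).suffix.lower()
        if suffix not in ALLOWED_SUFFIXES:
            findings.append(f"unexpected member: {info.filename}")
        if suffix == ".py":
            content = archive.read(info)
            for pat in SUSPICIOUS_PATTERNS:
                if pat.search(content):
                    findings.append(f"{info.filename}: matches {pat.pattern.decode()}")
    return findings

def scan_mods_folder(folder: str) -> dict:
    """Scan every .ts4script under a Mods folder recursively; path -> findings."""
    return {str(p): scan_ts4script_bytes(p.read_bytes())
            for p in Path(folder).rglob("*.ts4script")}

def build_sample(members: dict) -> bytes:
    """Construct an in-memory .ts4script (zip) from {name: bytes} for demos."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, body in members.items():
            z.writestr(name, body)
    return buf.getvalue()
```

Running `scan_mods_folder` over the game’s Mods directory prints one findings list per archive; an empty list means the archive contained only Python members with no indicator hits.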