Article

Malicious mods: the Sims 4 infostealer threatens gamers’ security

Two characters playing surrounded with alarm notifications
Nadzreen Aqil
Nadzreen Aqil
|
Sep 10, 2024
|
4 min read

Overview

At the end of January 2024, a newly registered profile with a name very similar to that of a famous modder (Pimp­My­Sims4) uploaded a mod file to a mod community platform (Mod­The­Sims). This mod was claimed to be an updated version of a The Sims 4 game mod.

A few days later, a newly registered account on a different mod community platform (Curse­Forge) used another famous modder’s picture and uploaded the same mod, falsely claiming it was created by the famous modder (MSQSIMS). The file in both incidents was an old mod file and caused errors to the users, preventing them from running their game.

In only a few days after, MSQSIMS confirmed that their official page on The­Sims­Source had been hi­jacked long before they realized it, and a few of their mods were infected with malware. Other modders experiencing the same issues as MSQSIMS stepped forward, leading some major mod community platforms to close for a few days to clean up the infected files. The plat­form owners guaranteed that all infected files were removed, but there is no information on how the modders’ official pages were hijacked.

A member of the mod community released a tool to detect and remove the malicious files from infected machines. How­ever, users are advised to change their pass­words for any online accounts and update any important information, such as credit card numbers, that were saved on the infected machines.

Affected environment/user

The attack specifically targeted Windows machines, as the payload used to compile and upload the data was an .exe file. Some sources suggest that Debian-based Linux distributions could also be affected if they have Wine installed, a compatibility layer that allows these Linux distributions to run .exe programs.

The attack targeted The Sims 4 gamers who were using extra or customized features. The Sims4 developer team does not pre-screen, endorse, or specifically support any particular mod. Mod users are aware of the caution needed when using mods for the game, and the Sims4 developers have confirmed that they have a long tradition of supporting creativity in the community.

How malicious files spread in the wild

  1. Newly registered accounts — The attacker used newly registered accounts with names very similar to those of famous modders or used stolen pictures from official accounts on different platforms to pretend to be these well-known modders. They uploaded malicious mods, claiming them to be the most updated versions of the existing mods.

  2. Official page hijack — The attacker used hijacked official pages of famous modders. Several modders confirmed that their official pages were hijacked, and the attacker uploaded the malicious mod files using these official pages. There is no information on how the hijacker gained access to the official pages.

The flow of the attack

 

Details of the collected data

Extract data from Chromium-based browser (Chrome, Edge, Opera, Yandex)

  • Password

  • Credit cards

  • Cookies

  • History

  • Autofill information

Extract data from Gecko-based browser (Firefox, Waterfox, Palemoon)

  • Password

  • Cookies

  • History

Extract data from machine

  • Username

  • Computer name

  • Windows version

  • RAM capacity

  • UUID

  • GPU model

  • CPU model

  • Product key

  • IP

  • Country

Extract discord data (Auth token and Payment information)

  • Normal regular client (Stable released product)

  • PTB (Public test build)

  • Canary (Alpha test product)

  • Lightcord (Simple and Customizable client)

  • Browser (Opera, Chrome, Chrome Canary, Brave, Yandex, Edge)

Infecting discord

  • Bot automated chat

  • Data extraction

    • Telegram data

Steam data

  • Username and password

  • Files matching keywords (password, seed, mnemo, phrase, secret, account, etc..)

  • Crypto wallets

    • Exodus

    • Atomic

Does F-Secure detect the threat?

We do have coverage for the file related to the threats, the file that compile and upload the data from victim’s machine have been marked as malicious.

Conclusion

The Sims4 mod is an infostealer malware spread in the wild through game mods. The info­stealer was hidden in a .ts4script file, which TheSims4 game uses to load its game resources. When the game uses the infected file, it triggers its malicious behavior, starting to search for and compile important data on the infected machine. The compiled information is then uploaded to the attacker’s server, and it is highly likely that this data will be used for more targeted attacks in the future.

devices secured illustration

Protect every­thing you do online

Make staying safe online easy with one app that does it all.

total app on different devices

Protect everything you do online easily with F‑Secure Total

Protecting your digital life is easy with F‑Secure’s unrivaled protection, helping you and your family to stay safe against online scams, malware, identity theft, unsafe Wi-Fi networks and much more.

  • Stay safe when banking, browsing, and shopping online

  • Stop malware with top-rated antivirus software

  • Protect your personal data online and prevent ID theft

  • Create strong pass­words and store them in a secure vault

  • Safeguard your privacy with unlimited VPN

Read more about Total