The developer of several popular mods for the Cities: Skylines city-building game has been banned after malware was discovered hidden in their products.
35k+ players were exposed to an auto-updater that planted a trojan that damaged performance for fellow ‘modders’ & Colossal Order employees.
The ‘modder,’ who goes by the handle ‘Chaos’ as well as ‘Holy Water,’ reportedly put an automatic updater into several mods that enabled the author to deliver malware to anybody who downloaded them.
Harmony
It started in 2021, when Chaos launched a “redesigned” version of Harmony: a core framework project that most Cities: Skylines mods rely on to work. The author went on to similarly rework other popular mods, & he listed his Harmony redo as a core download: thus, players would be forced to download it to get dependent mods to function.
An automatic updater was then found hidden in Chaos’ Harmony version – an updater that enabled the modder to deliver malware to the devices of those who downloaded it.
Malicious Code
Also, the author reportedly poisoned other mods with malicious code that affected gameplay, forcing players to download yet more tainted mods that Chaos had created as “solutions.”
According to a pinned post on the Cities: Skylines subreddit, some, but not all, of Chaos’ mods have been removed from the Steam Workshop, & the author’s accounts have been suspended.
Players Asked to Trash the Mods
The subreddit moderator who posted the warning on Sat. – kjmci – urged players to ‘scrub’ their systems of anything published by Chaos.
“We recommend in the strongest possible terms that you unsubscribe from all items published by this author & do not subscribe, download, or install any mods, from any source, which may be published by this individual in future,” stated the subreddit post.
Valve has reportedly ‘pulled’ some of the mods that feed into the automatic updater & has banned Chaos’ most recent accounts. However, as NME reports, the modder’s downloads now number circa 35,000, meaning that the devices of 10s of 1,000s of gamers have potentially been infected.
Chaos had developed several ‘forks’ – i.e., modified & reuploaded versions – of popular mods from well-known creators, including Harmony, Network Extensions and Traffic Manager: President Edition.
‘Poisoning’ the Code Chain
Mixing Harmony with malware is particularly nasty, given that it is one of the mods that Chaos “redesigned.” Chaos listed the modified version as a core download, i.e., a dependency that players would have to download in order for other dependent mods to work.
Among other functions, Harmony dishes out a patching library to mods that need it & hot-patches older Harmony versions – older versions that, states Steam’s community page, are still in use by various mods.
“Users install Harmony redesigned for a particular reason, suddenly they get errors in popular mods. The solution provided is to use Chaos’ versions,” kjmci told NME.
Automatic Updating Code
“Those versions gain traction & users, & people come across them instead of the originals & see Harmony redesigned, marked as a dependency. Users install Harmony redesigned with the automatic updating code bundled with it. Suddenly, you have 10s of 1,000s of users who have effectively installed a trojan on their computer.”
The automatic, malware-delivering updater was found concealed in Chaos’ version of Harmony, according to what kjmci told NME. The moderator opts for anonymity because they have been targeted by Chaos in the past, they told the publication.
Performance-Slaying Malware
As well as giving the trojan to unsuspecting players, Chaos also reportedly planted malicious code that targeted fellow modders & employees of the game’s developer, Colossal Order.
This particular type of malware damaged game performance, kjmci stated. The resulting ‘crummy’ game-play motivated users to download so-called “solutions” that Chaos advertised to help ‘clear up the issues.’
After fans’ complaints about the sluggish performance, the developers of the targeted mods investigated & discovered the malicious code.
Could Return
Just because Valve pulled Chaos’ accounts does not mean the modder will not return to spread more malware. As NME explained, a loophole in the workshop rules for Steam – Valve’s digital distribution service – could let the author keep working on mods from another account even if his current accounts stay banned.
Besides which, just because Chaos was banned does not mean that the damage is over. It could, in fact, get a lot worse, kjmci said: “What’s been implemented would let him cryptolock a bunch of machines, create a botnet (& DDoS his enemies?) or mine cryptocurrency.”
Distributed denial-of-service (DDoS) attacks are far from new in the gaming world. In Jan., for instance, a massive Minecraft tournament styled after the Netflix blockbuster Squid Game, known as “SquidCraft,” was hit by a DDoS attack that took down the sole (& state-owned) internet service provider in Andorra.
Supply Chain Attack
John Bambenek, Principal Threat Hunter at digital IT & security operations company Netenrich, noted that malware in games or in game mods – or even in pirated/cracked games – is a fairly common tactic, “one that often involves American & European actors.”
He explained that using a supply chain tactic to get into more victims is “a fairly new tactic,” but unsurprising, given that “our discussion of the potential massive risks of supply chain attacks has inspired new actors to adopt them.”
Consumer End User
Casey Bisson, Head of Product and Developer Relations at code & security provider BluBracket, outlined that this is a “classic software supply chain attack similar to what we’ve seen elsewhere,” the difference being how close it gets to the consumer end user.
“There’s lots of open source & commercially sourced software components that go into the apps & games on our mobile devices, but those supply chains are shorter & less complex relative to the components that can go into the software on servers or network devices,” Bisson suggested. “However ‘shorter & less complex’ supply chains are still vulnerable.
Unprotected
“Code is a vast & unprotected attack surface, & there’s no class of software that’s immune from attack. The more consumers feel these attacks on their personal mobile devices, the more they’ll demand protections.”
Companies can get ahead of consumer demands by implementing automated security practices to ensure product safety, he concluded.