‘Cities: Skylines’ Gaming Modder Banned Over Hidden Malware

35K+ players were exposed to an auto-updater that planted a trojan that choked performance for fellow modders and Colossal Order employees.

The developer of several popular mods for the Cities: Skylines city-building game has been banned after malware was discovered hidden in their wares.

The modder, who goes by the handle Chaos as well as Holy Water, reportedly tucked an automatic updater into several mods that enabled the author to deliver malware to anybody who downloaded them.

It started last year, when Chaos launched a “redesigned” version of Harmony: a core framework project that most Cities: Skylines mods rely on to work. The author went on to similarly rework other popular mods, and he listed his Harmony redo as a core download: in other words, players would be forced to download it to get dependent mods to work.

Infosec Insiders Newsletter

But an automatic updater was subsequently discovered, hidden away in Chao’s Harmony version – an updater that enabled the modder to deliver malware to the devices of those who downloaded it. As well, the author reportedly poisoned other mods with malicious code that bogged down game-play, forcing players to download yet more tainted mods that Chaos had created as “solutions.”

According to a pinned post on the Cities: Skylines subreddit, some, but not all, of Chaos’ mods have been removed from the Steam Workshop, and the author’s accounts have been suspended.

Players Urged to Trash the Mods

The subreddit moderator who posted the warning on Saturday – kjmci – urged players to scrub their systems of anything published by Chaos.

“We recommend in the strongest possible terms that you unsubscribe from all items published by this author and do not subscribe, download, or install any mods, from any source, that may be published by this individual in future,” according to the subreddit post.

Valve has reportedly yanked several of the mods that feed into the automatic updater and has banned Chaos’ most recent accounts. However, as NME reports, the modder’s downloads now number around 35,000, meaning that the devices of tens of thousands of gamers have potentially been infected.

Chaos had developed several forks – i.e., modified and reuploaded versions – of popular mods from well-known creators, including Harmony, Network Extensions and Traffic Manager: President Edition.

Poisoning the Code Chain

Lacing Harmony with malware is particularly pernicious, given that it’s one of the mods that Chaos “redesigned.” Chaos listed the modified version as a core download, as in, a dependency for other mods that players would have to download in order for other dependent mods to work.

Among other functions, Harmony dishes out a patching library to mods that need it and hot-patches older Harmony versions – older versions that, according to Steam’s community page, are still in use by various mods.

“Users install Harmony (redesigned) for a particular reason, suddenly they get errors in popular mods. The solution provided is to use [Chaos’] versions,” kjmci told NME. “Those versions gain traction and users, and people come across them instead of the originals… and see Harmony (redesigned) marked as a dependency. Users install Harmony (redesigned) with the [automatic updating code] bundled with it. Suddenly you have tens of thousands of users who have effectively installed a trojan on their computer.”

The automatic, malware-delivering updater was found buried in Chao’s version of Harmony, according to what kjmci told NME. The moderator opts for anonymity because they’ve been targeted by Chaos in the past, they told the publication.

Some Mods Rigged with Performance-Slaying Malware

Besides inflicting the trojan on unsuspecting players, Chaos also reportedly planted malicious code that targeted fellow modders and employees of the game’s developer, Colossal Order.

This particular flavor of malware crippled game performance, according to kjmci. The resulting crummy game-play motivated users to download so-called “solutions” that Chaos advertised to help clear up the issues.

Following their fans’ complaints about the sluggish performance, the developers of the targeted mods investigated and discovered the malicious code.

Chaos Could Return

Just because Valve pulled Chaos’ accounts doesn’t mean the modder won’t be back to spread more malware. As NME notes, a loophole in the workshop rules for Steam – Valve’s digital distribution service – could allow the author to keep working on mods from another account even if his current accounts stay banned.

Besides which, just because Chaos was banned doesn’t mean that the damage is done. It could, in fact, get a lot worse, kjmci said: “What’s been implemented would let him cryptolock a bunch of machines, create a botnet (and DDoS his enemies?) or mine cryptocurrency.”

Distributed denial-of-service (DDoS) attacks are far from novel in the gaming world. Last month, for example, a massive Minecraft tournament styled after the Netflix blockbuster Squid Game known as “SquidCraft” was attacked with a DDoS attack that took down the sole (and state-owned) internet service provider in Andorra.

‘Classic’ Supply Chain Attack

John Bambenek, principal threat hunter at digital IT and security operations company Netenrich, noted that malware in games or in game mods – or even in pirated/cracked games, for that matter, is a fairly common tactic, “one that often involves American and European actors.”

He told Threatpost on Monday that using a supply chain tactic to get into more victims is “a fairly new tactic,” but unsurprising, given that “our discussion of the potential massive risks of supply chain attacks have inspired new actors to adopt them.”

Casey Bisson, head of product and developer relations at code and security provider BluBracket, told Threatpost on Monday that this is a “classic software supply chain attack similar to what we’ve seen elsewhere,,” the difference being how close it gets to the consumer end user.

“There’s lots of open source and commercially sourced software components that go into the apps and games on our mobile devices, but those supply chains are shorter and less complex relative to the components that can go into the software on servers or network devices,” Bisson said via email. “But ‘shorter and less complex’ supply chains are still vulnerable.

“Code is a vast and unprotected attack surface, and there’s no class of software that’s immune from attack. The more consumers feel these attacks on their personal mobile devices, the more they’ll demand protections.”

Companies can get ahead of consumer demands by implementing automated security practices to ensure product safety, he suggested.

Join Threatpost on Wed. Feb 23 at 2 PM ET for a LIVE roundtable discussion “The Secret to Keeping Secrets,” sponsored by Keeper Security, focused on how to locate and lock down your organization’s most sensitive data. Zane Bond with Keeper Security will join Threatpost’s Becky Bracken to offer concrete steps to protect your organization’s critical information in the cloud, in transit and in storage. REGISTER NOW and please Tweet us your questions ahead of time @Threatpost so they can be included in the discussion.

Suggested articles