Cities: Skylines Modder Deployed Malicious Code through Mods, Giving Him Complete Access to Infected Systems


A mod creator for the popular PC game Cities: Skylines has bundled his work with an automatic updater that allowed him to deploy malware on infected machines.

Cities: Skylines is a city simulator with a large following on Steam. The gaming community has created numerous mods, which players could easily download from Steam’s Workshop. The proliferation of mods and players attracted the wrong kind of person — someone who wanted to deploy malware.

According to a post on the Cities: Skylines subreddit, a modder by the name “Chaos” used the entire mod distribution and support ecosystem to trick people into running his software. He forked an existing framework named Harmony, which many other mods depend on. He then forked some of the popular mods that used Harmony and tricked people into installing his versions by showing fake errors whenever users installed anything other than his mods.

“Users install Harmony (redesigned) for a particular reason, suddenly they get errors in popular mods. The solution provided is to use his versions,” said a Reddit moderator in an interview with NME. “Those versions gain traction and users, and people come across them instead of the originals… and see Harmony (redesigned) marked as a dependency,” he added. “Users install Harmony (redesigned) with the [automatic updating code] bundled with it. Suddenly you have tens of thousands of users who have effectively installed a trojan on their computer.”

The malicious actor didn’t stop there. He also checked the SteamIDs of the users installing his mods and, if they matched known accounts of other modders or even the game’s developers, the software would block code inspection, hiding the malicious behaviour from the people most likely to notice it.

People downloaded Chaos’ mods more than 35,000 times in total, and there’s no indication that his activity has stopped, even though Valve has disabled his accounts. Because the bundled updater fetches code on its own, the attacker retains access to the systems that are already infected regardless of what happens to his Steam accounts. The entire endeavor was designed to act as a trojan, but it’s unclear whether the attacker has used that access in any campaigns.