
[laughter] Thanks so much. Thanks for the lovely welcome. Like I said, I'm Rebecca. I'm currently a senior security engineer at Everquote, believe it or not, which gives hope to all of you: if a bucket like me can become senior, so can you. I use they/them pronouns. I quite like parrots, as you can probably tell. You can see I was over in Tallinn, Estonia a couple of weeks ago and I found a petting zoo, and I was just living the dream. This talk is kind of a personal interest of mine, because I actually used to mod back in the day, back in the good old times of the mid-2000s. Kids, get off my lawn. I don't have social media apart from LinkedIn, so if you want to send hate mail, send it there. And you'll notice I'm not very good at doing slides, but, you know, graphic design is truly my passion. I've made that joke so many times. I don't apologize.

So, quickly, the agenda today: I'm going to talk about a quick history of the Sims franchise and the community, how these mods were compromised, the community response, and antivirus. So, quickly, a timeline for the games if you're not familiar, as well as a couple of major players in the Sims community.

So let's go to 1989, when the Sims series was born with the release of SimCity. Maxis, who created SimCity, wanted to explore what a city-building game would be like. Hugely popular, and it helped to spawn a whole series of games. If I went through them all, I feel like we'd still be here in 45 minutes and we'd still be talking, and I don't think you'd be interested in that. So let's not do that. There's a couple of games like the SimCity series, SimEarth, and so on. In 1999, a game focusing on the people who live inside SimCity, known as The Sims: it was actually in development since 1991, when Will Wright, the man who came up with The Sims, lost his house in a wildfire and got inspired by rebuilding his house and rebuilding his life. It was officially announced in early 1999 via a trailer in SimCity 3000, the best SimCity, so if you disagree, you're wrong. Excitement quickly grew for this new offering from Maxis. Fan sites were created to discuss The Sims, including The Sims Resource, which was founded within this year. Remember this name, because it'll be very important. Maxis encouraged this new community, as they had done for all the rest of their games, by releasing modding tools even before the game released, which were gladly embraced, and these fan sites hosted many downloads, mostly just wallpapers and skins and stuff, but it was a start. So The Sims Resource was founded this year. Also in this year, LiveJournal was founded, which would become a major hub for the Sims community in the mid-2000s. I had one; most people had one, you know, it's a bit of a throwback. We then proceed on to Y2K, when the world was supposed to end with the Y2K bug, and with the state of the world right now it's maybe a bit of a shame that it didn't end, and a little well-known game known as The Sims was created. We never heard from The Sims again. No, joking. So this was the game that launched many expansion packs and the Sims series, which is still going on to this day.

Four years later, The Sims 2 was released, changing from the original's isometric perspective to a fully 3D camera and focused on playing a family over a few generations by adding more life stages over the first game's 2.5 life stages, and aging. This is in fact just as, if not more, popular than the first game, and a modding community soon formed around it, with Mod The Sims 2, now just Mod The Sims, also created early in the same year before release. Much like The Sims Resource, it would become a major place for the community to upload their mods. And I have a note here that says also The Sims 2 is the best game in the series, and no, I'm not biased because I mod for it, and if you disagree you are wrong, and if you ask me questions like, "Rebecca, you're wrong": no. Soon after, in 2007, Tumblr was created, which would serve as one of the main hubs for the community back in the early 2000s and still is to this day. I had the LiveJournal, the Dreamwidth, which is a fork of LiveJournal from when it was bought by a Russian oligarch, don't ask me about that, and Tumblr. And no, you cannot have the links. You don't want to read what I was writing when I was 14 or in my early 20s, and I don't either. I don't even remember those times, thank you very much. My good times were had with my totally legally acquired Photoshop and MilkShape. Just for the record, I'd never sail the high seas. But, you know, if you ask me at the after party, maybe I have. You never know.

Moving on. The Sims series continued to advance with the release of The Sims 3 in 2009, which focused on the world around the Sims, and The Sims 4 in 2014, believe it or not, which served as a soft reboot and is the main focus for today. You will also see here that at the very last entry in my timeline I've mentioned the incident, and no, it's not an excuse for me to find cool art nouveau paintings of Pandora's box, which came up as I started researching this, and I would like to describe it as opening Pandora's box in regards to the malware potential The Sims 4 had. Pandora's box is a Greek myth: basically this woman called Pandora opened this box and let loose all the bad
things in the world, and really the last thing in the box was a thing called hope, which, you know, I have no hope, so it's okay. [clears throat] But we'll come back to this later.

Like I said before, Maxis and EA have always been supportive of the modding community; it helps keep an interesting game alive, and even in The Sims 4 they have creators making packs for them so they can rip you off more. They even released tools for the community before the game released, such as HomeCrafter and Body Shop, to help create hype for the game's release, so it's basically free advertisement. The community soon grew, either by creating your own fan sites, uploading to mod hubs like The Sims Resource or Mod The Sims, or joining communities over first LiveJournal and then Tumblr. This support continued into the Sims 4 era.

There's a very important change made with the release of The Sims 4. It uses XML tuning to control game behavior. So, like, you tell your Sim to go, I don't know, sit on the toilet or something like that; that's controlled by XML. Modders, when they got their hands on it, created TS4 script files, which I'm going to build up here, which aren't officially supported, and you'll never guess what TS4 script files are. I kind of noticed that my personal terminal background does not really gel well with my slide background, but hey, graphic design is still my passion. You might be wondering why I'm unzipping this. Can anyone tell me what files these are? And if you say Ruby, I swear to God. Yeah, it's Python. Compiled Python, and regular old Python as well. So I just kind of found a regular old mod from Mod The Sims to show you this. As you can see, it's basically a glorified zip file that is easier to share with other creators and other people who want to download it.

And here's a sample of the contents of one of these Python files. It's not related to malware; I just kind of picked it up and thought it's a really good example. You can see here it doesn't really look much different from a regular Python file you might encounter day-to-day. And since we now know that these are just regular old Python files, it's also important to know that you can do anything you can do with regular old Python and place it in a TS4 file. It does not deal with just game behavior. So, say, checking the file system, deleting files, creating files, downloading files, making requests out to the internet, just to random sites. Stuff like this is a bit benign on the surface, but can possibly be misused by an attacker. Now, most mod authors do not misuse this, I will say this now. If mod authors need to reach out to the internet, it's supposed to be to tell the user there's a new update out, please update your mods; otherwise, you know, I don't know, just don't, I guess. But I think it's important I mention this, to remember that there is a potential for these features to be misused, as we can see in this next story we will then go on to. And also you can see a parrot, like, you know, doing stuff.

I will also note that EA has been very, very hands-off with the community historically, and recently the only thing they've really got involved with is once people were making abuse mods involving children and pets; that was when they got involved. But historically, you know, EA has done nothing, and I'm surprised too, EA, the famously player-loving company, I'm surprised.

So, as I mentioned, the incident. I've kind of built this up here, but it's important to cover. I kind of like comparing it to Pandora's box; I think it's pretty similar, and also it's a really nice painting as well. I hope you appreciate it. It basically opened the floodgates on what TS4 script files can do, and when I was doing my research for this talk I came to the view that this is important and this kind of got swept under the rug. It originated as an argument between two modders, which, from my time in the community, is pretty common. I've been involved in my own slap fights as well, so that's another reason why [laughter] I don't want to relive those slap fights. However, this situation differs from the usual slap fights that modders get involved in. This involved two modders called TurboDriver, who is very well known in the Sims 4 community for making NSFW mods, and another individual known as ColonolNutty, who will
No worries. Thanks so much. My talk was not indeed that bad. It's okay, lads. We're back. [laughter]

So basically, ColonolNutty, this guy who's accused of allegedly making mods that enable abuse towards animals and children, very illegal stuff. ColonolNutty, in making these successful mods, actually took some of TurboDriver's code without permission. Sometimes it was pretty common to share code; some modders can be a wee bit touchy about using their code. Like, when I modded I was like, yeah, just do whatever you want, just don't do anything illegal and don't charge for it as well. But in fact TurboDriver told him not to use their code because they were disgusted by what he was doing; like, no, please don't make illegal stuff with my code, thank you very much. And in retaliation, TurboDriver made a function within their mods that detected any ColonolNutty mods within the same mod folder and replaced functions that these mods shared with an empty function that did and returned nothing, essentially breaking those mods. And ColonolNutty, as you can probably guess, was not very happy. He was like, whoa, whoa, why are you breaking my mods? That's not really nice, even though I'm doing illegal stuff, but hey. And so he had a wee bit of a fit and he revealed all this to the public to make TurboDriver look bad, and after this was revealed to the public, TurboDriver apologized and said it was never their intention to create malware, even though they kind of did. This incident was forgotten until one of the main malware incidents occurred in January 2024 and opened the floodgates to what was possible, the malicious potential that scripting mods could have. I wanted to make the point that there should have been more attention paid to this. It's kind of swept under the rug until the first malware incident happened, and everyone was like, whoa, this is new, and it's like, no, this happened before and we didn't pay attention and now we're screwed. But I think that's the life of security, am I right?

So now we know the prelude to this malware incident. I kind of wanted to go over the typical Sims player profile: who are the people downloading these mods, the scripted mods, in the first place? Who would an attacker try to go for? As you can see here, I've got a really good parrot representation of your typical Sims player. No, I'm joking. Mostly they're casual gamers. They're interested in adding more behavior to the game, like, I don't know, running a cult, or, I don't know, making a farm. Personally I quite like the farm, but I'm just from Ballymena. Most Sims players usually use Windows, with a small percentage using Macs and an extremely small percentage using Linux. So that would be our main target audience, and they're not very technically minded. I have fond memories of dealing with people who, if you gave them clear instructions on what to do, wouldn't listen and would be like, "Why is my thing not working?" I mean, again, in security I'm used to this now. There's a reason why it's "read the freaking manual". That's the way of saying it, right? A lot of really popular Sims mod authors in the Sims community, they're just not very good at that, and also they're not very security focused either, like the passwords they use, and yeah, it's not really fun.

So now that we understand the main victims of any attacks, we're going to have a wee talk about [laughter] the attacks that happened. I found this image when I was looking up write-ups for this and I love it. I want to use it for any write-ups I do, like "the malware apocalypse". I mean, yeah, it's a bit overkill, but I thought it was funny. So in January of... sorry, one second. [laughter] Now that I bring this up, there have been instances before where malware has been bundled with downloads, but mostly in the downloading of them: some sites would try to make a wee bit of extra money and would use dodgy link protectors like adf.ly that would show you ads in return for a wee bit of money while people download your mods. The problem is these sites didn't vet what ads they were using, and you often got a wee side of malware with your Sims downloads. So, bit of fun. However, these instances I'm going to discuss with you are totally new for the Sims community to deal with.
There were several instances of these new malware incidents throughout 2024 and even in 2025; 2025 is kind of a bit of a footnote. We're discussing the first three things in the timeline here. So the first incident occurred in January and February 2024. A famous modder known as MSQ Sims had their TSR and fan site accounts compromised by a known attacker, who then proceeded to upload updated versions, sorry [snorts], of several existing mods and post them in the community, containing malware within the TS4 script file, which I'll soon talk about, don't worry, you know that's what you're here for. It's important to note that MSQ Sims was relatively active during the time and is a very popular modder with... I don't think my disclaimer would let me say a lot of numbers, but it's quite big. So yeah, you see they're a really popular modder. It's important to note that they're very active and they upload regularly to TSR, making it unlikely that anyone would have suspected that their mods were compromised until it was too late. There's also an instance occurring at the same time by these same attackers: they created a new account on the fan site Mod The Sims, which I mentioned earlier, trying to impersonate the modder. Would you guess what the account was called? P my Sims. So it was kind of an off-by-one error. I would make that programmer joke, but, you know, I can't remember it right now, so you'll have to deal with that. So it looked very similar to the real modder's name. With that new account, a similar tactic to what they did with the compromised accounts, by uploading a supposedly updated mod, the cult mod, which then again contained malware. At the time, P my Sims hadn't been active since 2022, according to Patreon, which was last updated in August of 2024, not even mentioning the malware, just like, "hey guys, sorry I'm away, what's happened?" [laughter] And it's also important to note that this modder did not use to upload to Mod The Sims, instead preferring to use Tumblr and Patreon. It's not completely out of the question for modders to switch up where they upload their mods to; I've certainly switched up where I upload my mods too, like I've switched from LiveJournal to Dreamwidth to Tumblr. But it's still very suspicious when an actor not being active for over a year uploads to a totally new site. I probably could see why people get tricked, like, oh flip, they're back, happy days, and they've moved to a new site, let's go.

If that wasn't enough, the same attacker also created new accounts on the website CurseForge, again a very popular modding website, not just for Sims 4 but for other games as well, completely unlinked to other modders. They uploaded one of the same compromised mods that they uploaded during the compromise of MSQ Sims, including stealing images from the same modder, which, you know, props for being lazy, I guess. This is probably the least likely way to fool people. If they recognized stolen images from a new user, they probably wouldn't download it and would hopefully report it, but you know, you never know. The mods were also uploaded to NSFW mod sites, which I'm not going to link here because it's a bit too hot for BSides. All right. So the attackers, as you can see here, tried to hit a wide range of targets, from compromising known and trusted accounts to just creating a couple of throwaway accounts and calling it a day.

Another incident occurred with the same method of attack in November of 2024, where two creators, TwistedMexi, you will notice there, and Moxy Mason, had their Mod The Sims accounts compromised, again by a known attacker. We're not too sure if it's the same attacker, but it's the same method of malware, you know, it might be the same guy. Instead of using an existing TS4 script to spread malware, they decided to create their own, and said, let's be a wee bit original, and just snuck it into the TS4 script file, which, if you unzipped it, you'd be like, oh, that's a wee bit sus, why are there new files here? But modders add new files all the time, so it might not really stick out. Again, it's also important to note that these accounts were both effectively abandoned: if you see the three tumbleweeds there with TwistedMexi, their last proper upload was in 2018, and Moxy Mason, if you believe it, in the glorious year of 2022, no, sorry, 2012. Sorry. If you can see here, TwistedMexi even had a note on their account saying, "I'm not going to upload here anymore. Please go to my website, my Patreon." And you know, yeah.

So there was also another incident, if I go back here, the very last bit, where the guy was like, "Right, I've had enough of writing Python. I'm just going to stick an EXE file on some downloads and hope people click it." If I was being charitable, I would say brazen. I'm not going to be charitable because, as we'll see here, the code's awful. So I'm just going to say lazy.

So now that we've gone over the main incidents, we're going to show you the malware. And,
as you can see here, 24 lines or so of code that caused a whole lot of panic within the Sims 4 community. I showed this file to my friend who does red teaming engagements, and he writes malware sometimes, legally, because I've never really written Windows malware. I've only written macOS malware as a joke, and it's never been deployed anywhere. So don't worry, I'm not doing anything illegal. I say this.

So, as you can see here, we create a batch file that brings back some memories of glorious old YouTube videos back in the glorious year of 2009 with copyright-free music. And, you know, you make it echo, like, "I'm a scary virus." It's giving those vibes. It opens the file, downloads something really cool, an infostealer, from Discord of all places, writes it, and then executes it with a subprocess, hides the window, and then, yeah, the rest of the code is from the mod itself. So they got really lazy and kind of stuck it on top of the mod. I don't want to be too harsh to him or them, but it kind of looks like baby's first malware. Like, you're not really supposed to leave any trace of your malware; I think that's malware 101. But that makes it really, really easy to detect by any competent EDR or antivirus. And, you know, one of the first things that this malware does is create a batch file, of all things, to download the RedLine stealer infostealer. And I was asking my friend, like, hey, if you were to write this, what would you do? And if the original malware guys are watching this, you know, here's some top tips: get good. [clears throat] So if you're going to write your mod as well, you might want to take a bit more of a stealthy approach rather than just barging in creating script files or batch files, sorry. But, you know, create a trusted DLL that's loaded by a trusted exe like Sims 4; that would be a bit stealthier than the approach the attacker went for, which, as I said, is really easy for any competent antivirus to detect.

The infostealer that I mentioned was most likely RedLine. As you can see, there's a parrot infostealer stealing some credit cards. God love him. Basically, this guy couldn't write his own infostealer and just bought one off the dark web; fair play to him. It mostly stole saved credit cards from browsers, and passwords, Steam info as well, you know, in case you got bored and wanted to shop the Steam summer sale, and crypto wallets as well, because we can't talk malware these days without stealing some crypto, am I right? [laughter] At least he tried, I guess. This attack could have been a lot, a lot worse if it was a bit more sophisticated, if they had upped their game a wee bit. I'm not saying a nation state is going to steal stuff using Sims 4 mods. I don't think North Korea is booting up Sims 4 and being like, oh yeah, I'm about to steal some, uh, crypto here, lads. But it's very amateur, a bit of a script kiddie. And in the end, he basically gave up and put .exe files in downloads and hoped people click on them. So he kind of gave up there. So, fair play to him, I guess.

But even though this malware is awful and stuff, it did cause a lot of panic within the Sims 4 community. I found a post here on the subreddit. Basically, as I said before, not very technically competent, like they're saying, "I don't know much about computers here." But people were panicking, like, is it safe to download any mods anymore? Is it safe to download even cosmetic mods, which would not have this? They were panicking, and, you know, it's not great. They were even panicking for games that weren't even attacked at all, like Sims 2 and 3. And people also worried that these fan sites and mod hubs were now unsafe to download from at all. To these sites' credit, they implemented countermeasures such as vetting new uploaders and inactive uploaders, and several fan sites, including TSR, have stopped accepting uploaded scripts in the wake of these incidents, temporarily, to stop these attackers from uploading more infected TS4 script files.

But there's a bright light here. In the midst of all this worry, the community rallied together and provided support for each other, something the, again, famously player-friendly, not money-grubbing EA did not do. As I mentioned, EA does not get involved in the modding community unless they do something very illegal, and this is no exception. The community, as you can see here, created posts like this on Reddit and other sites, aimed to inform fellow members of affected downloads and any updates on the situation. This helped to calm down the panic a wee bit and helped answer any
questions that people had. There were also co-responses as well, like antiviruses and removers. One of the first responses to these malware incidents occurred in February 2024, again after the first attacks, where the owners of CurseForge, Overwolf, created a remover for the malware written in C++. I would probably liken this to medicine rather than prevention. I've actually included a picture of some of the code. I've never done C++ before; I got told not to do it. So, yeah, certainly some C++ code, am I right? It attempts to find the malware files and notifies users of those, as well as moving the malicious files.

The second response that attempted to remove the malware was created, again in February 2024, by TwistedMexi. You might remember them from the November 2024 incident; maybe the malware quote-unquote dev wanted to get a wee bit of payback against them. So, as you can see here, it was in, sorry, it was in .pyc Python format, so I had to use PyLingual to decode it. So I do apologize if it looks a bit messy; I blame PyLingual, not me. So, as you can see here, we have a list of prohibited items, and it detects certain files. These are actually obfuscated using, I think, an ASCII shift thing. It basically checks for these strings here. It unfortunately does not check for obfuscated strings, so if the attacker, you know, got a wee bit "get good", I guess, and obfuscated the strings, it probably wouldn't detect this, but it's still very, very impressive. It checks for stuff like "bat" and "discord.com app attachments", and they look so familiar: those are the strings that we've seen before in the malware. And if those strings are detected, it alerts the user to the infected mods and also presents the file path for quick removal by the user. It also reports back to the modder's website for further recording. And they purposely obfuscated it and purposely put it in .pyc files in order to prevent the attacker from trying to avoid or get past it. But, you know, it's only a very, very simple ASCII shift, only shifting by one. I think the attacker with their skills, quote, I mean, even I could do better and I'm horrible at coding, would probably get put off by this amount of obfuscation, but I think a more advanced attacker would probably get around this a wee bit easier. But still very, very impressive that they managed to create their own antivirus, and it runs within the game as well, which is pretty cool.

So, to summarize what I talked about: the community came together to protect themselves against this new wave of malware and did what EA couldn't do, essentially. Given these attackers, or attacker, in time gave up their attempts to spread malware through TS4 script files and just dumped an EXE file in zips to get people to click them, I think they did a pretty good job. And on that note... oh yes, and I forgot to show this, I'm so sorry. This is basically the full length and breadth of EA responding to mods. As you can see, it's not very much.

So I want to end this off with thank yous. Special thanks to Matt, Raone, Dean, Ryan from the Everquote SecEng team, and Tim, David, and Daniel, also from Everquote, for your help and putting up with me. The BSides Belfast crew for setting up this talk; you know, thanks for letting the bucket speak. Grant for teaching me Windows malware; check out his talk after this one, it's probably a lot better than this one. And yourselves, thank you so much for coming. Any questions?

>> Brilliant. Thank you so much, Rebecca. Okay. So, we are here for Grant Colan's talk, One Click Purple Teaming, and Other Lies We