
Sunday, 25 February 2018

Fake Steam Desktop Authenticator steals account details


In this blog post, we'll have a quick look at fake versions of Steam Desktop Authenticator (SDA), which is a "desktop implementation of Steam's mobile authenticator app".

Lava from SteamRep brought to my attention a fake version of SDA in circulation, which appears to be attempting to steal Steam credentials.

Indeed, there are some fake versions - we'll discuss two of them briefly.


Fake version #1

The first fake version can be found on steamdesktopauthenticator[.]com. Note that the site is live, and appears at the top of Google Search when searching for "Steam Desktop Authenticator".

Figure 1 - Fake SDA website

After downloading the ZIP file from the website and unzipping it, we see exactly the same structure as in the legitimate package, with one difference: the main executable has been modified.

File details:
Name: Steam Desktop Authenticator.exe
MD5 hash: 872abdc5cf5063098c87d30a8fcd8414
File size: 1,446 KB
Version: v1.0.9.1

Note that the current, legitimate SDA version at the time of writing is 1.0.8.1, with an original file size of 1,444 KB: the fake advertises a version number higher than any official release, and a difference of only 2 KB can mean a lot. Figures 2 and 3 below show the differences.
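The comparison above (size, hash, and what the extra bytes actually contain) can be scripted. The following is an added example, not code from the blog post or from the SDA project: it compares a downloaded binary against the values for the legitimate build, lists every URL host hard-coded in the file (scanning both ASCII and UTF-16LE runs, since SDA is a .NET application and its string literals are stored as UTF-16LE), and pulls the PDB path out of the CodeView debug record. The EXPECTED_HOSTS set is an assumption about which hosts a legitimate SDA build contacts, and the two byte strings at the bottom are constructed stand-ins for the legitimate and the trojanised executable, not bytes from the real samples.

```python
"""Static triage of a suspect Steam Desktop Authenticator download (added example)."""
import hashlib
import re
import struct

# Assumption: hosts a legitimate SDA build talks to. Any other host found in
# an http(s) URL inside the binary is reported for manual review.
EXPECTED_HOSTS = {"steamcommunity.com", "api.steampowered.com", "store.steampowered.com"}

URL_RE = re.compile(r"https?://([a-z0-9.-]+)", re.I)


def hashes(data: bytes) -> dict:
    """MD5 (the post quotes MD5), SHA-256 and size for a blob."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "size": len(data),
    }


def printable_strings(data: bytes, min_len: int = 6):
    """Yield printable runs: plain ASCII, then UTF-16LE (char, NUL pairs)."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        yield m.group().decode("ascii")
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data):
        yield m.group().decode("utf-16-le")


def unexpected_hosts(data: bytes) -> list:
    """Hosts from http(s) URLs in the binary that are not in EXPECTED_HOSTS."""
    found = set()
    for s in printable_strings(data):
        for host in URL_RE.findall(s):
            if host.lower() not in EXPECTED_HOSTS:
                found.add(host.lower())
    return sorted(found)


def pdb_path(data: bytes):
    """PDB path from the first CodeView 'RSDS' record:
    'RSDS' + 16-byte GUID + 4-byte age + NUL-terminated path.
    A raw scan is a shortcut; a full parser would walk the PE debug directory."""
    idx = data.find(b"RSDS")
    if idx < 0:
        return None
    start = idx + 4 + 16 + 4
    end = data.find(b"\x00", start)
    return data[start:end].decode("latin-1")


def triage(candidate: bytes, reference: dict) -> dict:
    """Compare a downloaded binary against the known-good release values."""
    h = hashes(candidate)
    return {
        "size_delta": h["size"] - reference["size"],
        "hash_match": h["md5"] == reference["md5"],
        "unexpected_hosts": unexpected_hosts(candidate),
        "pdb_path": pdb_path(candidate),
    }


# Constructed stand-ins (not real sample bytes): a stub header, a UTF-16LE string
# literal for a legitimate Steam URL, and a CodeView record with a made-up PDB path.
_HEADER = b"MZ" + b"\x00" * 62
_LEGIT_URL = "https://steamcommunity.com/login".encode("utf-16-le") + b"\x00\x00"
_DEBUG = (b"RSDS" + b"\x11" * 16 + struct.pack("<I", 1)
          + rb"C:\build\SDA\obj\Release\sda.pdb" + b"\x00")
LEGIT = _HEADER + _LEGIT_URL + _DEBUG
# The "fake" differs only by one extra string literal: the upload URL.
FAKE = (_HEADER + _LEGIT_URL
        + "https://steamdesktopauthenticator.com/".encode("utf-16-le") + b"\x00\x00"
        + _DEBUG)
REFERENCE = hashes(LEGIT)  # in practice: the values published for the official release

if __name__ == "__main__":
    for name, blob in (("legit", LEGIT), ("fake", FAKE)):
        print(name, triage(blob, REFERENCE))
```

On a real download you would read the .exe from the unzipped package, take the reference size and hash from the official release, and treat any host in "unexpected_hosts" the way the post treats steamdesktopauthenticator[.]com and steamdesktop[.]com: as the place your credentials would be sent.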



Figure 2 - Sending credentials to steamdesktopauthenticator[.]com

Figure 3 - Sending credentials to steamdesktop[.]com

Indeed, it also attempts to upload the credentials to a second website. Digging a bit further, an email address turns up that is associated with both domains: mark.korolev.1990@bk[.]ru

While I was unable to immediately find a malicious fork using any of these domains, Mark has likely forked the original repository, made the changes and then deleted the fork. Another possibility is that the source was simply downloaded and modified. However, the former is the more likely option.



Fake version #2

This fake version was discovered while attempting to locate Mark's fork from the fake version above. Here we do have a malicious fork on GitHub, in which trade and market actions appear to be intercepted and a token sent to a remote site, as shown in Figure 4 below.

Figure 4 - Malicious SDA fork (click to enhance)

Currently, when accessing the malicious site lightalex[.]ru with a bogus token, a simple "OK" is returned; it is therefore unknown whether the market modifications would actually succeed.

Interestingly, the domain is currently hosted on 91.227.16[.]31, an IP address that has previously hosted other SteamStealer domains, for example cs-strike[.]ru and csgo-knives[.]net.

The malicious fork has been reported to GitHub.



Disinfection

Neither of the fake SDA versions reported here appears to implement any persistence. In other words: remove the fake version by deleting it, then perform a scan with your current antivirus and a second scan with another (online) antivirus, or with Malwarebytes for example.

Additionally, de-authorize all other devices from your Steam account's security settings by selecting "Deauthorize all other devices".

Now change your Steam password, and enable Steam Guard if you have not yet done so.



Prevention

Prevention advice is the usual; extended advice is provided in a previous blog post here.

You may also want to take a look at SteamRep's Safe Trading Practices here.

Always download any software from the original source - this means the vendor's website, or in this case, the official SDA repository on GitHub:
https://github.com/Jessecar96/SteamDesktopAuthenticator



Conclusion

SteamStealer malware is alive and well, as seen in my January blog post. This is yet another attempt to scam users, and variations will continue to emerge.

Follow the prevention tips above or here to stay safe.


Indicators


Wednesday, 24 January 2018

Quickpost: SteamStealers via Github


Back in 2014, I wrote a blog post named 'Malware spreading via Steam chat', in which I analysed and discussed one of the first 'SteamStealers': malware that exclusively targets gamers, or at least those who use Steam.

You can read that blog post here. Another SteamStealer technique was via a Chrome extension, and there are many others reported as well - if you fancy a read, check out a blog post and paper I co-authored with Santiago here.

This is meant as a quick post and heads-up: some cybercriminals who use SteamStealer are now also resorting to Github. I was notified of this by Malwarehunterteam on Twitter.

In this example, Evrial relies on Github; the malware copies/steals clipboard contents and replaces Steam trade offer links. Note that Evrial is a full-blown infostealer.


Another recent example, given to me by advicebanana, is a SteamStealer whose sole purpose is stealing your Steam credentials. In this specific case, the download was redirected from:
http://screenpicture[.]pro/image293[.]jpg to the following raw file hosted on Github:
https://raw.githubusercontent[.]com/Hamlo22888/Sur/master/image293[.]scr
Note the lure: a link that looks like an image ends up serving a screensaver executable (.scr).

While the file is already offline at time of posting, it's possible that some Steam users have been tricked into downloading and executing it.

Interesting to note is that the debug (PDB) path in this specific sample is:
D:\asd\php\steam_complex\New_steal\new_steal_no_proxy\14ver -original(pubg+??????????)\SteamStealer\obj\Release\vv.pdb
while in the sample from my original 2014 blog post it was:

d:\asd\????????_new\??#\add\SteamComplex\SteamStealer\?????????? ?????????? (18)\SteamStealer\obj\Release\vv.pdb

The shared "SteamComplex"/"steam_complex" project layout and the "vv.pdb" name suggest that the original SteamStealer developer is still going strong.

To avoid getting scammed or ending up with a SteamStealer on your machine, follow the prevention tips in this blog post.



Conclusion

SteamStealers are (again) alive and well. While a drop was observed at some point, due to the enormous number of scamming websites, it appears that SteamStealer malware is back in business.

Github is also becoming more popular among cybercriminals: since it is often whitelisted in organisations, it offers yet another method of hosting malware.
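The whitelisting point has a practical consequence for detection: a host-level blocklist cannot catch the raw.githubusercontent.com payload without blocking all of GitHub, so that indicator has to be matched at repository-path level, while the domains the stealers report to (from this post and the fake-SDA post above) can be matched as plain hosts. The following is an added example, not code from the blog: it runs both kinds of indicator, plus an IP indicator and a loose "executable download" heuristic, over a set of constructed proxy log lines. The log format and the log lines are constructed; the hosts, IP address and URL are the ones quoted in the two posts.

```python
"""IoC matching over web-proxy logs for the SteamStealer indicators (added example)."""
import ipaddress
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Hosts quoted in the posts as attacker-controlled.
IOC_HOSTS = {
    "steamdesktopauthenticator.com", "steamdesktop.com", "lightalex.ru",
    "cs-strike.ru", "csgo-knives.net", "screenpicture.pro",
}
IOC_IPS = {ipaddress.ip_address("91.227.16.31")}
# Shared infrastructure: match the repository path, not the host.
IOC_URL_PREFIXES = ("https://raw.githubusercontent.com/Hamlo22888/Sur/",)
# Heuristic, not an IoC: executables fetched from anywhere get flagged for review.
EXECUTABLE_EXT = (".scr", ".exe")

# Constructed log format: timestamp client method url status
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


@dataclass
class Hit:
    ts: str
    client: str
    url: str
    reason: str


def classify(line: str):
    """Return a Hit for a log line matching an indicator or heuristic, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    url = m["url"]
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reason = None
    if host in IOC_HOSTS:
        reason = "ioc-host"
    else:
        try:
            if ipaddress.ip_address(host) in IOC_IPS:
                reason = "ioc-ip"
        except ValueError:  # host is a name, not an address
            pass
    if reason is None and url.startswith(IOC_URL_PREFIXES):
        reason = "ioc-url"
    if reason is None and parts.path.lower().endswith(EXECUTABLE_EXT):
        reason = "executable-download"
    return Hit(m["ts"], m["client"], url, reason) if reason else None


def scan(lines):
    """All hits, in log order."""
    return [h for h in map(classify, lines) if h is not None]


# Constructed proxy log lines (not from any real environment).
LOG_LINES = [
    "2018-01-24T10:00:01Z 10.0.0.5 GET http://screenpicture.pro/image293.jpg 302",
    "2018-01-24T10:00:02Z 10.0.0.5 GET https://raw.githubusercontent.com/Hamlo22888/Sur/master/image293.scr 200",
    "2018-01-24T10:05:00Z 10.0.0.7 GET https://raw.githubusercontent.com/Jessecar96/SteamDesktopAuthenticator/master/README.md 200",
    "2018-02-25T12:00:00Z 10.0.0.9 POST https://steamdesktopauthenticator.com/ 200",
    "2018-02-25T12:01:00Z 10.0.0.9 GET http://91.227.16.31/ 200",
    "2018-02-25T12:02:00Z 10.0.0.11 GET https://store.steampowered.com/app/730 200",
    "2018-02-25T12:03:00Z 10.0.0.12 GET http://downloads.example.net/tool.exe 200",
]

if __name__ == "__main__":
    for hit in scan(LOG_LINES):
        print(f"{hit.ts} {hit.client} {hit.reason}: {hit.url}")
```

The third line, a fetch from the legitimate SDA repository on the same raw.githubusercontent.com host, produces no hit, which is the behaviour a host-only rule could not give you; the last line is a heuristic hit only and needs an analyst to look at it.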

As mentioned before, follow the prevention tips in my earlier blog post to stay safe.


Indicators


Tuesday, 15 March 2016

All your creds are belong to us


In the past I've blogged about Steam Stealers (malware that specifically targets gamers and users of Valve's platform; see 1, 2), but this blog post will be a bit different.

Working together with Santiago Pontiroli, Security Researcher at Kaspersky Lab Global Research and Analysis Team, we've written a paper on these infamous Steam Stealers.

Check out our blog post here or directly download the PDF from here.

Enjoy!