Showing posts with label steamstealer. Show all posts

Sunday, 25 February 2018

Fake Steam Desktop Authenticator steals account details


In this blog post, we'll have a quick look at fake versions of Steam Desktop Authenticator (SDA), which is a "desktop implementation of Steam's mobile authenticator app".

Lava from SteamRep brought to my attention a fake version of SDA floating around, which may be attempting to steal your Steam credentials.

Indeed, there are some fake versions - we'll discuss two of them briefly.


Fake version #1

The first fake version can be found on steamdesktopauthenticator[.]com. Note that the site is live, and appears at the top of Google Search when searching for "Steam Desktop Authenticator".

Figure 1 - Fake SDA website

When downloading the ZIP file from the website and unzipping it, we notice exactly the same structure as in the legitimate package, with one difference: the main executable has been modified.

File details:
Name: Steam Desktop Authenticator.exe
MD5 hash: 872abdc5cf5063098c87d30a8fcd8414
File size: 1,446 KB
Version: v1.0.9.1

Note that the current and real SDA version is 1.0.8.1, and its original file size is 1,444 KB - a difference of only 2 KB can mean a lot. The fake also claims a version number higher than anything the real project has released, which is a red flag on its own. Figures 2 and 3 below show the differences.



Figure 2 - Sending credentials to steamdesktopauthenticator[.]com

Figure 3 - Sending credentials to steamdesktop[.]com

Indeed, it also attempts to upload the credentials to a second domain. Digging a bit further, an email address associated with both domains turns up: mark.korolev.1990@bk[.]ru

While I was unable to immediately find a malicious fork using any of these domains, Mark has most likely forked the original repository, made the changes and then deleted the fork. The alternative is that the source was simply downloaded and modified, but the former is more likely.
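As an added example (not code from the post or from the SDA project), here is the kind of quick triage a practitioner would run on a freshly downloaded 'Steam Desktop Authenticator.exe' before trusting it: hash it against the known-bad MD5 above, scan it for the exfiltration domains as both ASCII and UTF-16LE (a .NET assembly stores its string literals and its VS_VERSION_INFO block in UTF-16LE, so a plain strings(1) pass misses them), and flag a version claim higher than the real upstream release. The SAMPLE_* bytes are constructed stand-ins, not the real binary.

```python
"""Triage of a downloaded 'Steam Desktop Authenticator.exe' against the
indicators above. Added example, not code from the post or from the SDA
project; the hash, domains and versions are the ones quoted above, the
SAMPLE_* bytes are constructed stand-ins, not the real binary."""
import hashlib
import re

KNOWN_BAD_MD5 = {
    "872abdc5cf5063098c87d30a8fcd8414": "fake SDA 'v1.0.9.1' from steamdesktopauthenticator[.]com",
}
IOC_DOMAINS = ("steamdesktopauthenticator.com", "steamdesktop.com", "lightalex.ru")
UPSTREAM_VERSION = (1, 0, 8, 1)  # real SDA release at the time of the post

# Printable runs of at least 4 characters: plain ASCII, and UTF-16LE, which is
# how .NET string literals (#US heap) and VS_VERSION_INFO strings are stored.
_ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")
_UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")
_VERSION = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def strings(data: bytes) -> dict:
    """Printable strings in both encodings, like strings(1) with and without -el."""
    return {
        "ascii": [m.group().decode("ascii") for m in _ASCII_RUN.finditer(data)],
        "utf16le": [m.group().decode("utf-16-le") for m in _UTF16_RUN.finditer(data)],
    }


def find_iocs(data: bytes, domains=IOC_DOMAINS) -> dict:
    """Map each IOC domain present in the file to the encodings it was found in."""
    found = {}
    for dom in domains:
        encs = [name for name, needle in (("ascii", dom.encode("ascii")),
                                          ("utf16le", dom.encode("utf-16-le")))
                if needle in data]
        if encs:
            found[dom] = encs
    return found


def claimed_versions(data: bytes) -> list:
    """Four-part version numbers embedded as UTF-16LE (VS_VERSION_INFO style)."""
    found = set()
    for s in strings(data)["utf16le"]:
        for m in _VERSION.finditer(s):
            found.add(tuple(int(x) for x in m.groups()))
    return sorted(found)


def triage(data: bytes) -> dict:
    md5 = hashlib.md5(data).hexdigest()
    versions = claimed_versions(data)
    iocs = find_iocs(data)
    # A build that claims to be newer than anything upstream has released is a
    # red flag on its own, exactly like the 'v1.0.9.1' in the fake above.
    newer = any(v > UPSTREAM_VERSION for v in versions)
    return {
        "md5": md5,
        "size_kb": round(len(data) / 1024, 1),
        "known_bad": KNOWN_BAD_MD5.get(md5),
        "iocs": iocs,
        "versions": versions,
        "newer_than_upstream": newer,
        "suspicious": bool(KNOWN_BAD_MD5.get(md5) or iocs or newer),
    }


# Constructed stand-ins (not real files): an MZ header, then for the 'fake' one
# the exfil URL as a UTF-16LE literal, a 1.0.9.1 version string and an ASCII IOC.
SAMPLE_FAKE = (b"MZ" + b"\x00" * 62
               + "https://steamdesktop.com/".encode("utf-16-le") + b"\x00\x00"
               + "1.0.9.1".encode("utf-16-le") + b"\x00\x00"
               + b"lightalex.ru\x00")
SAMPLE_CLEAN = b"MZ" + b"\x00" * 62 + "1.0.8.1".encode("utf-16-le") + b"\x00\x00"

if __name__ == "__main__":
    for name, blob in (("fake", SAMPLE_FAKE), ("clean", SAMPLE_CLEAN)):
        print(name, triage(blob))
```

Run it against the real download by reading the file's bytes into `triage()`; a hash match is conclusive, while an IOC hit or a too-high version is enough reason to delete the file and fetch SDA from the official repository instead.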



Fake version #2

This fake version was discovered while attempting to locate Mark's fork from the fake version above - here we do have a malicious fork on GitHub, in which trades/market actions appear to be intercepted, as shown in Figure 4 below.

Figure 4 - Malicious SDA fork

Currently, when accessing the malicious site lightalex[.]ru with a bogus token, a simple "OK" is returned - whether the market modifications would actually succeed is unknown at this point.

Interestingly enough, digging deeper on this particular domain, which is currently hosted on 91.227.16[.]31, shows that the same IP had hosted other SteamStealer malware before, for example cs-strike[.]ru and csgo-knives[.]net.

The malicious fork has been reported to GitHub.



Disinfection

Neither fake SDA version reported here appears to implement any persistence; in other words, remove the fake version by deleting it, then perform a scan with your current antivirus and a second scan with another, online antivirus or with Malwarebytes, for example.

Additionally, de-authorize all other devices by clicking here and select "Deauthorize all other devices".

Now, change your password for Steam, and enable Steam Guard if you have not yet done so.



Prevention

Prevention advice is the usual; extended advice is provided in a previous blog post here.

You may also want to take a look at SteamRep's Safe Trading Practices here.

Always download any software from the original source - this means the vendor's website, or in this case, the official SDA repository on GitHub:
https://github.com/Jessecar96/SteamDesktopAuthenticator



Conclusion

SteamStealer malware is alive and well, as seen in my January blog post. This is yet another attempt to scam users, and variations will continue to emerge.

Follow the prevention tips above or here to stay safe.


Indicators


Wednesday, 24 January 2018

Quickpost: SteamStealers via Github


Back in 2014, I created a blog post named 'Malware spreading via Steam chat', in which I analysed and discussed one of the first 'SteamStealers' - malware that exclusively targets gamers, or at least those who use Steam.

You can read that blog post here. Another SteamStealer technique was via a Chrome extension, and there are many others reported as well - if you fancy a read, check out a blog post and paper I co-authored with Santiago here.

This blog is meant as a quick post and heads-up, as some cybercriminals who use SteamStealer are now also resorting to Github. I was notified of this by Malwarehunterteam on Twitter:




In this example, Evrial is hosted on Github; the malware copies/steals clipboard contents and replaces Steam trade offer links. Note that Evrial is a full-blown infostealer.


Another recent example, given to me by advicebanana, is a SteamStealer with the sole purpose of stealing your Steam credentials. In this specific case, the download was redirected from:
http://screenpicture[.]pro/image293[.]jpg to the following raw file in a GitHub repository:
https://raw.githubusercontent[.]com/Hamlo22888/Sur/master/image293[.]scr

While the file is already offline at time of posting, it's possible some Steam users were tricked into downloading and executing it.

Interestingly, the debug (PDB) path in this specific sample is:
D:\asd\php\steam_complex\New_steal\new_steal_no_proxy\14ver -original(pubg+??????????)\SteamStealer\obj\Release\vv.pdb
While in my original blog post, from 2014, it was as follows:

d:\asd\????????_new\??#\add\SteamComplex\SteamStealer\?????????? ?????????? (18)\SteamStealer\obj\Release\vv.pdb

It appears the original SteamStealer developer is still going strong.
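The debug path is the CodeView 'RSDS' record the compiler leaves in the PE: the magic, a 16-byte GUID, a 4-byte age and a NUL-terminated PDB path. The following is an added example, not code from the post, that pulls those records out of a file and lists which non-generic path components a new sample shares with the two SteamStealer build paths quoted above (the components that tie the 2018 sample to the 2014 one: asd, SteamStealer, vv.pdb). The SAMPLE_PE bytes and the '15ver' variant path inside it are constructed for the demonstration and are not real samples; a raw scan for the magic avoids parsing the debug directory but can produce false positives, which is why only records whose path ends in .pdb are kept.

```python
"""Extract CodeView 'RSDS' PDB records from a PE and compare the build path
with known SteamStealer paths. Added example, not code from the post; the two
KNOWN paths are the ones quoted above (the '?' characters are as shown on the
page), SAMPLE_PE and the '15ver' variant path are constructed for the demo."""
import re
import struct
import uuid

KNOWN_STEAMSTEALER_PDBS = [
    # 2018 sample
    r"D:\asd\php\steam_complex\New_steal\new_steal_no_proxy\14ver -original(pubg+??????????)\SteamStealer\obj\Release\vv.pdb",
    # 2014 sample
    r"d:\asd\????????_new\??#\add\SteamComplex\SteamStealer\?????????? ?????????? (18)\SteamStealer\obj\Release\vv.pdb",
]
# Build-tree components that every Visual Studio project has; matching on
# them would link unrelated binaries.
GENERIC_COMPONENTS = {"obj", "bin", "release", "debug", "x86", "x64", "anycpu"}

# CodeView 7.0 record: 'RSDS' + GUID(16) + age(4, LE) + NUL-terminated path.
_RSDS = re.compile(rb"RSDS(.{16})(.{4})([\x20-\x7e\x80-\xff]{1,512}?)\x00", re.DOTALL)
_DRIVE = re.compile(r"^[a-z]:$")


def extract_pdb_records(data: bytes) -> list:
    """Scan raw bytes for RSDS records. Scanning instead of walking the PE debug
    directory also finds records in overlays and packed stubs, at the cost of
    possible false positives, so only paths ending in .pdb are kept."""
    records = []
    for m in _RSDS.finditer(data):
        guid_raw, age_raw, path_raw = m.groups()
        path = path_raw.decode("utf-8", errors="replace")
        if not path.lower().endswith(".pdb"):
            continue
        records.append({
            "guid": str(uuid.UUID(bytes_le=guid_raw)),
            "age": struct.unpack("<I", age_raw)[0],
            "path": path,
        })
    return records


def path_components(path: str) -> set:
    """Lower-cased directory/file components, minus drive letters and generic names."""
    parts = {p.lower() for p in re.split(r"[\\/]+", path) if p}
    return {p for p in parts if not _DRIVE.match(p)} - GENERIC_COMPONENTS


def shared_markers(path: str, known=KNOWN_STEAMSTEALER_PDBS) -> list:
    """Components the path shares with any known SteamStealer build path, e.g.
    'asd', 'steamstealer' and 'vv.pdb' are what tie the 2018 sample to 2014."""
    mine = path_components(path)
    shared = set()
    for k in known:
        shared |= mine & path_components(k)
    return sorted(shared)


def link_to_family(data: bytes) -> list:
    return [{"path": r["path"], "markers": shared_markers(r["path"])}
            for r in extract_pdb_records(data)]


def _rsds(guid: str, age: int, path: str) -> bytes:
    return b"RSDS" + uuid.UUID(guid).bytes_le + struct.pack("<I", age) + path.encode() + b"\x00"


# Constructed file: a hypothetical later SteamStealer build ('15ver', not a
# real path) plus an unrelated record, to show one links and the other doesn't.
HYPOTHETICAL_VARIANT_PDB = r"D:\asd\php\steam_complex\New_steal\15ver\SteamStealer\obj\Release\vv.pdb"
SAMPLE_PE = (b"MZ" + b"\x90" * 64
             + _rsds("12345678-1234-5678-1234-567812345678", 1, HYPOTHETICAL_VARIANT_PDB)
             + b"\x00" * 32
             + _rsds("9b1deb4d-3b7d-4bad-9bdd-2b0d7b3dcb6d", 3, r"C:\build\legit\obj\Release\legit.pdb"))

if __name__ == "__main__":
    for rec in link_to_family(SAMPLE_PE):
        print(rec)
```

The GUID and age are what a symbol server keys on, so they also make a useful pivot: two builds with the same GUID are the same build, while the same path with a different GUID is the same project rebuilt.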

For preventing getting scammed or ending up with a SteamStealer on your machine, follow the prevention tips in this blog post.



Conclusion

SteamStealers are (again) alive and well. While a drop was observed at some point, the enormous number of scamming websites shows that the SteamStealer malware is back in business.

Github is also becoming more popular among cybercriminals - as it is often whitelisted in organisations, it offers yet another method of hosting malware.

As mentioned before, follow the prevention tips in my earlier blog post to stay safe.


Indicators


Wednesday, 4 May 2016

SteamStealer IP visualisations


Just for fun, I decided to visualise all SteamStealer IPs I've encountered so far. They host multiple fake screenshot websites, fake voice communication software, fake streaming websites, fake Steam websites and others. They may also act as C&C for the malware, or host fake gambling/lottery websites.

Additional information can be found in my earlier post:
Malware spreading via Steam chat

Additionally, be sure to read the paper I wrote with Santiago from Kaspersky about SteamStealers here: The evolution of malware targeting Steam accounts and inventory


Now for the fun part:

View SteamStealer IPs in a full screen map

Alternatively, check out the following map and stats:

Country                     Count
Russian Federation            163
United Kingdom                 19
Netherlands                    18
United States                  14
Germany                         9
Ukraine                         6
France                          6
Poland                          4
Romania                         1
Italy                           1
Czech Republic                  1
Canada                          1
Australia                       1
Belarus                         1
Belize                          1
Kazakhstan                      1
Virgin Islands, British         1
Spain                           1
Moldova, Republic of            1



As you can see, most of them are hosted in Russia, while the United Kingdom and the Netherlands rank second and third respectively.

Note: CloudFlare is increasingly used to 'hide' the real server IP address. CloudFlare IPs are not included.

That's about it, hope you enjoyed! Please find below tools used to create the mapping.


Resources

Geomapping:
Batchgeo
GIPC

Data:
SteamStealer IPs IOCs

Tuesday, 15 March 2016

All your creds are belong to us


I've blogged about Steam Stealers (malware that specifically targets gamers and users of Valve's platform) before (see 1, 2), but this blog post will be a bit different.

Working together with Santiago Pontiroli, Security Researcher at Kaspersky Lab Global Research and Analysis Team, we've written a paper on these infamous Steam Stealers.

Check out our blog post here or directly download the PDF from here.

Enjoy!

Tuesday, 19 January 2016

Chrome extension empties your Steam inventory


I recently got notified about the following topic (and post) on TeamFortress.tv:
Known scammer alt opening a gambling site

In there, you can see that a Steam user named Delta (Steam profile below) has created several 'helpful' Chrome extensions for Counter-Strike: Global Offensive (CS:GO).

A few examples:

'Read and change all your data on the websites you visit' (the permission these extensions request)

Other examples are:

CSGODouble Theme Changer
CS:GO Double Withdraw Helper
Csgodouble AutoGambling Bot
Improved CSGODouble

Instead of being able to change your CS:GO Double theme, the items in your inventory get stolen; instead of trading with person X or Y whom you trust, the items go to the scammer rather than to whoever you're trading with:
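The 'Read and change all your data on the websites you visit' warning is what Chrome shows when an extension asks for a broad host pattern (<all_urls>, *://*/*, http://*/* or https://*/*), which a theme changer for one site has no reason to need. As an added example (not the post's code, nor Chrome's), the following checks a manifest.json for that kind of over-reach: broad host patterns, reach into trading-related hosts that the extension's stated purpose doesn't require, and API permissions that let it rewrite trade requests or read session cookies. The two manifests are constructed and hypothetical, not those of the real extensions.

```python
"""Triage a Chrome extension manifest for over-broad access of the kind the
extensions above asked for. Added example, not code from the post or from
Chrome; MANIFEST and BENIGN are constructed, hypothetical manifests, not
those of the real extensions."""
import json
import re

# Any of these host patterns makes Chrome show 'Read and change all your data
# on the websites you visit' at install time.
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*", "file:///*"}
# API permissions an item-stealing extension would want: rewrite trade-offer
# requests, read session cookies, watch the clipboard or the tab list.
RISKY_API_PERMISSIONS = {"webRequest", "webRequestBlocking", "declarativeNetRequest",
                         "cookies", "clipboardRead", "tabs", "history", "nativeMessaging"}
_MATCH_PATTERN = re.compile(r"^(\*|https?|file|ftp)://([^/]*)(/.*)?$")

# What a CS:GO Double theme changer legitimately needs, and where a stolen
# inventory would actually be taken from.
NEEDED_DOMAINS = {"csgodouble.com"}
SENSITIVE_DOMAINS = {"steamcommunity.com", "store.steampowered.com", "csgodouble.com"}


def host_patterns(manifest: dict) -> list:
    """All host match patterns: MV2 'permissions', MV3 'host_permissions' and
    content_scripts[].matches (a content script sees the page's data too)."""
    pats = []
    for key in ("permissions", "host_permissions", "optional_permissions"):
        pats += [p for p in manifest.get(key, []) if p == "<all_urls>" or "://" in p]
    for cs in manifest.get("content_scripts", []):
        pats += cs.get("matches", [])
    return pats


def api_permissions(manifest: dict) -> set:
    perms = manifest.get("permissions", []) + manifest.get("optional_permissions", [])
    return {p for p in perms if p != "<all_urls>" and "://" not in p}


def pattern_host(pattern: str):
    """Host part of a match pattern ('*' for <all_urls>), or None if malformed."""
    if pattern == "<all_urls>":
        return "*"
    m = _MATCH_PATTERN.match(pattern)
    return m.group(2) if m else None


def host_covered(host_pattern: str, domain: str) -> bool:
    """Does a pattern host ('*', '*.example.com', 'example.com') cover domain?"""
    if host_pattern == "*":
        return True
    if host_pattern.startswith("*."):
        return domain == host_pattern[2:] or domain.endswith(host_pattern[1:])
    return domain == host_pattern


def triage(manifest: dict, needed=NEEDED_DOMAINS, sensitive=SENSITIVE_DOMAINS) -> dict:
    pats = host_patterns(manifest)
    broad = [p for p in pats if p in BROAD_HOST_PATTERNS or pattern_host(p) == "*"]
    reaches = sorted(d for d in sensitive
                     if any(host_covered(pattern_host(p) or "", d) for p in pats))
    beyond_purpose = [d for d in reaches if d not in needed]
    risky = sorted(api_permissions(manifest) & RISKY_API_PERMISSIONS)
    return {
        "name": manifest.get("name"),
        "broad_host_patterns": broad,
        "reaches_sensitive": reaches,
        "beyond_purpose": beyond_purpose,
        "risky_api_permissions": risky,
        "verdict": "suspicious" if (broad or beyond_purpose or risky) else "ok",
    }


# Constructed manifests. The first looks like the listings above: a 'theme
# changer' that wants every site plus request interception and cookies.
MANIFEST = json.loads("""{
  "manifest_version": 2,
  "name": "Hypothetical CSGODouble Theme Changer",
  "version": "1.2",
  "permissions": ["http://*/*", "https://*/*", "webRequest", "webRequestBlocking", "cookies", "storage"],
  "background": {"scripts": ["bg.js"]},
  "content_scripts": [{"matches": ["*://csgodouble.com/*", "*://steamcommunity.com/tradeoffer/*"],
                       "js": ["inject.js"]}]
}""")
BENIGN = json.loads("""{
  "manifest_version": 2,
  "name": "Hypothetical honest theme changer",
  "version": "1.0",
  "permissions": ["storage"],
  "content_scripts": [{"matches": ["*://csgodouble.com/*"], "js": ["theme.js"]}]
}""")

if __name__ == "__main__":
    for m in (MANIFEST, BENIGN):
        print(triage(m))
```

To check an installed extension, unpack it (or open its folder under the Chrome profile's Extensions directory) and feed the manifest.json to `triage()`; the content scripts' `matches` matter as much as the permission list, since a script injected into steamcommunity.com can alter a trade offer without any extra permission.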





All the addons he made can be found here. You can report them to Google as well by clicking 'Report Abuse' > 'Malware'. Note: some of them are still in the store despite several reports.

Update (20/01): all mentioned extensions are now removed from the Chrome Web Store.



76561198254328724 is the Steam ID of the scammer, who is currently on trade probation, which means they recently had a trade ban removed.

Update (20/01): 'Delta' is now trade banned (again):

You can find his Steam profile here and his SteamRep profile here. (SteamRep is "a non-profit site that partners with community administrators to improve the safety of game-related trading.")





Disinfection

As opposed to actual SteamStealers, this one is pretty easy to disinfect or remove, as you can simply remove the extension(s) from Chrome:

In this example:

You may read more about installing, managing and removing extensions here. If you're having problems removing one of the extensions, you can also try resetting your Chrome browser.



Prevention


Does it look suspicious? Does it sound too good to be true? Don't install it!

For more prevention tips on securing your Steam account, see my earlier post about SteamStealers here.

Steam also has a FAQ set up in regards to: Spyware, Malware, Adware, or Virus Interfering with Steam



Conclusion

SteamStealers are (unfortunately) nothing new. Criminals are getting craftier and better in attempting to steal items or account credentials (along with other credentials) from unsuspecting users.

As opposed to actual malware or SteamStealers being loaded onto your machine, this time it's a browser extension - so be wary of anything that looks too good to be true and think twice before you install anything (whether that's an extension, a 'screensaver' or images that look like you ;) ).

Follow the prevention tips above to stay safe. For any questions or feedback, don't hesitate to comment.


Sunday, 16 November 2014

Malware spreading via Steam chat

If you're only interested in how to remove this malware from your machine, or in other tips and prevention advice, click here. In case you have questions, issues or doubts, feel free to leave a comment and I'll be happy to help or answer any questions you may have. (You may have to click 'Load more...' or 'Loading...' to view all comments.)


Today a Tumblr post was brought to my attention - apparently there's malware doing the rounds that makes use of Steam chat, (adding Steam friends and) spamming Steam users.

Example message:
"karpathos" sending a bit.ly link (Image source)

Onyx is right, the link is indeed phishy and uses bit.ly (a URL shortener) to trick users into clicking it. Remember the worm that spread via Skype and Messenger last year? (references here and here) This is a similar campaign.



Setup

Someone adds you on Steam, you accept, and immediately a chat similar to the one above pops up.

Alternatively, someone on your friends list has already been infected and is now sending the same message to all of his/her friends.

The bit.ly link actually refers to a page on Google Drive, which immediately downloads a file called IMG_211102014_17274511.scr - a screensaver file, which is in fact an executable.
The file is shared by someone named "qwrth gqhe". Looks legit.

Note that normally the Google Drive viewer would be shown, allowing you to download the .scr file. In this case, the string "&confirm=no_antivirus" is appended to the link, which makes the file prompt immediately, asking what to do: Run or Save (and in some cases download automatically).

At time of writing, the file is actually still being hosted by Google Drive. I have reported it however.
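Both this lure and the GitHub-hosted one from the January 2018 post above share a shape a proxy log can catch: a link that looks like an image (or a bit.ly shortener) redirects to a .scr on a file-hosting site, and here the Drive link additionally carries confirm=no_antivirus to skip the viewer. The following is an added example, not code from the post, that runs those checks over constructed log lines; the line format, client IPs, bit.ly path and Drive file id are made up, while the host and file names are the ones quoted in the posts (written undefanged so they parse).

```python
"""Detection for the two download lures in these posts, run over constructed
proxy log lines. Added example, not code from the post; LOG_LINES, the line
format, client IPs, the bit.ly path and the Drive file id are made up, the
host and file names are the ones quoted in the posts (undefanged so they parse)."""
import re
from urllib.parse import parse_qs, urlsplit

EXEC_EXT = {".scr", ".exe", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".hta", ".jar", ".msi"}
DECOY_EXT = {".jpg", ".jpeg", ".png", ".gif", ".bmp", ".pdf", ".doc", ".docx"}
SHORTENERS = {"bit.ly", "goo.gl", "t.co", "tinyurl.com"}
FILE_HOSTS = {"raw.githubusercontent.com", "gist.githubusercontent.com",
              "drive.google.com", "docs.google.com"}
DRIVE_HOSTS = {"drive.google.com", "docs.google.com"}

# Constructed line format: <iso_ts> <client> <method> <url> <status> <location or ->
_LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+)$")


def parse_line(line: str):
    m = _LINE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, status, loc = m.groups()
    return {"ts": ts, "client": client, "method": method, "url": url,
            "status": int(status), "location": None if loc == "-" else loc}


def host_of(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def ext_of(url: str) -> str:
    """Extension of the last path segment ('' if none); query string ignored."""
    last = urlsplit(url).path.rsplit("/", 1)[-1].lower()
    return last[last.rfind("."):] if "." in last else ""


def findings_for(rec: dict) -> list:
    url, loc, status = rec["url"], rec["location"], rec["status"]
    out = []
    if loc and 300 <= status < 400:
        # image293.jpg -> image293.scr: the decoy name is the whole trick
        if ext_of(url) in DECOY_EXT and ext_of(loc) in EXEC_EXT:
            out.append(f"decoy {ext_of(url)} URL redirects to executable {ext_of(loc)}")
        # bit.ly -> Google Drive / raw GitHub: shortener hiding a file host
        if host_of(url) in SHORTENERS and host_of(loc) in FILE_HOSTS:
            out.append(f"shortener {host_of(url)} resolves to file host {host_of(loc)}")
    query = parse_qs(urlsplit(url).query)
    if host_of(url) in DRIVE_HOSTS and query.get("confirm") == ["no_antivirus"]:
        out.append("Google Drive download with confirm=no_antivirus (skips the viewer/scan prompt)")
    if status == 200 and host_of(url) in FILE_HOSTS and ext_of(url) in EXEC_EXT:
        out.append(f"executable {ext_of(url)} fetched from {host_of(url)}")
    return out


def scan(lines) -> list:
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for reason in findings_for(rec):
            alerts.append({"client": rec["client"], "url": rec["url"], "reason": reason})
    return alerts


# Constructed log: the 2018 GitHub lure, then the 2014 Steam chat lure, then noise.
LOG_LINES = [
    "2018-01-23T10:01:02Z 10.0.0.5 GET http://screenpicture.pro/image293.jpg 302 https://raw.githubusercontent.com/Hamlo22888/Sur/master/image293.scr",
    "2018-01-23T10:01:03Z 10.0.0.5 GET https://raw.githubusercontent.com/Hamlo22888/Sur/master/image293.scr 200 -",
    "2014-11-16T12:00:00Z 10.0.0.7 GET http://bit.ly/placeholder 301 https://drive.google.com/uc?export=download&id=PLACEHOLDER&confirm=no_antivirus",
    "2014-11-16T12:00:01Z 10.0.0.7 GET https://drive.google.com/uc?export=download&id=PLACEHOLDER&confirm=no_antivirus 200 -",
    "2014-11-16T12:05:00Z 10.0.0.8 GET https://www.example.com/photo.jpg 200 -",
    "2014-11-16T12:06:00Z 10.0.0.8 GET https://goo.gl/placeholder 301 https://maps.google.com/",
]

if __name__ == "__main__":
    for alert in scan(LOG_LINES):
        print(alert)
```

The redirect rules only fire on 3xx responses that carry a Location, so a shortener resolving to a news site produces nothing; the Drive rule fires on the URL alone, since the confirm parameter is the lure's own fingerprint regardless of where the link came from.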

Afterwards, you're presented with the screensaver file, which has the following icon:
Image of IMG_211102014_17274511.scr file

Opening the file will result in installing malware on your system, which will steal your Steam credentials.



Technical details

IMG_211102014_17274511.scr

Original Filename: wrrrrrrrrrrrr.exe

Type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit Mono/.Net assembly
SHA1: 7d0575a883fed7a460b49821c7d81897ae515d43
VirusTotal: link


Connects to:
185.36.100.181


Server in Czech Republic. VirusTotal reference

Downloads and executes:
temp.exe

Type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit Mono/.Net assembly

SHA1: cd9b3bf5c8d70e833b5c580c9b2fc1f3e5e4341e
VirusTotal: link




Interesting information in the debug path - note the "steamstealer" string.

Remediation

What if you clicked the link and executed the file? Follow these steps:


  • Exit Steam immediately
  • Open up Task Manager (CTRL + SHIFT + ESC) and find and end a process called temp.exe, wrrrrrrrrrrrr.exe or vv.exe, a process with a random name (for example 340943.exe), or a process named similarly to the file you executed
  • Launch a scan with your installed antivirus
  • Launch a scan with another, online antivirus or install & scan with Malwarebytes
  • When the malware has been disinfected or deleted, change your Steam password - if you use the same password for other sites, change those as well
  • De-authorize any unknown machines, read how to do that here:
    Family Library Sharing User Guide
  • Verify none of your Steam items are missing - if so, it is advised to reinstall Steam as well.
    Note: move the Steamapps folder (default on C:\Program Files\Steam\Steamapps) outside of the Steam directory to prevent your games from being deleted
  • Contact Steam/Valve in order to get your items back:
    Send a ticket to Steam support




Prevention
  • Be wary when someone new or with Level 0 adds you on Steam and immediately starts sending links
  • In fact, don't click on links someone unknown sends to you
  • If you receive a link which is a URL shortener (bit.ly or goo.gl for example), you can use GetLinkInfo to see the real URL
  • If you did click the link, don't open or execute anything else - just close the webpage (if any) or cancel the download
  • By default, file extensions are not shown. Enable 'Show file extensions' to see the real file type. Read how to do that here
  • Install WOT - WOT is a community-based tool and is therefore very useful against those fake screenshot websites, as other users can warn you about their validity.
  • Follow the tips by Steam itself to further protect your account:
    Account Security Recommendations
  • If you trade a lot or want to check if a Steam account has a bad reputation, you can use SteamRep:
    https://steamrep.com/
  • SteamRep has also set up a Safe Trading Practices guide.
  • Consider setting up the Steam Guard Mobile Authenticator (2FA).
  • There's a useful guide in preventing scams on this Reddit link as well.
  • For sysadmins/network administrators, I have created an IOC on AlienVault OTX with all known (to me at least) SteamStealer IPs.




Conclusion

Never click on unknown links, especially when a URL shortener service like bit.ly is used (others are for example t.co, goo.gl, tinyurl, etc.).
Don't be fooled by known icons or "legit" file descriptions; these can easily be altered.

Even if you clicked the link and weren't suspicious, you should be when a file is downloaded and it's (in this case) a screensaver file.

For checking what is really behind a short URL, you can use:

For checking whether a file is malicious or not:

Follow the prevention tips above to stay safe and protect yourself from the SteamStealer malware.