During the last few months, McAfee Labs has seen an increase in Steamstealer samples. The following chart shows the recent trend:
Steamstealer is a Trojan that remotely steals a victim’s sensitive information. This malware needs Microsoft .Net framework to be installed on the victim’s machine and spreads via spam messages that come through the Steam community–where users play and download the games, software, etc. Users of this community need to create an account to get access to these services. Whenever a user tries to log in to a steam account, the system sends a one-time password to the registered ID to log in to the account. The following snapshot shows an example:
The malware is propagated via Steam chat. Once a user logs into the account, the attacker sends unsuspected victims malicious links. Sometimes the attacker uses the Steam marketplace to offer “deals” at very low prices to lure victims into installing an innocuous screensaver or games that are actually a threat. The malicious executable may have one of the following names:
Steamstealer usually copies itself into the administrator’s application data folder:
- C:\Documents and Settings\Administrator\Application Data\steamwebhelper2\steamwebhelper.exe
This malware is highly obfuscated with Confuser, an open-source app. Confuser is a popular free product that obfuscates files to make them difficult to reverse engineer. If we load the obfuscated file in IDA, we see the following error:
Steamstealer uses several icons:
Some of the Steamstealer’s main functions are shown below:
- Steamworker is the name of the class with the object that collects the information of the victim’s machine, including cookies, friends, etc.
- addOffer is the function the attacker uses to ask the victim to add in the list, which can be used later:
addOffer(“765611981401****2”, ”179905**4”, ”3dnc**Nb”)
The first parameter, “765611981401****2,” is the profile ID of the user “steamcommunity.com/765611981401****2.” The second parameter, “179905**4,” is used as the trade offer ID “steamcommunity.com/179905**4.” The third parameter is the Token ID such as “steamcommunity.com/179905**4&token=3dnc**Nb.”
- ParseSteamCookies allows the attacker to steal the session cookies of the Steam user.
- addItemstoSteal defines the items and information to steal from the victim’s machine.
- SendItems sends the stolen information from the victim’s account to the attacker’s account.
- sendMessageToFriends sends the message to the stolen ID.
Stealing the data
The malware first compresses the stolen data into the zip format:
It next grabs the victim’s machine name, username, and IP address, by sending a web request to icanhazip.com (the data can be used for future spamming). The malware sends this data to the attacker’s email ID:
The attacker sends links that appear harmless to the victim but actually downloads the malware. The attacker sends a Google document that looks legitimate but contains an executable.
The attacker also collects information about user login data from various browser files:
- OldOperaPathX64=”%Appdata%\\Opera\\Opera x64\\wand.dat”;
- ChromePath=”%LocalAppdata%\\Google\\Chrome\\User Data\\Default\\Login Data”
- YandexPath=”%LocalAppData%\\Yandex\\Yandex Browser\\User Data\\Defaul\\LoginData”
A snapshot of the attacker’s credentials:
Stolen data from the victim’s machine:
McAfee products detect this threat as PWS-FCAA! and PWS-FBYZ!
I would like to thank my colleague Rakesh Sharma for his help with this analysis.