Wednesday, January 24, 2018

Quickpost: SteamStealers via Github


Back in 2014, I created a blog post named 'Malware spreading via Steam chat', where I analysed and discussed one of the first 'SteamStealers' - malware that exclusively targets gamers, or at least those who use Steam.

You can read that blog post here. Another SteamStealer technique was via a Chrome extension, and there are many others reported as well - if you fancy a read, check out a blog post and paper I co-authored with Santiago here.

This blog is meant as a quick post and heads-up, as some cybercriminals who use SteamStealers are now also resorting to Github for hosting. I was notified of this by Malwarehunterteam on Twitter:




In this example, Evrial uses Github to copy/steal clipboard contents and replace Steam trade offer links. Note that Evrial is a full-blown infostealer.


Another recent example, given to me by advicebanana, is a SteamStealer for the sole purpose of stealing your Steam credentials. In this specific case, the malware was redirected from:
http://screenpicture[.]pro/image293[.]jpg to the following page or Gist, hosted on Github:
https://raw.githubusercontent[.]com/Hamlo22888/Sur/master/image293[.]scr

While the gist is already offline at the time of posting, it is possible that some Steam users were tricked into downloading and executing the file.
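As an added example (not the author's code), here is a small Python check a defender could run over proxy logs to catch the pattern described above: an image-looking URL that redirects to an executable hosted on a commonly allowlisted host such as raw.githubusercontent.com. The log line format and the set of allowlisted hosts are assumptions; the sample lines are constructed from the defanged URLs in this post.

```python
import re
from urllib.parse import urlsplit

# Extensions that Windows will execute on double-click (screensavers included)
EXEC_EXT = {".scr", ".exe", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".jar", ".msi", ".hta", ".ps1"}
IMAGE_EXT = {".jpg", ".jpeg", ".png", ".gif", ".bmp"}
# Assumed: hosts typically allowed through corporate proxies yet usable as free file hosting
ALLOWLISTED_FILE_HOSTS = {"raw.githubusercontent.com", "gist.githubusercontent.com", "github.com"}

# Assumed proxy log format: client method url status location=<Location header or '-'>
LOG_RE = re.compile(r"^(?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3}) location=(?P<location>\S+)$")

# Constructed sample log lines built from the defanged URLs quoted in the post
SAMPLE_LOG = """\
10.0.0.5 GET http://screenpicture[.]pro/image293[.]jpg 302 location=https://raw.githubusercontent[.]com/Hamlo22888/Sur/master/image293[.]scr
10.0.0.5 GET https://raw.githubusercontent[.]com/Hamlo22888/Sur/master/image293[.]scr 200 location=-
10.0.0.7 GET https://raw.githubusercontent.com/someorg/tool/master/README.md 200 location=-
10.0.0.9 GET http://cdn.example.net/pic.png 301 location=https://cdn.example.net/pic.png
"""

def refang(url):
    """Turn a defanged indicator (hxxp, [.]) back into a parseable URL."""
    return url.replace("[.]", ".").replace("hxxp", "http")

def extension(url):
    """Lower-cased file extension of the URL path, or '' if there is none."""
    path = urlsplit(url).path.lower()
    dot = path.rfind(".")
    return path[dot:] if dot != -1 and "/" not in path[dot:] else ""

def analyse(log_text):
    """Return a list of findings, one per suspicious log line, with the reasons it matched."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url, loc = refang(m["url"]), refang(m["location"])
        host = urlsplit(url).hostname or ""
        reasons = []
        if m["status"].startswith("3") and loc != "-":
            if extension(url) in IMAGE_EXT and extension(loc) in EXEC_EXT:
                reasons.append("image URL redirects to executable")
            if (urlsplit(loc).hostname or "") in ALLOWLISTED_FILE_HOSTS and extension(loc) in EXEC_EXT:
                reasons.append("redirect to executable on allowlisted file host")
        if host in ALLOWLISTED_FILE_HOSTS and extension(url) in EXEC_EXT:
            reasons.append("executable fetched from allowlisted file host")
        if reasons:
            findings.append({"client": m["client"], "url": url, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f["client"], f["url"], "->", "; ".join(f["reasons"]))
```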

It is interesting to note that the debug (PDB) path in this specific sample is:
D:\asd\php\steam_complex\New_steal\new_steal_no_proxy\14ver -original(pubg+??????????)\SteamStealer\obj\Release\vv.pdb
While in my original blog post, from 2014, it was as follows:

d:\asd\????????_new\??#\add\SteamComplex\SteamStealer\?????????? ?????????? (18)\SteamStealer\obj\Release\vv.pdb

It appears the original SteamStealer developer is still going strong.

To avoid getting scammed or ending up with a SteamStealer on your machine, follow the prevention tips in this blog post.



Conclusion

SteamStealers are (again) alive and well. While a drop was observed at some point, due to the enormous number of scamming websites, it appears the SteamStealer malware is back in business.

Github is also becoming more popular among cybercriminals: often whitelisted in organisations, it offers yet another method of hosting malware.

As mentioned before, follow the prevention tips in my earlier blog post to stay safe.


Indicators