Saturday, December 6, 2014

Moar Steamed Phish

I got another Steam phishing message from our same friend. See my last blog post HERE for more details.

Anyhow, the first thing I noticed is that the account changed its name from Rainstone to [unassigned], and the message is a bit different this time:

Same well-done Steam profiles as before:


And the same vector to steal credentials: the Add Friend button, which requires you to "Sign In":


Before we jump to the malware -- let's check out this domain (steamcommununilty.com) real quick. If you remember from the last blog, this domain was in the list of domains registered with the jimmy_young@mail.ru e-mail address. I checked to see if he had added any more, but it is still the same list of 21 domains from the last time we checked:
1.  csgo-lounqe.com
2.  lsteamcommunity.com
3.  steamcommunlirty.com <-- This was used in the last blog post
4.  steamcommunrilty.com
5.  steamcommunrlity.com
6.  steamcommunuilty.com
7.  steamcommunulty.com
8.  steamcommununilty.com <-- This is the new one
9.  steamcommunylty.com
10.  steamcommurnlity.com
11.  steamcommynility.com
12.  steamcommynilty.com
13.  steamcomrniunity.com
14.  steamcomynility.com
15.  steamcomynlity.com
16.  steamcornmiunity.com
17.  steammcommunility.com
18.  steamommunlity.com
19.  steamscommunility.com
20.  steamscommunilty.com
21.  steamscommunlity.com

Ol' Ivan is keeping plenty busy! Now let's get back to the malware, which is the reason for this new post.
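A quick way to triage a registrant's domain list for lookalikes, as an added example that is not from the original post: compare each registrable label against the brands being impersonated using an edit distance, after collapsing common font confusables such as "rn" for "m" (which is exactly what steamcornmiunity.com relies on). The csgolounge.com target and the 30% distance ratio are my assumptions, chosen so the one non-Steam domain in the list is covered too; the 21 domains are the ones listed above.

```python
# Added example (not from the original post): flag registered domains that are
# edit-distance or confusable-character lookalikes of impersonated brands.
# The domain list is the one from the post; the csgolounge.com target and the
# threshold ratio are assumptions for illustration.

# The 21 domains registered under jimmy_young@mail.ru, as listed in the post.
DOMAINS = [
    "csgo-lounqe.com", "lsteamcommunity.com", "steamcommunlirty.com",
    "steamcommunrilty.com", "steamcommunrlity.com", "steamcommunuilty.com",
    "steamcommunulty.com", "steamcommununilty.com", "steamcommunylty.com",
    "steamcommurnlity.com", "steamcommynility.com", "steamcommynilty.com",
    "steamcomrniunity.com", "steamcomynility.com", "steamcomynlity.com",
    "steamcornmiunity.com", "steammcommunility.com", "steamommunlity.com",
    "steamscommunility.com", "steamscommunilty.com", "steamscommunlity.com",
]

# Brands to compare against. csgolounge.com is an assumed second target so the
# single non-Steam domain in the list is also classified.
TARGETS = ["steamcommunity.com", "csgolounge.com"]

# Character sequences that render like another character in common sans-serif
# fonts. Collapsing them before measuring distance catches "rn" for "m", which a
# plain edit distance would score as three edits instead of one.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l")]


def registrable_label(domain: str) -> str:
    """Second-level label: 'steamcommunity' for 'steamcommunity.com'.
    (Does not handle multi-part public suffixes such as .co.uk.)"""
    return domain.lower().rstrip(".").split(".")[-2]


def normalize(label: str) -> str:
    """Collapse visually confusable sequences to the character they imitate."""
    for seq, repl in CONFUSABLES:
        label = label.replace(seq, repl)
    return label


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain, targets=TARGETS, max_ratio=0.3):
    """Return (closest target, distance) if the domain is a lookalike, else None.
    A distance of 0 is the brand itself, so it is never reported as a lookalike.
    max_ratio is a tuning knob: distance relative to the longer label."""
    label = normalize(registrable_label(domain))
    best = None
    for target in targets:
        tlabel = normalize(registrable_label(target))
        d = levenshtein(label, tlabel)
        if best is None or d < best[1]:
            best = (target, d, max(len(label), len(tlabel)))
    target, d, longest = best
    if 0 < d and d / longest <= max_ratio:
        return (target, d)
    return None


def flag_lookalikes(domains, targets=TARGETS, max_ratio=0.3):
    """Map every lookalike domain to (target, distance)."""
    hits = {}
    for domain in domains:
        match = classify(domain, targets, max_ratio)
        if match:
            hits[domain] = match
    return hits


if __name__ == "__main__":
    for domain, (target, d) in sorted(flag_lookalikes(DOMAINS).items(),
                                      key=lambda kv: (kv[1][0], kv[1][1])):
        print(f"{domain:24} -> {target:20} distance {d}")
```

The normalization step is what makes the two "rn" domains (steamcomrniunity.com, steamcornmiunity.com) score as a single edit from steamcommunity.com; without it they sit at three edits, the same as the most heavily mangled typos in the list. Feed a fresh WHOIS reverse lookup into flag_lookalikes and anything that comes back is worth a closer look.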

The first thing I noticed was they used a new icon in the download prompt:

So they went from the really good looking logo to one that looks more like ass. Oh well.

Here are the file details:
File:     SteamGuard.exe
Size:     229376
MD5:      D18C0C6E73DB25C8D29EF7DF0EE71AB1
Compiled: Sat, Dec 6 2014, 10:10:22  - 32 Bit .NET EXE
Version:  4.4.9.4

PEiD: Microsoft Visual C# / Basic .NET
DNiD: SmartAssembly v6.X -> RedGate

Redgate's SmartAssembly is a .NET obfuscator: http://www.red-gate.com/products/dotnet-development/smartassembly/

Lastly, let's check the compile date:
TimeDateStamp: 0x5482D60E (Sat Dec 06 05:10:22 2014)
Pretty new! (This is the same 0x5482D60E stamp as the 10:10:22 in the file details above; that one is UTC, this one is rendered in UTC-5 local time.)
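The compile stamp and the "32 Bit .NET" determination both come straight out of the PE headers. As an added example that is not from the original post, the following pure-Python parser pulls them from any PE file: e_lfanew, the COFF header (Machine, TimeDateStamp), the optional header magic (PE32 vs PE32+) and data directory 14, the CLR runtime header, which is non-zero only for .NET images. The bytes it runs on by default are a minimal PE32 header constructed inline with the 0x5482D60E stamp, not bytes from SteamGuard.exe. One caveat a practitioner should keep in mind: the stamp is whatever the linker wrote, so it is evidence of build time, not proof.

```python
# Added example (not from the original post): minimal PE header triage in pure
# Python. The sample header is constructed below; it is not SteamGuard.exe.
import struct
from datetime import datetime, timezone

MACHINES = {0x14C: "x86", 0x8664: "x64", 0x1C0: "ARM", 0xAA64: "ARM64"}
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
CLR_RUNTIME_HEADER = 14   # data-directory slot used by the .NET CLR header
IMAGE_FILE_DLL = 0x2000   # Characteristics flag


def pe_info(data: bytes) -> dict:
    """Parse the DOS, COFF and optional headers and report the triage basics."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    # COFF file header: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, n_sections, stamp, _, _, _, characteristics = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_MAGIC:
        fmt, n_rva_off, dirs_off = "PE32", 92, 96
    elif magic == PE32PLUS_MAGIC:
        fmt, n_rva_off, dirs_off = "PE32+", 108, 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    n_rva = struct.unpack_from("<I", data, opt + n_rva_off)[0]
    clr_rva = clr_size = 0
    if n_rva > CLR_RUNTIME_HEADER:   # directory table may be truncated
        clr_rva, clr_size = struct.unpack_from(
            "<II", data, opt + dirs_off + 8 * CLR_RUNTIME_HEADER)
    return {
        "machine": MACHINES.get(machine, f"{machine:#x}"),
        "format": fmt,
        "sections": n_sections,
        "timestamp": stamp,
        # Caveat: the stamp is linker-written and attacker-controllable.
        "compiled_utc": datetime.fromtimestamp(stamp, tz=timezone.utc)
                                .strftime("%a %b %d %H:%M:%S %Y UTC"),
        "is_dotnet": clr_rva != 0 and clr_size != 0,
        "is_dll": bool(characteristics & IMAGE_FILE_DLL),
    }


def build_sample_pe(stamp: int, clr_rva: int) -> bytes:
    """Constructed minimal PE32 header (no section table) for a stand-alone demo.
    Characteristics 0x0102 = EXECUTABLE_IMAGE | 32BIT_MACHINE."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 3, stamp, 0, 0, 0xE0, 0x0102)
    # Magic, 90 bytes of zeroed standard/Windows fields, NumberOfRvaAndSizes = 16
    opt = struct.pack("<H", PE32_MAGIC) + b"\0" * 90 + struct.pack("<I", 16)
    dirs = bytearray(16 * 8)
    struct.pack_into("<II", dirs, 8 * CLR_RUNTIME_HEADER, clr_rva,
                     0x48 if clr_rva else 0)
    return dos + b"PE\0\0" + coff + opt + bytes(dirs)


if __name__ == "__main__":
    # Same stamp as the post (0x5482D60E); CLR header RVA is an arbitrary non-zero value.
    for key, value in pe_info(build_sample_pe(0x5482D60E, 0x2008)).items():
        print(f"{key:13} {value}")
```

On a real sample, `pe_info(open("SteamGuard.exe", "rb").read())` gives the same dictionary. Note that the function only reads the headers; it does not validate sections, so a deliberately malformed file can still raise a struct error, which is itself a finding worth noting.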

They are still hosting this malware using their Google Docs account. You can download a copy yourself at (defanged):
h00ps://doc-00-00-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/ojhnvu9ri857rdn0pnab5sg5nc8goshf/1417896000000/16555159379224722330/*/0B1uigRk0KLRZc21rOUpRMFBKNms?e=download 

If it disappears in the meantime and you would like a copy, tweet at me @JC_SoCal and I will get you one.

Nothing on VirusTotal for that hash as I write this (I'll upload it once I'm done).

Using Marc Ochsenmeier's tool PEStudio, I checked the exe. The version info is COMPLETELY different from the previous malware they were hosting:


Since it's .NET and obfuscated, I used de4dot to strip the SmartAssembly obfuscation, after which the code reads easily in ILSpy. And with that... I am out of time. The rest of the analysis will have to continue later.
