Monday, December 1, 2014

Steam Phish and Broken Malware

When I have free time, I like to try and add to this blog. I also like to play some online games. Lucky for me, I get to do both. Most of my games are on Steam, and to be honest it makes my life easier when I want to play with friends. It would appear that Steam makes malware distribution easier as well! Take for instance this phishing message I received through the Steam chat system:


To the average young player this looks fairly legit. A few things caught my eye, and I'll admit, the first of them was how they insisted I could use any browser. Who would care? Then I noticed the malformed domain: steamcommunlirty.com ... nice. The page actually had a well done Steam user profile:


When you tried to click Add Friend, it brought you to a login page, which is pretty normal, especially for me: most users are only logged into the Steam application and not the actual website.


So they are obviously harvesting usernames and passwords, which should be enough for offloading expensive in-game items like gun skins for Counter-Strike ... BUT WAIT! There's more!


This is a somewhat familiar message box, where Steam will actually require a code sent to your e-mail address on file in order to continue the login. However, it has been changed from requiring a code to downloading SteamGuard.exe. How thoughtful.

Before we jump into the malware, let's take a look at the registrar information on this domain:

Domain name: steamcommunlirty.com
Domain idn name: steamcommunlirty.com
Status: clientTransferProhibited
Registry Domain ID:
Registrar WHOIS Server: whois.reg.ru
Registrar URL: https://www.reg.com/
Registrar URL: https://www.reg.ru/
Registrar URL: https://www.reg.ua/
Updated Date: 2014-11-29
Creation Date: 2014-11-29T12:24:10Z
Registrar Registration Expiration Date: 2015-11-29
Registrar: Domain names registrar REG.RU LLC
Registrar IANA ID: 1606
Registrar Abuse Contact Email: 
Registrar Abuse Contact Phone: +7.4955801111
Registry Registrant ID:
Registrant Name: Ivan Ivanov
Registrant Organization: Private Person
Registrant Street: Koshil 23
Registrant City: Horts
Registrant State/Province: Tehas
Registrant Postal Code: 123170
Registrant Country: RU
Registrant Phone: +38021312312
Registrant Phone Ext:
Registrant Fax: 
Registrant Fax Ext:
Registrant Email: jimmy_young@mail.ru
Registry Admin ID:
Admin Name: Ivan Ivanov
Admin Organization: Private Person
Admin Street: Koshil 23
Admin City: Horts
Admin State/Province: Tehas
Admin Postal Code: 123170
Admin Country: RU
Admin Phone: +38021312312
Admin Phone Ext:
Admin Fax: 
Admin Fax Ext:
Admin Email: jimmy_young@mail.ru
Registry Tech ID:
Tech Name: Ivan Ivanov
Tech Organization: Private Person
Tech Street: Koshil 23
Tech City: Horts
Tech State/Province: Tehas
Tech Postal Code: 123170
Tech Country: RU
Tech Phone: +38021312312
Tech Phone Ext:
Tech Fax: 
Tech Fax Ext:
Tech Email: jimmy_young@mail.ru
Name Server: ns1.sellexpo.net 
Name Server: ns2.sellexpo.net 
DNSSEC: Unsigned

According to DomainTools.com, this domain is registered to Mr. Ivan Ivanov in Russia. Ivan Ivanov is the Russian equivalent of John Smith, so I'll venture a guess that this is a fake name. Also, according to whoismind.com, our friend Ivanov has a few other domains:
1.  csgo-lounqe.com
2.  lsteamcommunity.com
3.  steamcommunlirty.com << Here's ours!
4.  steamcommunrilty.com
5.  steamcommunrlity.com
6.  steamcommunuilty.com
7.  steamcommunulty.com
8.  steamcommununilty.com
9.  steamcommunylty.com
10.  steamcommurnlity.com
11.  steamcommynility.com
12.  steamcommynilty.com
13.  steamcomrniunity.com
14.  steamcomynility.com
15.  steamcomynlity.com
16.  steamcornmiunity.com
17.  steammcommunility.com
18.  steamommunlity.com
19.  steamscommunility.com
20.  steamscommunilty.com
21.  steamscommunlity.com

These all appear to have been registered within the last month (November), so this should be a pretty active campaign.
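Two of the checks done by hand above can be scripted for a defender's domain watchlist: scoring a batch of domains against the brand they imitate, and pulling the creation date and registrant contact out of a WHOIS record to spot a freshly registered domain. The following is an added example, not code from the original post. Its inputs are the domain list and (an excerpt of) the WHOIS record quoted above; the edit-distance cut-off of 4, the 30-day "newly registered" cut-off and the small confusable-character table are my assumptions, not anything the post states.

```python
"""Look-alike domain scoring and WHOIS age check (added example)."""
import re
from datetime import datetime, timezone, timedelta

BRAND = "steamcommunity.com"

# Domains the post attributes to the same registrant (taken from the post).
SUSPECT_DOMAINS = [
    "csgo-lounqe.com", "lsteamcommunity.com", "steamcommunlirty.com",
    "steamcommunrilty.com", "steamcommunrlity.com", "steamcommunuilty.com",
    "steamcommunulty.com", "steamcommununilty.com", "steamcommunylty.com",
    "steamcommurnlity.com", "steamcommynility.com", "steamcommynilty.com",
    "steamcomrniunity.com", "steamcomynility.com", "steamcomynlity.com",
    "steamcornmiunity.com", "steammcommunility.com", "steamommunlity.com",
    "steamscommunility.com", "steamscommunilty.com", "steamscommunlity.com",
]

# Excerpt of the WHOIS record quoted in the post (only the fields parsed here).
WHOIS_TEXT = """Domain name: steamcommunlirty.com
Creation Date: 2014-11-29T12:24:10Z
Registrar Registration Expiration Date: 2015-11-29
Registrant Name: Ivan Ivanov
Registrant Email: jimmy_young@mail.ru
Name Server: ns1.sellexpo.net
"""

# Letter sequences that render alike in common fonts (assumed table, not from the post).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d")]


def normalize(domain):
    """Lower-case and collapse confusable sequences so 'cornm' scores like 'comm'."""
    d = domain.lower()
    for seq, repl in CONFUSABLES:
        d = d.replace(seq, repl)
    return d


def levenshtein(a, b):
    """Edit distance (insert / delete / substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def lookalike_scores(domains, brand=BRAND):
    """Map each domain to its edit distance from the brand after normalisation."""
    nb = normalize(brand)
    return {d: levenshtein(normalize(d), nb) for d in domains}


def flag_lookalikes(domains, brand=BRAND, max_distance=4):
    """Domains within max_distance edits of the brand (the brand itself excluded)."""
    return sorted(d for d, s in lookalike_scores(domains, brand).items()
                  if 0 < s <= max_distance)


def whois_summary(text, observed_on, new_domain_days=30):
    """Extract creation date and registrant e-mail; flag a domain younger than the cut-off.

    observed_on is a YYYY-MM-DD string for the day the domain was seen in the wild.
    """
    created = re.search(r"^Creation Date:\s*(\S+)", text, re.M).group(1)
    email = re.search(r"^Registrant Email:\s*(\S+)", text, re.M).group(1)
    created_dt = datetime.strptime(created, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    observed_dt = datetime.strptime(observed_on, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    age = observed_dt - created_dt
    return {
        "created": created_dt.isoformat(),
        "registrant_email": email,
        "age_days": age.total_seconds() / 86400,
        "newly_registered": age < timedelta(days=new_domain_days),
    }


if __name__ == "__main__":
    for d, s in sorted(lookalike_scores(SUSPECT_DOMAINS).items(), key=lambda kv: kv[1]):
        print(f"{s:2d}  {d}")
    # The post is dated 2014-12-01; use that as the observation date.
    print(whois_summary(WHOIS_TEXT, "2014-12-01"))
```

Run against the list, every steamcommunity look-alike lands within 4 edits of the brand (the "rn" for "m" swaps in steamcornmiunity.com and steamcomrniunity.com collapse to distance 1 once normalised), while csgo-lounqe.com scores far outside the cut-off: it imitates a different brand, and it only surfaced here because of the registrant pivot, not because of string similarity. That is the practical lesson of the list above: watchlists need both a per-brand similarity check and a WHOIS/registrant pivot, and a creation date a day or two old is itself a strong signal.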

Okay, back to the malware!
File:     SteamGuard.exe
Size:     285184
MD5:      3D6FDC70E43D258FA30AC4687F4306CA
Compiled: Sun, Nov 30 2014, 13:47:44  - 32 Bit .NET EXE
Version:  1.0.0.0

Wow! Look at that compile time! That's some fresh malware.
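The compile time listed above comes from the TimeDateStamp field of the PE/COFF file header, and reading it takes a few lines of header parsing. The following is an added example, not code from the original post and not the sample itself: it constructs a minimal PE header in memory whose timestamp is set to the compile time reported above (2014-11-30 13:47:44 UTC), parses it back, and measures how fresh the build was relative to the date it was seen. Nothing here executes or ships the real binary; the header bytes, the section count and the observation time are constructed values.

```python
"""Read machine type, section count and compile time from PE headers (added example)."""
import struct
from datetime import datetime, timezone

IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
MACHINE_BITS = {IMAGE_FILE_MACHINE_I386: 32, IMAGE_FILE_MACHINE_AMD64: 64}


def parse_pe_header(data):
    """Return machine, section count and compile timestamp from the PE/COFF headers."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    # e_lfanew at DOS header offset 0x3C points at the "PE\0\0" signature.
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # IMAGE_FILE_HEADER follows the signature:
    # Machine(2) NumberOfSections(2) TimeDateStamp(4) PointerToSymbolTable(4)
    # NumberOfSymbols(4) SizeOfOptionalHeader(2) Characteristics(2)
    machine, nsections, timestamp = struct.unpack_from("<HHI", data, e_lfanew + 4)
    compiled = datetime.fromtimestamp(timestamp, tz=timezone.utc)
    return {
        "machine": machine,
        "bits": MACHINE_BITS.get(machine),
        "sections": nsections,
        "timestamp": timestamp,
        "compiled_utc": compiled.strftime("%a, %b %d %Y, %H:%M:%S"),
    }


def hours_since_compile(data, observed_iso):
    """Hours between the header compile time and when the file was observed (ISO-8601 Z)."""
    observed = datetime.strptime(observed_iso, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    compiled = datetime.fromtimestamp(parse_pe_header(data)["timestamp"], tz=timezone.utc)
    return (observed - compiled).total_seconds() / 3600


def build_minimal_pe(timestamp, machine=IMAGE_FILE_MACHINE_I386, nsections=3):
    """Construct just enough of a PE header for parse_pe_header (constructed test data)."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (values constructed).
    coff = struct.pack("<HHIIIHH", machine, nsections, timestamp, 0, 0, 0xE0, 0x0102)
    return bytes(dos) + b"PE\0\0" + coff


# Compile time the post reports for SteamGuard.exe, as a constructed header.
SAMPLE_COMPILE_TS = int(datetime(2014, 11, 30, 13, 47, 44, tzinfo=timezone.utc).timestamp())
SAMPLE_HEADER = build_minimal_pe(SAMPLE_COMPILE_TS)

if __name__ == "__main__":
    info = parse_pe_header(SAMPLE_HEADER)
    print(f"Compiled: {info['compiled_utc']} UTC - {info['bits']} bit, {info['sections']} sections")
    # Post is dated 2014-12-01; constructed observation time of midnight that day.
    print(f"Built {hours_since_compile(SAMPLE_HEADER, '2014-12-01T00:00:00Z'):.1f} hours before observation")
```

A build seen within hours of its compile time is a reasonable "fresh sample" indicator, but treat the field as a hint rather than evidence: it is a plain integer the author of the binary controls, and deterministic-build toolchains fill it with a hash instead of a clock value, so a timestamp that decodes to a date in the far past or future is itself worth noting.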

Too bad it's busted and doesn't execute, and I am out of time for messing with this. I tried to de-compile it as well, but it is all in Chinese and I really don't have time for this. =(


At least they were festive when naming the resource in English.

If you want a copy, you can download it from the attacker's link (defanged):
h00ps://doc-14-9k-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/qptklkqnpglih278lheo7v6gjqlqjnf6/1417500000000/12170790477719556769/*/0B4fsHdBQBTPWRlplaE5HWEJYWDA?e=download 

UPDATE #1

Well, that didn't take long. Rainstorm is back with another friend that needs to talk to me:

Looks like the same old same old with this cat, but wait. THERE'S MORE!!!!!! Another new domain that we didn't have in our original list ... let's check it out:

This time, they go by Maks Georgevich, with the email kreponenkorich@mail.ru. Feeding this back into whoismind shows that they only have one domain registered (steamcommiuinty.com). 

I know what you're thinking -- maybe they fixed the malware? Let's check.

The website looks similar, but a new profile:

And the same shenanigans -- add a friend, log in, steal credentials and download our malware. Let's skip to the malware.

File:     SteamGuard.exe
Size:     285184
MD5:      3D6FDC70E43D258FA30AC4687F4306CA
Compiled: Sun, Nov 30 2014, 13:47:44  - 32 Bit .NET EXE
Version:  1.0.0.0

BOOOOOO! It's the same busted ass malware. Since they are harvesting credentials, if I get bored over the weekend I'll write a script to give them credentials ... =)


2 comments:

  1. This comment has been removed by the author.

  2. Had this the other day, only it was a weird link that has nothing to do with Steam at all. However, it sent me a download link to an image and tried to download a virus, but LUCKILY my antivirus immediately stopped the download and deleted it. Let's just say it was a different story for my other friend whose antivirus didn't stop it....
