Steam, a videogame platform, targeted by phishing and malware

Abstract

During the last few months, users of the popular videogame distribution platform Steam have been affected by several fake login websites and by chat messages with links that redirect to malware downloads which, once executed, steal the file that allows attackers to access the account without knowing the login credentials.

Introduction

Now that Steam's big summer sale has begun, it is important that you know the risks you are exposed to if you click on links sent by strangers.

Otherwise, you could fall for the frauds of malicious individuals who want to access your account to steal your rare items and sell them, buy games with the funds in your Steam Wallet, play your videogames, modify your data, disable Steam Guard, among other things.

Phishing Site

After a colleague mentioned how easy it is to run into malware download links sent through Steam’s chat, we decided to investigate. According to this report, a chat message was sent to its author asking him to add a friend on a phishing Steam website. This fake page, with a URL very similar to the original, redirected to what looked like a user’s profile. When the “Add Friend” button was clicked, the user was redirected to a form, very similar to the real one, with login fields. This could be tested with a different Steam phishing site that was active at the time of this analysis.

Once the user’s credentials are entered, a window appears asking for the code that the Steam application sent to the user’s email.

As on other websites, such as Facebook, if the user logs in from an unknown network or device, the platform shows a message indicating that the activity is unusual and may even ask the user to verify their identity before granting access. Steam implements a similar mechanism, where the user is asked for a numerical code sent by email. Without this code the user cannot log in. This feature is known as Steam Guard and provides additional security to users’ accounts, in such a way that, even if the credentials are stolen, the attackers cannot access the account without the code.

Finally, to avoid suspicion, a message is displayed indicating that the invitation to add the “friend” has been sent to the email and that he/she will appear on the user’s profile once he/she accepts.

It is also possible that, after entering a username and password, the window asks the user to upload the ssfn* file. The ssfn* file contains data related to the account’s credentials, so that the user can authenticate automatically without entering a username and password every time they log in to the application installed on the computer.

The report related to that case can be consulted on Malwarebytes.

In other cases, instead of asking for the security code, the window contains a button that supposedly downloads and installs SteamGuard.exe. As mentioned before, Steam Guard is an additional security mechanism of the website, which means no legitimate executable exists with that name.

The VirusTotal report can be consulted here.

In some cases, multiple fake domains are registered using the same email, as seen in the image below, obtained from whoismind. This gives an idea of the interest that attackers have in this platform and of how easy it is to deceive people by just changing or adding one or two letters. For example: steamcommunmity or steamcornmunity.
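As an added example (not part of the original report), the following Python check flags hostnames that imitate steamcommunity.com either by one or two character edits or by visually confusable substitutions such as “rn” for “m”, the two tricks seen in the domains above. The confusable table and the sample hostnames are constructed for this illustration, and a single-label TLD such as .com is assumed.

```python
# Added example: flag hostnames imitating steamcommunity.com, either by one or
# two character edits (typosquatting) or by confusable substitutions such as
# "rn" for "m". Confusable table and sample hostnames are constructed for this
# illustration; a single-label TLD (.com) is assumed when picking the label.
LEGIT = "steamcommunity"

# Visually confusable sequences, mapped to the character they imitate.
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l"}


def normalize_confusables(label):
    """Undo lookalike substitutions so 'steamcornmunity' becomes 'steamcommunity'."""
    for lookalike, real in CONFUSABLES.items():
        label = label.replace(lookalike, real)
    return label


def edit_distance(a, b):
    """Levenshtein distance (insertions, deletions, substitutions)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(hostname, max_edits=2):
    """Return 'legitimate', a lookalike category, or 'unrelated' for a hostname."""
    labels = hostname.lower().strip(".").split(".")
    registrable = labels[-2] if len(labels) >= 2 else labels[0]
    if registrable == LEGIT:
        return "legitimate"
    if LEGIT in labels[:-2]:            # brand name hidden in a subdomain
        return "lookalike (brand in subdomain)"
    normalized = normalize_confusables(registrable)
    if normalized == LEGIT:
        return "lookalike (confusable substitution)"
    if edit_distance(normalized, LEGIT) <= max_edits:
        return "lookalike (typosquat)"
    return "unrelated"


if __name__ == "__main__":
    # Constructed samples: the two from the report plus a control domain.
    for host in ("steamcommunity.com", "steamcommunmity.com",
                 "steamcornmunity.com", "example.com"):
        print(host, "->", classify(host))
```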


Malware

For this report it was not possible to find an active download link on a fake domain; however, we obtained a sample that had been stored in Google Docs since the end of last year.

MD5: 7FDCFDAB72C64DCDC45D7EC6BDD2ABFC

SHA1: 47229D9552C0E729427096B4F83940C699AC101C

VirusTotal report

As can be observed, the sample’s shortcut icon is similar to that of the original application. In its properties it references Valve Corporation, the company that developed the Steam platform.

It also shows the details of an alleged certificate signed by Valve and Symantec.

Exeinfo PE was used to determine that the sample was not protected with a known packer; however, it was compiled in .NET and possibly obfuscated using SmartAssembly.

The de4dot tool also indicated that the sample was obfuscated using SmartAssembly and even identified the version as 6.8.0.121.

According to its documentation, SmartAssembly provides several types of obfuscation, such as:

- Name mangling: changes the names of classes and methods to non-printable characters and can even rename multiple objects with the same obfuscated string.

- Control flow obfuscation: changes the control flow of the program into something complex and incomprehensible (spaghetti code).

- Resource compression and encryption: compresses or encrypts the resources used by the code.

- String encoding: encrypts all the strings in the executable.

The de4dot tool was used to deobfuscate the sample, specifying an output path so that the deobfuscated program was generated without overwriting the original.

The difference between the two can be observed in the following image. The obfuscated sample is on the left: the classes seem to lack names, but their names are actually made of non-printable characters, and the reference to SmartAssembly is visible. The deobfuscated executable is on the right, where de4dot has assigned generic names to the classes to simplify the analysis.

It also converted the “spaghetti code” into easy-to-understand code.

Static and Dynamic Analysis

In this report, the static and dynamic analysis are presented in the same section to better explain what the code does.

The Main() function calls method 0 of Class2.

· Class2

Method 0 creates a thread to execute method 1 in the background. The variable string_0 is seen to contain a URL; its use will be explained later.

Method 1 opens the registry key SOFTWARE\Valve\Steam and stores the value of “InstallPath”, after which it calls method 3. If something fails during execution, it calls method 2 to obtain the installation path without using registry keys.

Method 2 obtains the installation path in a different way: it searches through all running processes until it finds one called “Steam.exe”, then replaces the string “Steam.exe” with an empty string to keep only the directory. After that it calls method 3.

In method 3, DirectoryInfo.GetFiles returns the files found in Steam’s installation directory that match the pattern “ssfn*”. If a file has the “hidden” or “archive” attribute, it is added to a list. Method 3 then calls methods 4 and 5.

Method 4 reads all the lines of the file loginusers.vdf, which is also located in Steam’s installation path.

In method 5 an instance of the class Class0 is created and the string “hxxp://catalogs.sellexpo.net” is passed to it as a parameter. Class0.method1 is then called with the string “userid” as a parameter, along with the content of the file. It then calls method 2, passing the path of the ssfn file as a parameter.

· Class0

Method 1 of this class creates a hash table using the string “userid” and the lines of the file loginusers.vdf.

Method 2 receives the path of the ssfn* file and builds the POST request with which the file will be sent to the URL “catalogs.sellexpo.net”.

Because the request contains not only the file but also the user’s ID, obtained from the file loginusers.vdf, and the name of the ssfn file, the content type is specified as “multipart/form-data”. So that the server can tell apart the different pieces of data sent in the request, a separator is needed. As shown in the image below, the string “ou812--------------8c405ee4e38917c” is the separator or boundary. This separator is built in the following way:

· BeginBoundary = tells the server that will receive the request which string separates the data; in this case it is: ou812--------------8c405ee4e38917c.

· ContentBoundary = the string "--" added to the beginning of the BeginBoundary to separate it from the data sent in the request: "--" + BeginBoundary.

· EndingBoundary = another "--" added at the end: ContentBoundary + "--".

At the end, the lines of the ssfn file can be seen.
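As an added example (not code from the report or from the sample), the following Python parser splits a multipart/form-data body using exactly the boundary scheme described above (ContentBoundary = "--" + BeginBoundary, EndingBoundary = ContentBoundary + "--") and flags any uploaded part whose filename starts with “ssfn”, which is what a network monitor would look for to spot this exfiltration. The request body is constructed for this illustration, not a real capture; USERID_PLACEHOLDER and the ssfn filename are made-up values.

```python
# Added example: parse a multipart/form-data body built with the boundary
# scheme from the report and flag uploaded parts whose filename starts with
# "ssfn". SAMPLE_BODY is constructed for this illustration, not a capture;
# USERID_PLACEHOLDER and the ssfn filename are made-up values.
import re

BEGIN_BOUNDARY = "ou812--------------8c405ee4e38917c"  # boundary seen in the sample

SAMPLE_BODY = (
    "--" + BEGIN_BOUNDARY + "\r\n"
    'Content-Disposition: form-data; name="userid"\r\n\r\n'
    "USERID_PLACEHOLDER\r\n"
    "--" + BEGIN_BOUNDARY + "\r\n"
    'Content-Disposition: form-data; name="file"; filename="ssfn1234567890123456"\r\n'
    "Content-Type: application/octet-stream\r\n\r\n"
    "<constructed ssfn contents>\r\n"
    "--" + BEGIN_BOUNDARY + "--\r\n"
)


def parse_multipart(body, begin_boundary):
    """Split a multipart body into parts with their name, filename and data."""
    content_boundary = "--" + begin_boundary        # ContentBoundary
    parts = []
    for chunk in body.split(content_boundary)[1:]:
        if chunk.startswith("--"):                  # EndingBoundary reached
            break
        header_block, _, data = chunk.lstrip("\r\n").partition("\r\n\r\n")
        # \bname= avoids matching the "name=" inside "filename="
        name = re.search(r'\bname="([^"]*)"', header_block)
        filename = re.search(r'filename="([^"]*)"', header_block)
        parts.append({
            "name": name.group(1) if name else None,
            "filename": filename.group(1) if filename else None,
            "data": data.rstrip("\r\n"),
        })
    return parts


def ssfn_uploads(parts):
    """Filenames of uploaded parts that look like Steam ssfn credential files."""
    return [p["filename"] for p in parts
            if p["filename"] and p["filename"].lower().startswith("ssfn")]


if __name__ == "__main__":
    parsed = parse_multipart(SAMPLE_BODY, BEGIN_BOUNDARY)
    for part in parsed:
        print(part["name"], part["filename"], len(part["data"]), "bytes")
    print("ssfn files in request:", ssfn_uploads(parsed))
```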


How to avoid this?

· Do not click on links sent to you through Steam’s chat, Facebook, Skype or any other social network, even if they come from an account you know. Keep in mind that your friend could have lost the account and it may now be used to steal from others.

· Verify that the URL is spelled correctly, especially if it asks you for your security code.

· Do not download executables with names similar to “SteamGuard.exe”; they are not legitimate.

· Do not upload the file whose name starts with “ssfn” to any website.

· Follow the security advice found on the official Steam website.

Recommended link

To obtain more information about this, we recommend the following report:

Netcraft. Steam Community phishing attacks continue unabated.