One of the most rising types of infections these days is known as the "SteamStealer". What does that mean? Well, it's obvious from the name that it's designed to steal accounts used on the popular PC (and soon, console) gaming platform Steam.
There are several thousand "SteamStealers" spread across the internet each day. Most seem to originate from Russia, followed by the United States. Most Steam stealers, after successfully gaining access to your account, spam your friends list with a message. Now, since most "skid-type" Steam stealers allow the user to set a custom message, the message is always different. Typically it's along the lines of something like this:
"lol, wtf? (link)"
"Hey man, I want to trade with you. Here are my items: (link)", "alright while you look at that ill brb let me know when you've looked at them"
"Hey dude theres a weird photo of you: (link)"
There's always a way to tell a Steam Stealer from the real Steam. The most obvious one being the requirement for .NET Framework. Now, a normal user wouldn't notice as most computers come pre-packaged with .NET Framework 4.5, 4.0, 3.5, and 2.0. This is because every Steam stealer is coded in Visual Studio. Most of them are coded in C#, but some are made in VB.NET.
The real Steam does not require .NET Framework to be installed. Steam is coded in C++.
By far the most common Steam stealers are generated by, you guessed it, Steam File Stealer Extreme. I won't be linking to it, but it's the most common one used. For a few months they've been having a "$19.99 sale", with the price marked down to $40. They only accept BitCoin. The actual owner of this website lives in Australia, and it's quite easy to find out who he is. I won't be saying the actual owners name, as I think everyone has the right to privacy, and I don't run around throwing accusations.
Here's a full screencap of the website.
This particular Steam stealer is rather nasty. While most Steam stealers just email the host what you filled on the "Username and Password" box, this stealer comes prepacked complete with a keylogger that can fish out any saved passwords on Chrome, Opera, Internet Explorer, Firefox, and Yandex. It also comes prepackaged with a keylogger for steam (of course), an inventory value calculator, a tool that retrieves the current email for the account, a Steam restarter, a tool that retrieves wallet balances and currency of the current account, and also goes ahead and restarts Steam, for "maximizing Keylogging!". It's worth noting that Steam stealers are a huge problem with Steam, and while most people get caught eventually, for the most part, typically the average Steam Stealer takes 100-200 accounts, which can easily make $500 for the original owner, depending on who's account they steal. Of course, that's only in Steam money, and can only be used to buy games on Steam.
There are more websites that offer the same services, but they're not too interesting to look at, or don't say anything that this site doesn't.
Now, time to analyze these Steam stealers. It's worth noting that I didn't bother to make a bait account for them, but the Steam stealers will automatically fill in your username for you if it detects one, like the real Steam. I'm also aware that some Steam stealers will overwrite TeamSpeak 3 and Mumble executables if it detects them on the system (and essentially turn into Mumble and TeamSpeak 3 stealers), but I don't have those installed, so we won't be seeing that, if any of these actually overwrite them.
These are some variants that I have. Note that not all of these are actually Steam stealers.
First up, lets go ahead and run "img.exe".
This executable goes ahead and kills off the real Steam, and also disables Task Manager. It displays this box, and mimicks the real Steam login page. It also replaces the real Steam.exe with a clone of itself. It's definitely a good fake (much better than the one Steam File Stealer Extreme builds), but there are some obvious issues:
There is no system tray icon. Steam puts on a system tray icon even before it loads. The icon in the Task Bar also does not have the Steam icon, instead, it has the default Visual C# icon. Also, the real Steam almost certainly does not disable Task Manager upon launch.
Also, despite this Steam stealer being recent, it still has the old button names. The new Steam renamed the "Retrieve a lost account" button to "I can't sign in". "Retrieve a lost account" is still used in this steam stealer. The fonts are also different and the Steam logo on the fake version is more pixelated.
What's also interesting about most of these Steam stealers is that they don't actually ever replace the default Steam.exe due to permission issues. It just renames it to Steam.exe.old. If you rename Steam.exe.old to Steam2.exe, you will be able to launch the real Steam.
Compare the two side by side.
Next, lets open a Fiddler4 and Wireshark section, and enter a fake username and password and see where it all gets sent to.
Before we even click "Login", it immediately contacts an IP: 178.63.151.224.
If we do a quick google search for this IP address, we can see it has a domain listed in Google:
Although the who.is reports this IP is located in Berlin, Germany, the webpage is in Russian. This (most likely) means that the owner is not hosting this from his own computer, but rather a VPS.
If we try to enter the IP, we can see that Firefox reports the connection is untrusted.
But we're going to go ahead and add an exception to this. Once we enter the webpage, we can actually see that it is a Russian mirror of the website 2ip.io. Just like that website, it immediately gives you information about your IP, the "name of your computer" (actually your hostname), your current operating system, browser, and other info. It also tried to detect my ISP, but it failed to do so.
If I can say so myself, it's not very interesting.
What happens if we click "Login"?
Once we click Login, the fake Steam immediately shuts down. Then, it goes ahead and opens the real Steam for you.
Immediately, a few IPs are contacted, 23.32.131.235 and 5.101.152.85.
23.32.131.235 belongs to Akami Technologies, a cloud hosting website. This may actually belong to Microsoft rather than a hacker, but it's very strange that this IP was contacted immediately afterwards.
However the most suspicious IP is without a doubt 5.101.152.85. 5.101.152.85 is an IP located in Russia, and is hosted by Beget Ltd. BeGet is a popular web hosting company in Russia, located at beget.ru.
If we do a Google search for 5.101.152.85, we can see it also has its own website. The websites description is not available, as it has been blocked by robots.txt.
But as we all know, we are not at all about staying safe on this website, so we are going to enter it.
However, it seems as though either the author, BeGet, or whoever was maintaining the site, had erased the entire domain (or perhaps never set it up and just used it as a dumping ground) prior to my discovery, as the IP brings an error about nothing being "linked" to it:
Now it's time for my favorite part, which is disassembling the Steam Stealer. We are going to use ILSpy, which in my opinion, is the best .NET Decompiler, and it's also free.
We are going to analyze the img.exe and Steam.exe file. First, let's decompile the Steam.exe file and see what we can get.
Unfortunately, it seems as though this Steam.exe is crypted. We are not going to be able to get much out of it.
Same for the img.exe:
Well, there's not really much to say.. if you do decompile an uncrypted version of it, there's not too much to look at but a few things.
I will try to explain what these functions do to the best of my knowledge. GetCookie gets your Steam cookie, which basically means that it will be able to get past the "Steam Guard" thing by taking your cookie and downloading it to the hacker's computer. GetSessionID does the same thing for the same purpose.
GetGameItems and GetSteamItems gets the victims Steam Game Items and their Steam Items (e.g. gifts, cards, etc).
SendItems sends the items from the victims account to the hackers account.
SpreadToFriends and SpreadToFriendsUsingChat does exactly what they say - they spread the friends using a link and a hacker's choice of message.
GetFriends gets the current friends on the victim's account.
ChatInit initializes the chat.
PostComment will also post comments on friends (and random peoples) profiles, with the same deal as the "chat" spreading routine.
Here is a screenshot of the builder for Steam File Stealer Extreme:
I'll describe what these do:
SteamID64: Each Steam account has a unique ID, these are called SteamID64s. As mentioned in the builder, you can use steamrep.com to get this.
Trade Token: The Third Party Trade Offer URL which contains the trade token that's required.
Trade Partner ID: The Third Party Trade Offer URL which contains the Partner ID that's required.
Trade Message: This will be the trade message sent to you if you get a victim that has an item on your list.
Games: If you want to steal from a specific game you can use this (or you can use all of them). You can steal from Counter Strike: Global Offensive, Team Fortress 2, Dota 2, and Steam Items.
Filters: If you want a specific item to steal, you can filter which ones you want. If you don't want a specific item, you can leave this blank.
Filter Type: You can use this to filter out a specific item type.
Spread Message: This message will be used to spread your malware through friends via commenting and chatting.
Build File builds the file.
Certain variants of Steam stealer, if they detect Steam is open, rather then closing it, will print out a message that says something along the lines of "Steam must close to update. Press ok to install update." or something else. Once the user clicks OK or closes the message box, Steam stealer will begin its spreading routine.
Most of the URLs built with this also contain malicious Javascript files that perform drive-by downloads without the users consent.
In conclusion to this, Steam stealer is a very sneaky way of stealing accounts. The average Joe will not realize that anything's wrong with their computers or Steam upon running this. It's slightly obvious to the more advanced user. To avoid Steam stealer, it's pretty easy. You really just don't click any links that look weird/suspicious in a Steam chat/profile. I find it pretty sad that people resort to stupid, petty things like this, in order to get virtual, pixelated items.
