A friend recently had their Steam account hijacked by someone who then stole their CS:GO inventory. I chatted to the hacked account (and acted all innocent). The owner of the account invited me to a TeamSpeak server. Here (under controlled conditions) is what it did:
As you can see, it uses some rather sneaky social engineering by popping up a message window that tricks the user into thinking they need a plugin for TeamSpeak. On the surface, this seems a not-unreasonable request – especially if you’re not aware that the “Host message” has nothing to do with the TeamSpeak app itself; it is simply text set by whoever runs the server. In this case, IE’s SmartScreen filter disliked the file, but even if you weren’t using IE, the overly generic filename should raise a red flag.
I told the hacker in Steam chat that my TeamSpeak kept crashing. He sent me a link to a “CS:GO Tournament” website. This carried the same TeamSpeak IP and port that he’d quoted me originally but also a link to an “Anti-Cheat” plugin.
Both this file and the earlier “Sound Plugin” were being hosted on Google Docs. I uploaded them to Virus Total and they had positive scores of a paltry 3/56 and 4/56 respectively.
Next, I ran the files to see what they’d do. The Sound Plugin extracted a file into %tmp% and ran it and it then informed me it needed .NET v3.5 LOL! I dutifully installed it and ran the virus again. Steam opened but then there was a funny flash. The virus had placed a fake login box over the real one to try and capture credentials. I’ve moved it to one side a bit in this screenshot. I used Process Explorer’s target feature to highlight the process responsible for this:
I’ve obscured various processes that give a clue as to how I’m safely analysing this. Notice that the fake UI is from a process called Steam.exe – running from the Temporary folder! Notice also that the executable claims to be by “Valve Software” but crucially does not have a valid digital signature – unlike the real Steam process at the bottom of the list.
I could see the viral files were looking for various installed browsers to steal further info, though I didn’t look into this further. What I did see was that it replaced the genuine Steam.exe with a malicious one, in addition to the fake login box shown above. This dodgy version would ensure that a recovered account could get immediately re-stolen!
Anyone who gets their Steam account hijacked has to immediately go to http://support.steampowered.com/. The virus has that covered too, by altering the hosts file so that the support site no longer resolves correctly:
All in all, a pretty nasty piece of malware!
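As an added example (not part of the original post), the following PowerShell checks from the defender's side for the three indicators described above: a Steam.exe running from outside the install folder or without a valid Authenticode signature, a tampered on-disk Steam.exe, and hosts-file entries that hijack steampowered.com. The install path is an assumption (the default location); the output field names are my own.

```powershell
# Added example, not code from the original post. Assumes the default Steam
# install location; adjust $steamInstall if Steam lives elsewhere.
$steamInstall = 'C:\Program Files (x86)\Steam'

function Test-SteamProcesses {
    # Flag every running Steam.exe whose image is outside the install folder
    # (e.g. %TEMP%) or whose Authenticode signature is not valid. The genuine
    # Steam.exe is signed; the fake one merely claims "Valve Software".
    Get-Process -Name Steam -ErrorAction SilentlyContinue | ForEach-Object {
        $path = $_.Path
        if (-not $path) { return }   # no access to the image path; skip
        $sig = Get-AuthenticodeSignature -FilePath $path
        $inInstall = $path.StartsWith($steamInstall, [System.StringComparison]::OrdinalIgnoreCase)
        [pscustomobject]@{
            Pid        = $_.Id
            Path       = $path
            InInstall  = $inInstall
            Signature  = $sig.Status
            Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
            Suspicious = (-not $inInstall) -or ($sig.Status -ne 'Valid')
        }
    }
}

function Test-SteamBinary {
    # The malware also overwrote the real Steam.exe on disk, so check the
    # installed copy's signature, not just the running processes.
    $exe = Join-Path $steamInstall 'Steam.exe'
    if (-not (Test-Path $exe)) { return "Steam.exe not found at $exe" }
    $sig = Get-AuthenticodeSignature -FilePath $exe
    [pscustomobject]@{
        Path       = $exe
        Signature  = $sig.Status
        Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
        Suspicious = ($sig.Status -ne 'Valid')
    }
}

function Test-HostsFile {
    # A clean hosts file should not mention steampowered.com at all; any
    # non-comment line that does is redirecting the support site.
    $hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    Get-Content -Path $hosts | Where-Object {
        ($_ -notmatch '^\s*#') -and ($_ -match 'steampowered\.com')
    }
}

Test-SteamProcesses | Format-Table -AutoSize
Test-SteamBinary
Test-HostsFile
```

Any row with Suspicious = True, or any line returned by Test-HostsFile, matches the behaviour seen in this write-up and warrants a closer look.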