Jump to content
Nytro

Analysis of Steam stealers and the ‘Steam Stealer Extreme’ service

By Nytro, in Reverse engineering & exploit development

Recommended Posts

Nytro Mentor

Nytro

Posted
Posted (edited)

Analysis of Steam stealers and the ‘Steam Stealer Extreme’ service

Back in the end of November I started to spot some steam stealing malware in a backdoored Mumble installer:

Samples of these kind of stealers appeared more and more often. Around half of December I ended up with 14 unique samples that were actively spread around (see the end of this post for hashes and downloads for these samples):

tumblr_nhnvfuh3Yq1qflx2go1_1280.png

All of them except one are around 250kb or more in size. Only one sample, called ‘SteamDouble.exe’, was 69kb in size:

File name:
SteamDouble.exe

File size:
69.0 KB ( 70656 bytes )

First seen:
2014-12-07

MD5:
5f50e810668942e8d694faeabab08260

SHA1:
b44c087039ea90569291bfe1105693417fb2f84d

SHA256:
21c93477c200563fea732253f0eb2814b17b324e5d533a7c347b1bd7c6267987

ssdeep:
1536:NrNoD6y4E/+JWiiVUIekBixa7vq5KwSTPxkjL/Gv:NrNADqWii2IekBMa7v9wSYY

VirusTotal:

Malwr (Downloadable sample):

STEAMDOUBLE/BRUTALITY analysis

The ‘SteamDouble.exe’ sample came from a link originally send in a Steam chat message. The text of the message was: “”lol, wtf? http://img-pic[.]com/image612_14[.]jpeg”. When visiting this link the server on the other end responded with:

HTTP/1.1 301 Moved Permanently

Server: nginx

Date: Sun, 04 Jan 2015 14:15:03 GMT

Content-Type: text/html; charset=iso-8859-1

Connection: keep-alive

Location:
[.]gl/QaidJm

This was a redirect towards a Google shortlink: “goo[.]gl/QaidJm”. In turn this shortlink redirects towards ‘steamdouble[.]com’ website:

tumblr_nhnvfuh3Yq1qflx2go4_r1_1280.png

It advertises the so called ‘CS:GO Skin Duplicator’. The files for this tool are hosted on a filesharing service from russia called ‘exfile.ru’. The website itself also features a video showing the usage of the tool:

The video shows a tool which allows, as the tool’s name says, a user to duplicate CS:GO items. In the video it links to ‘csgoskinduplication[.]com’ this is the exact same website as ‘steamdouble[.]com’. The sample I grabbed back when I first saw this appear was not obfuscated or crypted. The current version available from the site has a crypted fake DLL which is decrypted and then ran. This payload is the same one I will be showing in the further analysis, just packed/crypted. It seems when the guy behind this first started he didn’t seem to care about packing/crypting his payload.

The ‘SteamDouble.exe’ payload is written in C#. Throwing it in a tool like ILSpy gives us a nice set of source code files especially because the author didn’t obfuscate any of the code. Just by looking at the project title ‘Stealer’ and the folder names inside the project like ‘SteamStealer’ it gives us a clear indication of what this sample does:

tumblr_nhnvfuh3Yq1qflx2go9_r1_400.png

The first folder named ‘Steam4NET’ contains a modified, stripped or old version of the Steam4NET open source .NET wrapper around the Steamworks C++ interfaces hosted on Github: https://github.com/SteamRE/Steam4NET

tumblr_nho0irgI821qflx2go2_1280.png

Looking at the main function we see the first thing it does is download an image which is stored in the appdata folder and shown to the user:

tumblr_nhnvfuh3Yq1qflx2go3_r1_1280.png

The image that is downloaded and displayed shows a screenshot of a russian DOTA2 account with the items it has available. (The original message send on Steam chat was an ‘image’ link so this makes sense to hide its real purpose). The downloaded image:

tumblr_nhnvfuh3Yq1qflx2go10_r1_1280.png

The second part of the main function is where the actual ‘Steam stealing’ takes place:

tumblr_nhnvfuh3Yq1qflx2go8_r1_1280.png

First it creators a new SteamWorker and adds an ‘offer’ which is used to trade items. The Steam cookies are parsed and as long as there are Steam cookies (aka the user is logged in to Steam) it will perform the ‘Spam.SpamInFriendList’ function which contains the message which got me on the sample in the first place “lol, wtf? http://img-pic[.]com/image612_14[.]jpeg”.

After this it adds the items it wants to steal which is a long list of items this guy is interested in. The last step is where it actually sends the item to trade to his own account. On the other end the guy only has to accept the trade offers (or have some automated way of doing it) and the items will belong to him. Very simple but an effective way of stealing items.

Going back to the original ‘addOffer’ function if we look at the arguments it expects we can find who is behind this (or at least the account used for the malicious trading):

tumblr_nhnvfuh3Yq1qflx2go2_r1_1280.png

The first argument to this function is the user’s Steam ID. This can be put in a SteamCommunity URL to go the user’s profile. The URL for this is: ‘http://steamcommunity.com/profiles/<SteamID>/’, this will redirect to the user’s real ID. In this case the SteamID used is ‘76561198161815322’, if we put this is in we get redirected to ‘Steam Community :: prewelec. This is the profile of a guy going by the nickname ‘prewelec’ who is supposedly from the US:

tumblr_nho0irgI821qflx2go3_1280.png

On the bottom the user commented some trade URL’s with the ID and token, these are the same items used for the ‘addOffer’ function’s 2nd and 3rd argument.

Looking at this user’s inventory it doesn’t show a very big amount of items but it could be this is just a middle-man account used to trade the items further:

tumblr_nhnvfuh3Yq1qflx2go6_r1_1280.png

Another interesting thing from this profile is the comments it leaves on some other gamer’s profile:

tumblr_nhnvfuh3Yq1qflx2go7_r1_400.png

The comment is pretty much the same message it spams around via the Steam chat ‘Spam.SpamInFriendList’ function.

This sample stood out and appears to be a custom thing created by a criminal specifically for his needs. The other samples however did not match this sample, not only by size.

The Steam Stealer Extreme service

From the 14 samples I obtained the ‘SteamDouble’ sample stood out of the bunch due to the size. The other 13 are all around 250kb in size.

Throwing any of the 250kb and bigger samples into ILSpy gives us the same decompilation structure:

tumblr_nho0irgI821qflx2go1_250.png

This tells me its the same tool/stealer used in all of these samples. Looking at the function inside the decompiled code we see similar functionality as with the ‘SteamDouble’ Stealer:

tumblr_nhnvfuh3Yq1qflx2go5_r1_400.png

It can gather the Steam cookie, add items to be stolen, post comments (on profile pages) to spread and also has two functions indicating of a spreading mechanism towards friends (be it Steam chat or profile comments): ‘SpreadToFriends’ and ‘SpreadToFriendsUsingChat’.

Just by looking at these functions we get a clear picture of what the purpose is of this malware. The builder used for these samples does obfuscate some of the code which causes some trouble for the decompiler. Of course it can be fixed but seeing as the purpose of this thing is already clear I’m not going to waste time on cleaning all the samples.

The more interesting question here is what is ‘Steam Stealer Extreme’. By simply googling for it you can find the ‘sales’ website located at steamstealer[.]com, steamstealer[.]org and steamstealer[.]net. It has the title ‘Steam Stealer Extreme’ which is marketed as ‘Revolutionizing the Steam Item Stealing Industry’, erhm… yes.

An about section details some more information on ‘the product’:

Steam Stealer Extreme is the new Steam Stealer completely custom coded (you can PM us and get some proof if you want!) and functions well. Steam Stealer Extreme is not like other steam stealers which is based off the same code as found on the Russian forum where it was leaked. It has extra features like filters (which are properly coded) and spreading your file via commenting on the client’s friends’ profiles * NEW * Spreads Via Chat! We’re a no bullshit product with little disadvantages. Our stealer does work and will work until Steam decide to patch the methods used. Steam Stealer Extreme is about getting the items you want and when you want.

They also have some video’s showing how it works on their YouTube channel: https://www.youtube.com/channel/UC7MjY8duE1xh-tTWpAsj_o

The site also contains an image of the ‘builder’ for the stealer:

tumblr_nho0irgI821qflx2go7_r1_1280.png

A list of features for the stealer:

tumblr_nho0irgI821qflx2go5_r1_1280.png

Information on how to purchase ‘Steam Stealer Extreme’, which is currently only available via Bitcoin payment:

tumblr_nho0irgI821qflx2go6_r1_1280.png

And at the bottom there’s also some contact information:

tumblr_nho0irgI821qflx2go4_r1_1280.png

Looking at the registration date of the website the .com, .org and .net websites for ‘Steam Stealer Extreme’ were registered on 2014-11-16 and all hosted on a VPS owned by OVH France at 92.222.189.92.

The email address ‘brynaldo8’ in the contact section from the site is ‘brynaldo8@gmail.com’. Interestingly if you simply google for this email address you will find the following pastebin post which contains a database dump with the (hashed) password for ‘LaPanthere’ which is the name this guy goes by:

tumblr_nho0irgI821qflx2go8_r1_1280.png

(Originally located at: LaPanthere SQL - Pastebin.com)

The ‘LaPanthere’ guy also has a PasteBin account at LaPanthere's Pastebin - Pastebin.com:

tumblr_nho0irgI821qflx2go9_r1_1280.png

Combining ‘LaPanthere’ and ‘brynaldo8’ also shows a dump from a post by Brian Krebs about ‘ragebooter’ being hacked. The dump also contains the user details of ‘LaPanthere’ but with a hotmail.com email address instead of gmail.com:

tumblr_nhockelZ4Q1qflx2go1_1280.png

(Original dump located at: http://krebsonsecurity.com/wp-content/uploads/2013/08/ragebooter.txt)

Finding this guy’s Steam profile is also easy, it actually matches the avatar from the PasteBin account. (Steam profile: Steam Community :: LaPanthere):

tumblr_nhockelZ4Q1qflx2go2_r1_1280.png

This show’s ‘LaPanthere’ is an Australian guy.

I won’t go any further into this person’s identity as I’m not here to make personal allegations against someone. All I am going to say about it is that this person is rather sloppy with what he’s leaving behind as a trail. Finding out ‘LaPanthere”s real identity is not that hard and only a few steps away from what I’ve shown.

I would expect a bit more from someone running a service like this, but keeping in mind his public profile(s) are on hackforums and leakforums it says enough :).

As for the ‘Steam Stealer Extreme’ malware going around, just don’t start running everything being send to you via chat messages or comments. Would you have your items stolen send a message to the Valve support staff explaining your situation, they will be able to help you out.

Detection wise, Antivirus products are still somewhat behind on detecting this one properly but its getting there (slowly).

All the samples I’ve shown are available for download from Malwr, see the next section for details and links to all the files, enjoy!

Steam Stealer Extreme samples:

Note: These are not all the Steam Stealer Extreme samples out there. These are just the ones I found when focusing on find out what they were and where it came from back in November through December 2014.

File name: Cracked SSE Builder.exe

File size: 363.5 KB ( 372224 bytes )

First seen: 2014-11-25

MD5: 38569912bdd5e0f9d13d5e8b2c00800c

SHA1: f153bf9d850f396e30f507d526a7a365ef93bdfd

SHA256: 700c38b312e1404b5d488767e1f45171848af00d4232cf9c2338e76e7648eb59

ssdeep: 6144:ODrM4scvXCPGrLq/dEWPSWpNJ+ulGtfxqr6WB4F+tbhxd:ODr/sGXoT/dEWP3GxtJw4Mp

VirusTotal: https://www.virustotal.com/en/file/700c38b312e1404b5d488767e1f45171848af00d4232cf9c2338e76e7648eb59/analysis/

Malwr (Downloadable sample): https://malwr.com/analysis/MWNkYWQwYmRjZGQ3NGUyNWJmZDY5ODA2YTgwOTQ3Nzc/

File name: CSGO Hack v1 - Coded by Empathy.exe

File size: 355.0 KB ( 363520 bytes )

First seen: 2014-12-03

MD5: 99fd0d39b96009cd17a343d36e3f6c75

SHA1: 107090152ec18240064b035181a7a5220b7152d0

SHA256: 7b660ed6ecbe98591802d6547f75f133434e92f45fa4bd5b4b4053f2975ba050

ssdeep: 6144:45oNxrSsfjLq/dEWPSWpNJ+ulGtfxqr6WB4F+tbhxIkEFMa:4+NbC/dEWP3GxtJw4MfE

VirusTotal: https://www.virustotal.com/en/file/7b660ed6ecbe98591802d6547f75f133434e92f45fa4bd5b4b4053f2975ba050/analysis/

Malwr (Downloadable sample): https://malwr.com/analysis/YmEzYzBkOWNmYWIyNGEwZjgyOGYyMTdhMDljNGFjOGQ/

File name: CSGO Multi-Hack by LionHacks.exe

File size: 499.0 KB ( 510976 bytes )

First seen: 2014-11-26

MD5: b1b8915930cd72ef8fac0b449b13f966

SHA1: 040461f0a9b1be066158caa50a21ae9d58a07e89

SHA256: 3508518052ff500ac1d4e4e72dea79844b38660178f45c41ecfe47fc9abcc339

ssdeep: 6144:0ZQel9dgZgdLq/dEWPSWpNJ+ulGtfxqr6WB4F+tbhxgL6ceixULxr9TBvctzF6WI:0ZQcdI1/dEWP3GxtJw4MApxuzkt0yij

VirusTotal: https://www.virustotal.com/en/file/3508518052ff500ac1d4e4e72dea79844b38660178f45c41ecfe47fc9abcc339/analysis/

Malwr (Downloadable sample): https://malwr.com/analysis/ZWM1NTcxYWYwOWIwNDhlZGEwNTdjNWQzMWJlNTA4NDI/

File name: CsgoSound.exe

File size: 282.2 KB ( 289002 bytes )

First seen: 2014-12-03

MD5: 4928ed30b0f9eee8078baa74dd0d7729

SHA1: 9b2689a6236d172499aa6019bf99c74dccb169e0

SHA256: 642a51ef3844cfe8389bf41b288ed42ce1c10998de142c5a4529929ed3d35e2c

ssdeep: 6144:L0fzV71SinbLq/dEWPSWpNJ+ulGtfxqr6WB4F+tbhxwIkI:gzjS/dEWP3GxtJw4MEq

VirusTotal: https://www.virustotal.com/en/file/642a51ef3844cfe8389bf41b288ed42ce1c10998de142c5a4529929ed3d35e2c/analysis/

Malwr (Downloadable sample): https://malwr.com/analysis/NjFkY2Q2OGM4OTBiNDNlNjhjMmMzYTY3Nzg0NmM5MDI/

File name: Easy Trader.exe

File size: 445.0 KB ( 455680 bytes )

First seen: 2014-11-20

MD5: 4e29168df760a5577e61d0b6e9e05704

SHA1: 8f323230d114800d6aadc3dfa1abf045030ddc43

SHA256: b81fe9ec92388484fa5a8542aaa5f9206e50871f664158a3734d891b1e325147

ssdeep: 6144:uwAArfLq/dEWPSWpNJ+ulGtfxqr6WB4F+tbhx8mMbxuszfkOffcXF+cOr+9lPF:g/dEWP3GxtJw4MNMbxjdffgj

VirusTotal: https://www.virustotal.com/en/file/b81fe9ec92388484fa5a8542aaa5f9206e50871f664158a3734d891b1e325147/analysis/

Malwr (Downloadable sample): https://malwr.com/analysis/MjM4NWNmMWI2YTg3NDdiMTgxYjcwYWJiOTc0MGUxYWU/

File name: ESAntiCheat.exe

File size: 257.5 KB ( 263680 bytes )

First seen: 2014-11-25

MD5: 65a3f03dc222ae27cb38cf5ef737f92d

SHA1: ebc1c3e230afa07b40a49b037a3e349907e04fa0

SHA256: f3abc0a2eaf9128833722e6db6c7e34b7228345a983991ba165f5eecb59d5141

ssdeep: 6144:RTfzI+RCaduLCrLq/dEWPSWpNJ+ulGtfxqr6WB4F+tbhx:RTblEB3/dEWP3GxtJw4M

VirusTotal: https://www.virustotal.com/en/file/f3abc0a2eaf9128833722e6db6c7e34b7228345a983991ba165f5eecb59d5141/analysis/

Malwr (Downloadable sample): https://malwr.com/analysis/MzBiMDJlYmEwNTkwNDE0MDliMjdmNTdhMDcyZTRjOGE/

File name: HashChanger.exe

File size: 544.0 KB ( 557056 bytes )

First seen: 2014-11-23

MD5: 732f303f34afa01e16fe3fc67a4e88ee

SHA1: 7e26ddbf6e223ca17ffb9dd62831b5588ccd9b0d

SHA256: c5e77e7b716c52bdd674e21e921d6b4a0bf09f5fd8d019c5e9e1835045124b65

ssdeep: 12288:58srPC/lUx539N3dPysQvxcRy1uvdy2jZZJAmnI/v:51b4qTzFDQvx65w2ymI

VirusTotal: https://www.virustotal.com/en/file/c5e77e7b716c52bdd674e21e921d6b4a0bf09f5fd8d019c5e9e1835045124b65/analysis/

Malwr (Downloadable sample): https://malwr.com/analysis/MTllYWE2NzM4NWYwNGE1M2IyZDkxNjJmNjk2NjZmZmM/

File name: Knife Exploit.exe

File size: 444.0 KB ( 454656 bytes )

First seen: 2014-11-29

MD5: 22d1eb7f6536b3873318ef143b11982b

SHA1: 13514fcf49b5e40fbec16cff58ab328b70d1e9f0

SHA256: 87f9c7b0e3a00c3240be1a578c5340bd433182209df2ff8a9bae9f51f9c4d74a

ssdeep: 6144:dnylhPXVLq/dEWPSWpNJ+ulGtfxqr6WB4F+tbhxl+WA1hzu8UYh:lyV0/dEWP3GxtJw4MR+Fr

VirusTotal: https://www.virustotal.com/en/file/87f9c7b0e3a00c3240be1a578c5340bd433182209df2ff8a9bae9f51f9c4d74a/analysis/

Malwr (Downloadable sample): https://malwr.com/analysis/YWIyMGY0OWZhNTUyNDVjY2EyYjgxNTE1MmEzNDgzNDg/

File name: SSBuilder.exe

File size: 619.0 KB ( 633856 bytes )

First seen: 2014-11-29

MD5: aad6c525784c7e9ede917c1d57fbf9fa

SHA1: ede0c60b18ce52b6e50f7d18c3eccb27109cf79c

SHA256: b2a1bfdc72a0b92b6ea510c98f2954ea94ecbab81eee13a7db379afb330c9d28

ssdeep: 6144:pXIa5sZuZTLq/dEWPSWpNJ+ulGtfxqr6WB4F+tbhxD4rrDBUYyMDEwk:pr5ssM/dEWP3GxtJw4MC

VirusTotal: https://www.virustotal.com/en/file/b2a1bfdc72a0b92b6ea510c98f2954ea94ecbab81eee13a7db379afb330c9d28/analysis/

Malwr (Downloadable sample): https://malwr.com/analysis/NzgyYWNhN2I1ZjM4NGUwMDgzYTRkNjViNmYxYWMyOWI/

File name: SSE_Stealer_76561197960568995.exe

File size: 253.0 KB ( 259072 bytes )

First seen: 2014-11-21

MD5: 05738a9c72ecea220dd668068b0d4a12

SHA1: 9d77843aaf9372cfb27978dd6c1034f77325edac

SHA256: 3668b53bcb4f9031e585f58f01b638f2afe5e9e128a63994ee05e77a0f5e2ff4

ssdeep: 6144:tnFRpTJrYEYpsEzLq/dEWPSWpNJ+ulGtfxqr6WB4F+tbhx:tnFRpTJ1Y8/dEWP3GxtJw4M

VirusTotal: https://www.virustotal.com/en/file/3668b53bcb4f9031e585f58f01b638f2afe5e9e128a63994ee05e77a0f5e2ff4/analysis/

Malwr (Downloadable sample): https://malwr.com/analysis/ZTBhNjBjZjc5NWUxNDdiYTg3YzE2Yjc5YjlhNWE2MTc/

File name: Steam Inventory Stealer - Builder.exe

File size: 443.0 KB ( 453632 bytes )

First seen: 2014-11-21

MD5: 2f8b66e5ca6f4d569b05f7ebf9b41457

SHA1: b30351911491fcf8809c1e469c80f393c506ef1d

SHA256: 4f6c96c12f72fbf6095fd8484f985d244d61b2153644430736e2d854790e644a

ssdeep: 6144:v83x+y+eLq/dEWPSWpNJ+ulGtfxqr6WB4F+tbhx4MWwblGwsPtIGacnW:vx7/dEWP3GxtJw4McpgDsPrakW

VirusTotal: https://www.virustotal.com/en/file/4f6c96c12f72fbf6095fd8484f985d244d61b2153644430736e2d854790e644a/analysis/

Malwr (Downloadable sample): https://malwr.com/analysis/MTQzMGIzYWNhYWYyNGNlNGI3NGM3ZTk0MTQ5ODkxOGY/

File name: SteamTradeHacker-v.3.6.exe

File size: 257.0 KB ( 263168 bytes )

First seen: 2014-11-22

MD5: e834f7a3c508f24e29caf336e27d408d

SHA1: 8874a35610d391a493f21618a01d79976f6a2ba5

SHA256: 737d7ac17382252ce0f7bf185e54675d42568057c23917d58189c1b8c0065478

ssdeep: 6144:GYLZOFDdMbLq/dEWPSWpNJ+ulGtfxqr6WB4F+tbhx:5ZCp/dEWP3GxtJw4M

VirusTotal: https://www.virustotal.com/en/file/737d7ac17382252ce0f7bf185e54675d42568057c23917d58189c1b8c0065478/analysis/

Malwr (Downloadable sample): https://malwr.com/analysis/YjBmMGU5OWY2NTczNDZlNGIzYzE1MDYzYTAxY2ZjYjY/

File name: Stub.exe

File size: 354.5 KB ( 363008 bytes )

First seen: 2014-11-29

MD5: dc88276de2ad28c7af2578e7f691b285

SHA1: 17bd2037abcc9a248cfb3e991be3e6e73bcfad18

SHA256: 4016e2a60be405e610245db9a87c807354c51db557a49103520f69b280f338dc

ssdeep: 6144:DIqY6P0o2WU0dLq/dEWPSWpNJ+ulGtfxqr6WB4F+tbhxtq4i3:cqYjocZ/dEWP3GxtJw4Mxq1

VirusTotal: https://www.virustotal.com/en/file/4016e2a60be405e610245db9a87c807354c51db557a49103520f69b280f338dc/analysis/

Malwr (Downloadable sample): https://malwr.com/analysis/N2YxZDU3M2M1YzdkNDIzOGE2Mjk3ZjQ0MGM3YjYwYjY/

7:49am | URL: 0x3a - Security Specialist and programmer by trade - Analysis of Steam stealers and the ‘Steam Stealer Extreme’ service

Sursa: 0x3a - Security Specialist and programmer by trade - Analysis of Steam stealers and the ‘Steam Stealer Extreme’ service

Edited by Nytro

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...