Analysis of Steam stealers and the ‘Steam Stealer Extreme’ service

Back at the end of November I started to spot some Steam-stealing malware in a backdoored Mumble installer:

Samples of this kind of stealer appeared more and more often. Around the middle of December I had ended up with 14 unique samples that were being actively spread around (see the end of this post for hashes and downloads of these samples):


All of them except one are around 250 KB or more in size. Only one sample, called ‘SteamDouble.exe’, was 69 KB in size:

File name: SteamDouble.exe
File size: 69.0 KB ( 70656 bytes )
First seen: 2014-12-07
MD5: 5f50e810668942e8d694faeabab08260
SHA1: b44c087039ea90569291bfe1105693417fb2f84d
SHA256: 21c93477c200563fea732253f0eb2814b17b324e5d533a7c347b1bd7c6267987
ssdeep: 1536:NrNoD6y4E/+JWiiVUIekBixa7vq5KwSTPxkjL/Gv:NrNADqWii2IekBMa7v9wSYY
VirusTotal: https://www.virustotal.com/en/file/21c93477c200563fea732253f0eb2814b17b324e5d533a7c347b1bd7c6267987/analysis/
Malwr (Downloadable sample): https://malwr.com/analysis/NDQwMzE3ZTI4OTc5NGZkYmI4MDc4YzhhNDMwOGFmNjA/

STEAMDOUBLE/BRUTALITY analysis

The ‘SteamDouble.exe’ sample came from a link originally sent in a Steam chat message. The text of the message was: “lol, wtf? http://img-pic[.]com/image612_14[.]jpeg”. When visiting this link the server on the other end responded with:

HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Sun, 04 Jan 2015 14:15:03 GMT
Content-Type: text/html; charset=iso-8859-1
Connection: keep-alive
Location: http://goo[.]gl/QaidJm

This was a redirect towards a Google shortlink: “goo[.]gl/QaidJm”. In turn this shortlink redirects towards the ‘steamdouble[.]com’ website:

image
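The two-hop redirect above (img-pic[.]com → goo[.]gl → steamdouble[.]com) is the kind of chain an analyst wants to walk without ever rendering the final page. The script below is an added example, not the post's own tooling: it parses raw HTTP response heads, follows `Location` headers hop by hop, refuses loops and runaway chains, and prints the chain with the URLs defanged the way this post writes them. The fetcher is injected, so here it runs against canned responses and contacts nothing; only the first 301 is the one quoted above, the goo.gl hop and the final 200 are constructed for the example.

```python
"""Walk an HTTP redirect chain hop by hop, looking only at response heads.

Added example for this post, not the post's own tooling.  The fetcher is
injected, so the chain is walked here against canned responses and nothing
is contacted; only the first 301 below is the one quoted in the post, the
goo.gl hop and the final 200 are constructed for the example."""
import re
from typing import Callable, Dict, List, NamedTuple, Tuple
from urllib.parse import urljoin

REDIRECT_CODES = {301, 302, 303, 307, 308}

# Constructed canned responses keyed by the (live-form) URL that was requested.
CANNED: Dict[str, str] = {
    "http://img-pic.com/image612_14.jpeg": (
        "HTTP/1.1 301 Moved Permanently\r\n"
        "Server: nginx\r\n"
        "Date: Sun, 04 Jan 2015 14:15:03 GMT\r\n"
        "Content-Type: text/html; charset=iso-8859-1\r\n"
        "Connection: keep-alive\r\n"
        "Location: http://goo.gl/QaidJm\r\n\r\n"),
    "http://goo.gl/QaidJm": (              # constructed; not shown in the post
        "HTTP/1.1 301 Moved Permanently\r\n"
        "Location: http://steamdouble.com/\r\n\r\n"),
    "http://steamdouble.com/": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n",
}

def canned_fetch(url: str) -> str:
    """Stand-in for a real HEAD request; unknown URLs get a 404 head."""
    return CANNED.get(url, "HTTP/1.1 404 Not Found\r\n\r\n")

def refang(url: str) -> str:
    """Turn a defanged indicator (http://goo[.]gl/x, hxxp://...) back into a live URL."""
    return url.replace("[.]", ".").replace("hxxp://", "http://")

def defang(url: str) -> str:
    """Defang a URL the way the post writes indicators: every dot bracketed."""
    return url.replace(".", "[.]")

def parse_response_head(raw: str) -> Tuple[int, Dict[str, str]]:
    """Parse a raw response head into (status code, lower-cased header dict)."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    m = re.match(r"HTTP/\d(?:\.\d)?\s+(\d{3})", lines[0])
    if not m:
        raise ValueError("not an HTTP response head: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return int(m.group(1)), headers

class Hop(NamedTuple):
    url: str
    status: int

class Chain(NamedTuple):
    hops: List[Hop]
    stop_reason: str  # "final", "no_location", "loop" or "max_hops"

def follow_chain(start: str, fetch: Callable[[str], str], max_hops: int = 10) -> Chain:
    """Follow 3xx Location headers from a (possibly defanged) start URL,
    refusing to revisit a URL or to go beyond max_hops."""
    url, hops, seen = refang(start), [], set()
    while True:
        if url in seen:
            return Chain(hops, "loop")
        if len(hops) >= max_hops:
            return Chain(hops, "max_hops")
        seen.add(url)
        status, headers = parse_response_head(fetch(url))
        hops.append(Hop(url, status))
        if status not in REDIRECT_CODES:
            return Chain(hops, "final")
        location = headers.get("location")
        if not location:
            return Chain(hops, "no_location")
        url = urljoin(url, location)  # Location may be relative

def report(chain: Chain) -> str:
    """One defanged line per hop, safe to paste into a write-up."""
    lines = ["%d  %s" % (h.status, defang(h.url)) for h in chain.hops]
    return "\n".join(lines + ["stop: " + chain.stop_reason])

if __name__ == "__main__":
    print(report(follow_chain("http://img-pic[.]com/image612_14[.]jpeg", canned_fetch)))
```

Swapping `canned_fetch` for a function that issues a real HEAD request from an isolated analysis box is the only change needed to use this on live indicators; keeping the loop and hop limits matters there, because shortener chains that bounce between themselves are common.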

It advertises the so-called ‘CS:GO Skin Duplicator’. The files for this tool are hosted on a Russian file-sharing service called ‘exfile.ru’. The website itself also features a video showing the usage of the tool:

The video shows a tool which, as the tool’s name says, allows a user to duplicate CS:GO items. In the video it links to ‘csgoskinduplication[.]com’, which is the exact same website as ‘steamdouble[.]com’. The sample I grabbed back when I first saw this appear was not obfuscated or crypted. The current version available from the site has a crypted fake DLL which is decrypted and then run. This payload is the same one I will be showing in the further analysis, just packed/crypted. It seems that when the guy behind this first started he didn’t care about packing/crypting his payload.

The ‘SteamDouble.exe’ payload is written in C#. Throwing it into a tool like ILSpy gives us a nice set of source code files, especially because the author didn’t obfuscate any of the code. Just looking at the project title ‘Stealer’ and the folder names inside the project like ‘SteamStealer’ gives us a clear indication of what this sample does:

image

The first folder, named ‘Steam4NET’, contains a modified, stripped or old version of Steam4NET, the open source .NET wrapper around the Steamworks C++ interfaces hosted on GitHub: https://github.com/SteamRE/Steam4NET

image

Looking at the main function we see that the first thing it does is download an image, which is stored in the appdata folder and shown to the user:

image

The image that is downloaded and displayed shows a screenshot of a Russian DOTA 2 account with the items it has available. (The original message sent on Steam chat was an ‘image’ link, so this makes sense to hide its real purpose.) The downloaded image:

image

The second part of the main function is where the actual ‘Steam stealing’ takes place:

image

First it creates a new SteamWorker and adds an ‘offer’ which is used to trade items. The Steam cookies are parsed and, as long as there are Steam cookies (i.e. the user is logged in to Steam), it will call the ‘Spam.SpamInFriendList’ function, which contains the message that got me onto the sample in the first place: “lol, wtf? http://img-pic[.]com/image612_14[.]jpeg”.
After this it adds the items it wants to steal, which is a long list of items this guy is interested in. The last step is where it actually sends the items to trade to his own account. On the other end the guy only has to accept the trade offers (or have some automated way of doing it) and the items will belong to him. Very simple, but an effective way of stealing items.

Going back to the original ‘addOffer’ function, if we look at the arguments it expects we can find who is behind this (or at least the account used for the malicious trading):

image

The first argument to this function is the user’s Steam ID. This can be put in a SteamCommunity URL to go to the user’s profile. The URL for this is ‘http://steamcommunity.com/profiles//’; this will redirect to the user’s real ID. In this case the SteamID used is ‘76561198161815322’; if we put this in we get redirected to ‘http://steamcommunity.com/id/prewen/’. This is the profile of a guy going by the nickname ‘prewelec’ who is supposedly from the US:

image
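When a 17-digit SteamID64 like the one above is pulled out of a sample, it helps to have the other forms of the same ID at hand (the 32-bit account ID, the legacy STEAM_X:Y:Z form, the [U:1:n] form and the profile URL) for pivoting through trade URLs, logs and other samples. The script below is an added example, not code from the post; it relies only on the publicly documented SteamID layout, in which an individual user account's 64-bit ID is 76561197960265728 plus the 32-bit account ID. The IDs used as input are the one from the ‘addOffer’ call and the one embedded in the file name ‘SSE_Stealer_76561197960568995.exe’ from the sample list.

```python
"""Decode a SteamID64 (such as the one hard-coded as the first argument of
'addOffer') into its account ID, Steam2/Steam3 forms and the profile URL.

Added example, not the post's code.  It relies on the public SteamID layout:
a normal user account's 64-bit ID is 76561197960265728 plus the 32-bit
account ID (universe 1, type individual, instance 1 in the high bits)."""
import re
from typing import Dict, List

STEAMID64_BASE = 0x0110000100000000  # == 76561197960265728

def account_id(steamid64: int) -> int:
    """Low 32 bits of the ID; rejects values that are not individual-account IDs."""
    acct = steamid64 - STEAMID64_BASE
    if not 0 <= acct < 2 ** 32:
        raise ValueError("not an individual-account SteamID64: %d" % steamid64)
    return acct

def steamid64_from_account_id(acct: int) -> int:
    """Inverse of account_id."""
    return STEAMID64_BASE + acct

def steam2(steamid64: int) -> str:
    """Legacy STEAM_X:Y:Z form: Y is the low bit of the account ID, Z the rest."""
    acct = account_id(steamid64)
    return "STEAM_0:%d:%d" % (acct & 1, acct >> 1)

def steam3(steamid64: int) -> str:
    """Steam3 [U:1:accountid] form."""
    return "[U:1:%d]" % account_id(steamid64)

def parse_steam2(text: str) -> int:
    """STEAM_X:Y:Z back to SteamID64 (account ID = 2*Z + Y)."""
    m = re.fullmatch(r"STEAM_[0-5]:([01]):(\d+)", text.strip())
    if not m:
        raise ValueError("not a Steam2 ID: %r" % text)
    return steamid64_from_account_id(2 * int(m.group(2)) + int(m.group(1)))

def profile_url(steamid64: int) -> str:
    """The /profiles/<id64>/ URL, which Steam redirects to the vanity /id/ URL."""
    account_id(steamid64)  # validate before building the URL
    return "http://steamcommunity.com/profiles/%d/" % steamid64

def find_steamid64s(blob: str) -> List[int]:
    """Pull candidate SteamID64s out of decompiled code, strings output or file
    names: any 17-digit run that decodes to a valid individual-account ID."""
    found = []
    for m in re.finditer(r"(?<!\d)\d{17}(?!\d)", blob):
        sid = int(m.group(0))
        try:
            account_id(sid)
        except ValueError:
            continue
        found.append(sid)
    return found

def describe(steamid64: int) -> Dict[str, object]:
    """All the forms an analyst would note down for one ID."""
    return {"steamid64": steamid64, "account_id": account_id(steamid64),
            "steam2": steam2(steamid64), "steam3": steam3(steamid64),
            "profile_url": profile_url(steamid64)}

if __name__ == "__main__":
    # The ID the post pulled from the SteamDouble sample's addOffer call, plus the
    # one embedded in the file name SSE_Stealer_76561197960568995.exe.
    for sid in find_steamid64s("addOffer(76561198161815322, ...) SSE_Stealer_76561197960568995.exe"):
        print(describe(sid))
```

`find_steamid64s` is deliberately strict: a 17-digit number only counts if it decodes to an account ID that fits in 32 bits, which filters out most timestamps and other long integers that turn up in decompiled code.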

At the bottom the user commented some trade URLs with the ID and token; these are the same items used for the ‘addOffer’ function’s 2nd and 3rd arguments.
Looking at this user’s inventory doesn’t show a very large number of items, but it could be that this is just a middle-man account used to trade the items further:

image

Another interesting thing from this profile is the comments it leaves on some other gamers’ profiles:

image

The comment is pretty much the same message it spams around via the Steam chat ‘Spam.SpamInFriendList’ function.

This sample stood out and appears to be a custom thing created by a criminal specifically for his needs. The other samples, however, did not match this sample, and not only in size.

The Steam Stealer Extreme service

From the 14 samples I obtained, the ‘SteamDouble’ sample stood out from the bunch due to its size. The other 13 are all around 250 KB in size.

Throwing any of the 250 KB and bigger samples into ILSpy gives us the same decompilation structure:

image

This tells me it’s the same tool/stealer used in all of these samples. Looking at the functions inside the decompiled code we see similar functionality to the ‘SteamDouble’ stealer:

image

It can gather the Steam cookie, add items to be stolen, post comments (on profile pages) to spread, and also has two functions indicating a spreading mechanism towards friends (be it Steam chat or profile comments): ‘SpreadToFriends’ and ‘SpreadToFriendsUsingChat’.

Just by looking at these functions we get a clear picture of what the purpose of this malware is. The builder used for these samples does obfuscate some of the code, which causes some trouble for the decompiler. Of course it can be fixed, but seeing as the purpose of this thing is already clear I’m not going to waste time on cleaning all the samples.

The more interesting question here is what ‘Steam Stealer Extreme’ is. By simply googling for it you can find the ‘sales’ website, located at steamstealer[.]com, steamstealer[.]org and steamstealer[.]net. It has the title ‘Steam Stealer Extreme’ and is marketed as ‘Revolutionizing the Steam Item Stealing Industry’, erhm… yes.
An about section details some more information on ‘the product’:

Steam Stealer Extreme is the new Steam Stealer completely custom coded (you can PM us and get some proof if you want!) and functions well. Steam Stealer Extreme is not like other steam stealers which is based off the same code as found on the Russian forum where it was leaked. It has extra features like filters (which are properly coded) and spreading your file via commenting on the client’s friends’ profiles * NEW * Spreads Via Chat! We’re a no bullshit product with little disadvantages. Our stealer does work and will work until Steam decide to patch the methods used. Steam Stealer Extreme is about getting the items you want and when you want.

They also have some videos showing how it works on their YouTube channel: https://www.youtube.com/channel/UC7MjY8duE1xh-tTWpAsj_o

The site also contains an image of the ‘builder’ for the stealer:

image

A list of features for the stealer:

image

Information on how to purchase ‘Steam Stealer Extreme’, which is currently only available via Bitcoin payment:

image

And at the bottom there’s also some contact information:

image

Looking at the registration dates, the .com, .org and .net websites for ‘Steam Stealer Extreme’ were all registered on 2014-11-16 and are all hosted on a VPS owned by OVH France at 92.222.189.92.

The email address ‘brynaldo8’ in the contact section of the site is ‘brynaldo8@gmail.com’. Interestingly, if you simply google for this email address you will find the following Pastebin post, which contains a database dump with the (hashed) password for ‘LaPanthere’, which is the name this guy goes by:

image

(Originally located at: http://pastebin.com/QaeS2D17)

The ‘LaPanthere’ guy also has a Pastebin account at http://pastebin.com/u/LaPanthere:

image

Combining ‘LaPanthere’ and ‘brynaldo8’ also turns up a dump from a post by Brian Krebs about ‘ragebooter’ being hacked. The dump also contains the user details of ‘LaPanthere’, but with a hotmail.com email address instead of gmail.com:

image

(Original dump located at: http://krebsonsecurity.com/wp-content/uploads/2013/08/ragebooter.txt)

Finding this guy’s Steam profile is also easy; it actually matches the avatar from the Pastebin account (Steam profile: http://steamcommunity.com/id/lapanthere):

image

This shows ‘LaPanthere’ is an Australian guy.

I won’t go any further into this person’s identity as I’m not here to make personal allegations against someone. All I am going to say about it is that this person is rather sloppy with what he’s leaving behind as a trail. Finding out ‘LaPanthere’’s real identity is not that hard and only a few steps away from what I’ve shown.
I would expect a bit more from someone running a service like this, but keeping in mind that his public profile(s) are on hackforums and leakforums, that says enough :).

As for the ‘Steam Stealer Extreme’ malware going around: just don’t start running everything that is sent to you via chat messages or comments. Should you have your items stolen, send a message to the Valve support staff explaining your situation; they will be able to help you out.
Detection-wise, antivirus products are still somewhat behind on detecting this one properly, but it’s getting there (slowly).

All the samples I’ve shown are available for download from Malwr; see the next section for details and links to all the files, enjoy!

Steam Stealer Extreme samples:

Note: These are not all the Steam Stealer Extreme samples out there. These are just the ones I found when focusing on finding out what they were and where they came from, back in November through December 2014.

File name: Cracked SSE Builder.exe
File size: 363.5 KB ( 372224 bytes )
First seen: 2014-11-25
MD5: 38569912bdd5e0f9d13d5e8b2c00800c
SHA1: f153bf9d850f396e30f507d526a7a365ef93bdfd
SHA256: 700c38b312e1404b5d488767e1f45171848af00d4232cf9c2338e76e7648eb59
ssdeep: 6144:ODrM4scvXCPGrLq/dEWPSWpNJ+ulGtfxqr6WB4F+tbhxd:ODr/sGXoT/dEWP3GxtJw4Mp
VirusTotal: https://www.virustotal.com/en/file/700c38b312e1404b5d488767e1f45171848af00d4232cf9c2338e76e7648eb59/analysis/
Malwr (Downloadable sample): https://malwr.com/analysis/MWNkYWQwYmRjZGQ3NGUyNWJmZDY5ODA2YTgwOTQ3Nzc/

File name: CSGO Hack v1 – Coded by Empathy.exe
File size: 355.0 KB ( 363520 bytes )
First seen: 2014-12-03
MD5: 99fd0d39b96009cd17a343d36e3f6c75
SHA1: 107090152ec18240064b035181a7a5220b7152d0
SHA256: 7b660ed6ecbe98591802d6547f75f133434e92f45fa4bd5b4b4053f2975ba050
ssdeep: 6144:45oNxrSsfjLq/dEWPSWpNJ+ulGtfxqr6WB4F+tbhxIkEFMa:4+NbC/dEWP3GxtJw4MfE
VirusTotal: https://www.virustotal.com/en/file/7b660ed6ecbe98591802d6547f75f133434e92f45fa4bd5b4b4053f2975ba050/analysis/
Malwr (Downloadable sample): https://malwr.com/analysis/YmEzYzBkOWNmYWIyNGEwZjgyOGYyMTdhMDljNGFjOGQ/

File name: CSGO Multi-Hack by LionHacks.exe
File size: 499.0 KB ( 510976 bytes )
First seen: 2014-11-26
MD5: b1b8915930cd72ef8fac0b449b13f966
SHA1: 040461f0a9b1be066158caa50a21ae9d58a07e89
SHA256: 3508518052ff500ac1d4e4e72dea79844b38660178f45c41ecfe47fc9abcc339
ssdeep: 6144:0ZQel9dgZgdLq/dEWPSWpNJ+ulGtfxqr6WB4F+tbhxgL6ceixULxr9TBvctzF6WI:0ZQcdI1/dEWP3GxtJw4MApxuzkt0yij
VirusTotal: https://www.virustotal.com/en/file/3508518052ff500ac1d4e4e72dea79844b38660178f45c41ecfe47fc9abcc339/analysis/
Malwr (Downloadable sample): https://malwr.com/analysis/ZWM1NTcxYWYwOWIwNDhlZGEwNTdjNWQzMWJlNTA4NDI/

File name: CsgoSound.exe
File size: 282.2 KB ( 289002 bytes )
First seen: 2014-12-03
MD5: 4928ed30b0f9eee8078baa74dd0d7729
SHA1: 9b2689a6236d172499aa6019bf99c74dccb169e0
SHA256: 642a51ef3844cfe8389bf41b288ed42ce1c10998de142c5a4529929ed3d35e2c
ssdeep: 6144:L0fzV71SinbLq/dEWPSWpNJ+ulGtfxqr6WB4F+tbhxwIkI:gzjS/dEWP3GxtJw4MEq
VirusTotal: https://www.virustotal.com/en/file/642a51ef3844cfe8389bf41b288ed42ce1c10998de142c5a4529929ed3d35e2c/analysis/
Malwr (Downloadable sample): https://malwr.com/analysis/NjFkY2Q2OGM4OTBiNDNlNjhjMmMzYTY3Nzg0NmM5MDI/

File name: Easy Trader.exe
File size: 445.0 KB ( 455680 bytes )
First seen: 2014-11-20
MD5: 4e29168df760a5577e61d0b6e9e05704
SHA1: 8f323230d114800d6aadc3dfa1abf045030ddc43
SHA256: b81fe9ec92388484fa5a8542aaa5f9206e50871f664158a3734d891b1e325147
ssdeep: 6144:uwAArfLq/dEWPSWpNJ+ulGtfxqr6WB4F+tbhx8mMbxuszfkOffcXF+cOr+9lPF:g/dEWP3GxtJw4MNMbxjdffgj
VirusTotal: https://www.virustotal.com/en/file/b81fe9ec92388484fa5a8542aaa5f9206e50871f664158a3734d891b1e325147/analysis/
Malwr (Downloadable sample): https://malwr.com/analysis/MjM4NWNmMWI2YTg3NDdiMTgxYjcwYWJiOTc0MGUxYWU/

File name: ESAntiCheat.exe
File size: 257.5 KB ( 263680 bytes )
First seen: 2014-11-25
MD5: 65a3f03dc222ae27cb38cf5ef737f92d
SHA1: ebc1c3e230afa07b40a49b037a3e349907e04fa0
SHA256: f3abc0a2eaf9128833722e6db6c7e34b7228345a983991ba165f5eecb59d5141
ssdeep: 6144:RTfzI+RCaduLCrLq/dEWPSWpNJ+ulGtfxqr6WB4F+tbhx:RTblEB3/dEWP3GxtJw4M
VirusTotal: https://www.virustotal.com/en/file/f3abc0a2eaf9128833722e6db6c7e34b7228345a983991ba165f5eecb59d5141/analysis/
Malwr (Downloadable sample): https://malwr.com/analysis/MzBiMDJlYmEwNTkwNDE0MDliMjdmNTdhMDcyZTRjOGE/

File name: HashChanger.exe
File size: 544.0 KB ( 557056 bytes )
First seen: 2014-11-23
MD5: 732f303f34afa01e16fe3fc67a4e88ee
SHA1: 7e26ddbf6e223ca17ffb9dd62831b5588ccd9b0d
SHA256: c5e77e7b716c52bdd674e21e921d6b4a0bf09f5fd8d019c5e9e1835045124b65
ssdeep: 12288:58srPC/lUx539N3dPysQvxcRy1uvdy2jZZJAmnI/v:51b4qTzFDQvx65w2ymI
VirusTotal: https://www.virustotal.com/en/file/c5e77e7b716c52bdd674e21e921d6b4a0bf09f5fd8d019c5e9e1835045124b65/analysis/
Malwr (Downloadable sample): https://malwr.com/analysis/MTllYWE2NzM4NWYwNGE1M2IyZDkxNjJmNjk2NjZmZmM/

File name: Knife Exploit.exe
File size: 444.0 KB ( 454656 bytes )
First seen: 2014-11-29
MD5: 22d1eb7f6536b3873318ef143b11982b
SHA1: 13514fcf49b5e40fbec16cff58ab328b70d1e9f0
SHA256: 87f9c7b0e3a00c3240be1a578c5340bd433182209df2ff8a9bae9f51f9c4d74a
ssdeep: 6144:dnylhPXVLq/dEWPSWpNJ+ulGtfxqr6WB4F+tbhxl+WA1hzu8UYh:lyV0/dEWP3GxtJw4MR+Fr
VirusTotal: https://www.virustotal.com/en/file/87f9c7b0e3a00c3240be1a578c5340bd433182209df2ff8a9bae9f51f9c4d74a/analysis/
Malwr (Downloadable sample): https://malwr.com/analysis/YWIyMGY0OWZhNTUyNDVjY2EyYjgxNTE1MmEzNDgzNDg/

File name: SSBuilder.exe
File size: 619.0 KB ( 633856 bytes )
First seen: 2014-11-29
MD5: aad6c525784c7e9ede917c1d57fbf9fa
SHA1: ede0c60b18ce52b6e50f7d18c3eccb27109cf79c
SHA256: b2a1bfdc72a0b92b6ea510c98f2954ea94ecbab81eee13a7db379afb330c9d28
ssdeep: 6144:pXIa5sZuZTLq/dEWPSWpNJ+ulGtfxqr6WB4F+tbhxD4rrDBUYyMDEwk:pr5ssM/dEWP3GxtJw4MC
VirusTotal: https://www.virustotal.com/en/file/b2a1bfdc72a0b92b6ea510c98f2954ea94ecbab81eee13a7db379afb330c9d28/analysis/
Malwr (Downloadable sample): https://malwr.com/analysis/NzgyYWNhN2I1ZjM4NGUwMDgzYTRkNjViNmYxYWMyOWI/

File name: SSE_Stealer_76561197960568995.exe
File size: 253.0 KB ( 259072 bytes )
First seen: 2014-11-21
MD5: 05738a9c72ecea220dd668068b0d4a12
SHA1: 9d77843aaf9372cfb27978dd6c1034f77325edac
SHA256: 3668b53bcb4f9031e585f58f01b638f2afe5e9e128a63994ee05e77a0f5e2ff4
ssdeep: 6144:tnFRpTJrYEYpsEzLq/dEWPSWpNJ+ulGtfxqr6WB4F+tbhx:tnFRpTJ1Y8/dEWP3GxtJw4M
VirusTotal: https://www.virustotal.com/en/file/3668b53bcb4f9031e585f58f01b638f2afe5e9e128a63994ee05e77a0f5e2ff4/analysis/
Malwr (Downloadable sample): https://malwr.com/analysis/ZTBhNjBjZjc5NWUxNDdiYTg3YzE2Yjc5YjlhNWE2MTc/

File name: Steam Inventory Stealer – Builder.exe
File size: 443.0 KB ( 453632 bytes )
First seen: 2014-11-21
MD5: 2f8b66e5ca6f4d569b05f7ebf9b41457
SHA1: b30351911491fcf8809c1e469c80f393c506ef1d
SHA256: 4f6c96c12f72fbf6095fd8484f985d244d61b2153644430736e2d854790e644a
ssdeep: 6144:v83x+y+eLq/dEWPSWpNJ+ulGtfxqr6WB4F+tbhx4MWwblGwsPtIGacnW:vx7/dEWP3GxtJw4McpgDsPrakW
VirusTotal: https://www.virustotal.com/en/file/4f6c96c12f72fbf6095fd8484f985d244d61b2153644430736e2d854790e644a/analysis/
Malwr (Downloadable sample): https://malwr.com/analysis/MTQzMGIzYWNhYWYyNGNlNGI3NGM3ZTk0MTQ5ODkxOGY/

File name: SteamTradeHacker-v.3.6.exe
File size: 257.0 KB ( 263168 bytes )
First seen: 2014-11-22
MD5: e834f7a3c508f24e29caf336e27d408d
SHA1: 8874a35610d391a493f21618a01d79976f6a2ba5
SHA256: 737d7ac17382252ce0f7bf185e54675d42568057c23917d58189c1b8c0065478
ssdeep: 6144:GYLZOFDdMbLq/dEWPSWpNJ+ulGtfxqr6WB4F+tbhx:5ZCp/dEWP3GxtJw4M
VirusTotal: https://www.virustotal.com/en/file/737d7ac17382252ce0f7bf185e54675d42568057c23917d58189c1b8c0065478/analysis/
Malwr (Downloadable sample): https://malwr.com/analysis/YjBmMGU5OWY2NTczNDZlNGIzYzE1MDYzYTAxY2ZjYjY/

File name: Stub.exe
File size: 354.5 KB ( 363008 bytes )
First seen: 2014-11-29
MD5: dc88276de2ad28c7af2578e7f691b285
SHA1: 17bd2037abcc9a248cfb3e991be3e6e73bcfad18
SHA256: 4016e2a60be405e610245db9a87c807354c51db557a49103520f69b280f338dc
ssdeep: 6144:DIqY6P0o2WU0dLq/dEWPSWpNJ+ulGtfxqr6WB4F+tbhxtq4i3:cqYjocZ/dEWP3GxtJw4Mxq1
VirusTotal: https://www.virustotal.com/en/file/4016e2a60be405e610245db9a87c807354c51db557a49103520f69b280f338dc/analysis/
Malwr (Downloadable sample): https://malwr.com/analysis/N2YxZDU3M2M1YzdkNDIzOGE2Mjk3ZjQ0MGM3YjYwYjY/
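The sample records above (and the ‘SteamDouble.exe’ record near the top of the post) are written in a regular ‘Field: value’ layout, so they can be turned into structured IOCs rather than copied by hand. The script below is an added example, not the post's tooling: it parses the records, checks that each hash is well-formed and that the KB and byte sizes agree, groups the samples into families with a rough stand-in for ssdeep's comparison (hashes are only comparable at equal or adjacent block sizes, and must then share a 7-character window, which is ssdeep's own minimum), and emits a YARA rule over the SHA256 values. The embedded input is a constructed subset: five of the post's records trimmed to four fields each. The ssdeep grouping reproduces the observation made above that the 6144-block-size builder outputs share a common core, while ‘SteamDouble.exe’ and ‘HashChanger.exe’ stand apart.

```python
"""Parse the sample records at the end of this post into IOCs, sanity-check
them, cluster them by ssdeep and emit a YARA hash rule.  Added example, not
the post's tooling; the record text below is copied from the post (four
fields per sample) and the ssdeep comparison is a rough approximation."""
import re
from collections import defaultdict

# Constructed input: five of the post's records, trimmed to four fields each.
SAMPLE_RECORDS = """\
File name: SteamDouble.exe
File size: 69.0 KB ( 70656 bytes )
SHA256: 21c93477c200563fea732253f0eb2814b17b324e5d533a7c347b1bd7c6267987
ssdeep: 1536:NrNoD6y4E/+JWiiVUIekBixa7vq5KwSTPxkjL/Gv:NrNADqWii2IekBMa7v9wSYY

File name: Cracked SSE Builder.exe
File size: 363.5 KB ( 372224 bytes )
SHA256: 700c38b312e1404b5d488767e1f45171848af00d4232cf9c2338e76e7648eb59
ssdeep: 6144:ODrM4scvXCPGrLq/dEWPSWpNJ+ulGtfxqr6WB4F+tbhxd:ODr/sGXoT/dEWP3GxtJw4Mp

File name: ESAntiCheat.exe
File size: 257.5 KB ( 263680 bytes )
SHA256: f3abc0a2eaf9128833722e6db6c7e34b7228345a983991ba165f5eecb59d5141
ssdeep: 6144:RTfzI+RCaduLCrLq/dEWPSWpNJ+ulGtfxqr6WB4F+tbhx:RTblEB3/dEWP3GxtJw4M

File name: HashChanger.exe
File size: 544.0 KB ( 557056 bytes )
SHA256: c5e77e7b716c52bdd674e21e921d6b4a0bf09f5fd8d019c5e9e1835045124b65
ssdeep: 12288:58srPC/lUx539N3dPysQvxcRy1uvdy2jZZJAmnI/v:51b4qTzFDQvx65w2ymI

File name: SSE_Stealer_76561197960568995.exe
File size: 253.0 KB ( 259072 bytes )
SHA256: 3668b53bcb4f9031e585f58f01b638f2afe5e9e128a63994ee05e77a0f5e2ff4
ssdeep: 6144:tnFRpTJrYEYpsEzLq/dEWPSWpNJ+ulGtfxqr6WB4F+tbhx:tnFRpTJ1Y8/dEWP3GxtJw4M
"""

FIELD_RE = re.compile(r"^([^:]+): (.*)$")   # 'Field: value' (ssdeep values contain ':' but not ': ')
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64}
MATCH_WINDOW = 7  # ssdeep only scores two hashes that share a 7-char substring

def parse_records(text):
    """Split blank-line-separated 'Field: value' blocks into dicts."""
    records, cur = [], {}
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if m:
            cur[m.group(1)] = m.group(2).strip()
        elif not line.strip() and cur:
            records.append(cur)
            cur = {}
    return records + ([cur] if cur else [])

def validate(rec):
    """Problems with one record: missing/malformed hashes, KB vs bytes mismatch."""
    problems = ["SHA256 missing"] if "SHA256" not in rec else []
    for field, n in HEX_LEN.items():
        if field in rec and not re.fullmatch(r"[0-9a-f]{%d}" % n, rec[field]):
            problems.append("%s malformed" % field)
    m = re.fullmatch(r"([\d.]+) KB \( (\d+) bytes \)", rec.get("File size", ""))
    if not m:
        problems.append("File size malformed")
    elif abs(int(m.group(2)) / 1024 - float(m.group(1))) > 0.1:
        problems.append("File size: KB and byte counts disagree")
    return problems

def _share_window(a, b):
    grams = {a[i:i + MATCH_WINDOW] for i in range(len(a) - MATCH_WINDOW + 1)}
    return any(b[i:i + MATCH_WINDOW] in grams for i in range(len(b) - MATCH_WINDOW + 1))

def ssdeep_related(sig_a, sig_b):
    """Rough stand-in for ssdeep's compare: hashes are only comparable at equal
    or adjacent (2x) block sizes, and must then share a MATCH_WINDOW substring."""
    bs_a, a1, a2 = sig_a.split(":", 2)
    bs_b, b1, b2 = sig_b.split(":", 2)
    if bs_a == bs_b:
        return _share_window(a1, b1) or _share_window(a2, b2)
    if int(bs_a) == 2 * int(bs_b):
        return _share_window(a1, b2)
    if int(bs_b) == 2 * int(bs_a):
        return _share_window(a2, b1)
    return False

def cluster_by_ssdeep(records):
    """Union-find the records into families of related ssdeep hashes, largest first."""
    parent = list(range(len(records)))
    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i
    for i in range(len(records)):
        for j in range(i + 1, len(records)):
            if ssdeep_related(records[i]["ssdeep"], records[j]["ssdeep"]):
                parent[find(i)] = find(j)
    groups = defaultdict(list)
    for i, rec in enumerate(records):
        groups[find(i)].append(rec["File name"])
    return sorted(groups.values(), key=len, reverse=True)

def yara_hash_rule(records, name="steam_stealer_samples"):
    """YARA rule matching any listed SHA256 (needs YARA's 'hash' module)."""
    conds = " or\n            ".join('hash.sha256(0, filesize) == "%s"' % r["SHA256"] for r in records)
    return ('import "hash"\n\nrule %s\n{\n    condition:\n'
            '        filesize < 2MB and (\n            %s\n        )\n}\n' % (name, conds))

RECORDS = parse_records(SAMPLE_RECORDS)

if __name__ == "__main__":
    for rec in RECORDS:
        print(rec["File name"], validate(rec) or "ok")
    print(cluster_by_ssdeep(RECORDS))
    print(yara_hash_rule(RECORDS))
```

For real triage the `ssdeep_related` stand-in should be replaced by the `ssdeep` library's `compare`, which also weights the edit distance; the window check here is only the gate ssdeep applies before scoring, and it is enough to separate the builder's output from the two unrelated samples.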

By admin