Back at the end of November I started to spot some Steam-stealing malware in a backdoored Mumble installer:
— Yonathan Klijnsma (@ydklijnsma)
Samples of this kind of stealer appeared more and more often. Around the middle of December I had ended up with 14 unique samples that were being actively spread around (see the end of this post for hashes and downloads for these samples):
All of them except one are around 250kb or more in size. Only one sample, called ‘SteamDouble.exe’, was 69kb in size:
File name: SteamDouble.exe
File size: 69.0 KB ( 70656 bytes )
First seen: 2014-12-07
Malwr (Downloadable sample): https://malwr.com/analysis/NDQwMzE3ZTI4OTc5NGZkYmI4MDc4YzhhNDMwOGFmNjA/
The ‘SteamDouble.exe’ sample came from a link originally sent in a Steam chat message. The text of the message was: “lol, wtf? http://img-pic[.]com/image612_14[.]jpeg”. When visiting this link the server on the other end responded with:
HTTP/1.1 301 Moved Permanently
Date: Sun, 04 Jan 2015 14:15:03 GMT
Content-Type: text/html; charset=iso-8859-1
This was a redirect towards a Google shortlink: “goo[.]gl/QaidJm”. In turn this shortlink redirects towards the ‘steamdouble[.]com’ website:
It advertises the so-called ‘CS:GO Skin Duplicator’. The files for this tool are hosted on a Russian file-sharing service called ‘exfile.ru’. The website itself also features a video showing the usage of the tool:
The video shows a tool which, as the tool’s name says, allows a user to duplicate CS:GO items. In the video it links to ‘csgoskinduplication[.]com’, which is the exact same website as ‘steamdouble[.]com’. The sample I grabbed back when I first saw this appear was not obfuscated or crypted. The current version available from the site has a crypted fake DLL which is decrypted and then run. This payload is the same one I will be showing in the further analysis, just packed/crypted. It seems that when the guy behind this first started he didn’t care about packing/crypting his payload.
The ‘SteamDouble.exe’ payload is written in C#. Throwing it into a tool like ILSpy gives us a nice set of source code files, especially because the author didn’t obfuscate any of the code. Just by looking at the project title ‘Stealer’ and the folder names inside the project like ‘SteamStealer’ we get a clear indication of what this sample does:
The first folder named ‘Steam4NET’ contains a modified, stripped or old version of the Steam4NET open source .NET wrapper around the Steamworks C++ interfaces hosted on Github: https://github.com/SteamRE/Steam4NET
Looking at the main function we see that the first thing it does is download an image, which is stored in the appdata folder and shown to the user:
The image that is downloaded and displayed is a screenshot of a Russian Dota 2 account with the items it has available. (The original message sent via Steam chat was an ‘image’ link, so this makes sense as a way to hide its real purpose.) The downloaded image:
The second part of the main function is where the actual ‘Steam stealing’ takes place:
First it creates a new SteamWorker and adds an ‘offer’ which is used to trade items. The Steam cookies are parsed and, as long as there are Steam cookies (i.e. the user is logged in to Steam), it will run the ‘Spam.SpamInFriendList’ function, which contains the message that got me onto the sample in the first place: “lol, wtf? http://img-pic[.]com/image612_14[.]jpeg”.
After this it adds the items it wants to steal, which is a long list of items this guy is interested in. The last step is where it actually sends the trade offer with those items to his own account. On the other end the guy only has to accept the trade offers (or have some automated way of doing it) and the items will belong to him. Very simple, but an effective way of stealing items.
Going back to the original ‘addOffer’ function if we look at the arguments it expects we can find who is behind this (or at least the account used for the malicious trading):
The first argument to this function is the user’s Steam ID. This can be put in a SteamCommunity URL to go to the user’s profile. The URL for this is: ‘http://steamcommunity.com/profiles/
At the bottom, the user commented some trade URLs containing the ID and token; these are the same values used for the ‘addOffer’ function’s 2nd and 3rd arguments.
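As an added example (not code from the post or from the stealer), here is the pivot a practitioner would script when tying the ‘addOffer’ arguments together: a trade-offer URL carries the partner account id and a token, and that account id maps to the 17-digit SteamID64 in a /profiles/ URL by a fixed offset, so the profile id in the first argument and the partner id in the trade URL can be checked against each other. The trade URL, account id and token below are constructed values; the 8-character token shape is an assumption used only as a sanity check.

```python
import re
from urllib.parse import parse_qs, urlparse

# SteamID64 of account id 0 for an individual account in the public universe.
# A /profiles/<id> URL carries this base plus the 32-bit account id.
STEAMID64_BASE = 76561197960265728

# Assumption: trade tokens are 8 URL-safe characters (used only as a sanity check).
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{8}$")
PROFILE_RE = re.compile(r"https?://(?:www\.)?steamcommunity\.com/profiles/(\d{17})/?")

# Constructed sample, not taken from any real profile.
CONSTRUCTED_TRADE_URL = "https://steamcommunity.com/tradeoffer/new/?partner=123456&token=AbCdEfGh"


def parse_trade_url(url: str) -> tuple:
    """Return (partner_account_id, token) from a trade-offer URL, or raise ValueError."""
    u = urlparse(url)
    if u.hostname not in ("steamcommunity.com", "www.steamcommunity.com"):
        raise ValueError("not a steamcommunity.com URL")
    if u.path.rstrip("/") != "/tradeoffer/new":
        raise ValueError("not a trade-offer URL")
    q = parse_qs(u.query)
    if "partner" not in q or "token" not in q:
        raise ValueError("partner/token missing")
    partner, token = q["partner"][0], q["token"][0]
    if not partner.isdigit() or int(partner) == 0:
        raise ValueError("partner is not an account id")
    if not TOKEN_RE.match(token):
        raise ValueError("token has an unexpected shape")
    return int(partner), token


def is_trade_url(url: str) -> bool:
    try:
        parse_trade_url(url)
        return True
    except ValueError:
        return False


def parse_profile_url(url: str) -> int:
    """Return the SteamID64 from a /profiles/<id> URL (vanity /id/ URLs need a lookup and are rejected)."""
    m = PROFILE_RE.fullmatch(url)
    if not m:
        raise ValueError("not a /profiles/<steamid64> URL")
    return int(m.group(1))


def account_id_to_steamid64(account_id: int) -> int:
    if not 0 < account_id < 2**32:
        raise ValueError("account id out of range")
    return STEAMID64_BASE + account_id


def steamid64_to_account_id(steamid64: int) -> int:
    account_id = steamid64 - STEAMID64_BASE
    if not 0 < account_id < 2**32:
        raise ValueError("not an individual public-universe SteamID64")
    return account_id


def steamid2(account_id: int) -> str:
    # STEAM_0:Y:Z with account id = 2*Z + Y
    return f"STEAM_0:{account_id & 1}:{account_id >> 1}"


def steamid3(account_id: int) -> str:
    return f"[U:1:{account_id}]"


def profile_url(account_id: int) -> str:
    return f"http://steamcommunity.com/profiles/{account_id_to_steamid64(account_id)}"


def same_account(profile_steamid64: int, trade_url: str) -> bool:
    """True when addOffer's first argument (a SteamID64) and the trade URL's partner id agree."""
    partner, _ = parse_trade_url(trade_url)
    return steamid64_to_account_id(profile_steamid64) == partner


def pivots(trade_url: str) -> dict:
    """Every identifier form worth searching for, derived from one trade URL."""
    partner, token = parse_trade_url(trade_url)
    return {
        "account_id": partner,
        "token": token,
        "steamid64": account_id_to_steamid64(partner),
        "steamid2": steamid2(partner),
        "steamid3": steamid3(partner),
        "profile_url": profile_url(partner),
    }


if __name__ == "__main__":
    for k, v in pivots(CONSTRUCTED_TRADE_URL).items():
        print(f"{k}: {v}")
```

The SteamID2 and SteamID3 forms are included because forum posts and game server logs usually carry those rather than the 17-digit id, so they are the strings to search for once the account id is known.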
Looking at this user’s inventory doesn’t show a very large number of items, but it could be that this is just a middle-man account used to trade the items onwards:
Another interesting thing from this profile is the comments it leaves on other gamers’ profiles:
The comment is pretty much the same message it spams around via the Steam chat ‘Spam.SpamInFriendList’ function.
This sample stood out and appears to be a custom thing created by a criminal specifically for his own needs. The other samples, however, did not match this sample, and not only in size.
The Steam Stealer Extreme service
Of the 14 samples I obtained, the ‘SteamDouble’ sample stood out from the bunch due to its size. The other 13 are all around 250kb in size.
Throwing any of the 250kb and bigger samples into ILSpy gives us the same decompilation structure:
This tells me it’s the same tool/stealer used in all of these samples. Looking at the functions inside the decompiled code we see similar functionality to the ‘SteamDouble’ stealer:
It can gather the Steam cookie, add items to be stolen, post comments (on profile pages) to spread, and also has two functions indicating a spreading mechanism towards friends (be it Steam chat or profile comments): ‘SpreadToFriends’ and ‘SpreadToFriendsUsingChat’.
Just by looking at these functions we get a clear picture of what the purpose of this malware is. The builder used for these samples does obfuscate some of the code, which causes some trouble for the decompiler. Of course it can be fixed, but seeing as the purpose of this thing is already clear I’m not going to waste time on cleaning up all the samples.
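The namespace and function names called out above (‘Steam4NET’, ‘SteamStealer’, ‘SpamInFriendList’, ‘SpreadToFriends’, ‘SpreadToFriendsUsingChat’) together with the chat lure are enough for a quick string-level triage of new samples before opening ILSpy. The following Python is an added example, not code from the post or from the stealer: it looks for the metadata names as NUL-terminated UTF-8 (how the .NET #Strings heap stores type and method names) and for string literals as UTF-16LE (how the #US heap stores them), then defangs any URL it finds for reporting. The sample bytes are a constructed stand-in with a fake heap layout, not one of the real files, and the scoring threshold is an arbitrary assumption.

```python
import re

# Indicators named in the ILSpy decompilation of the samples discussed above.
NAME_INDICATORS = (
    "Steam4NET",
    "SteamStealer",
    "SpamInFriendList",
    "SpreadToFriends",
    "SpreadToFriendsUsingChat",
)

ASCII_RUN = re.compile(rb"[\x20-\x7e]{6,}")              # like `strings -a`
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")      # like `strings -el` (.NET #US heap)
URL_RE = re.compile(r"https?://[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]+")


def extract_strings(blob: bytes):
    """Yield printable runs in both encodings a .NET binary uses for names and literals."""
    for m in ASCII_RUN.finditer(blob):
        yield m.group().decode("ascii")
    for m in UTF16_RUN.finditer(blob):
        yield m.group().decode("utf-16-le")


def defang(url: str) -> str:
    """Make an indicator safe to paste into a report: http -> hxxp, '.' -> '[.]' in the host."""
    scheme, rest = url.split("://", 1)
    host, sep, path = rest.partition("/")
    return f"{scheme.replace('http', 'hxxp')}://{host.replace('.', '[.]')}{sep}{path}"


def find_name_indicators(blob: bytes) -> dict:
    """Match NUL-terminated UTF-8 names, so 'SpreadToFriends' is not just a prefix hit
    on 'SpreadToFriendsUsingChat'. Returns {name: [offsets]}."""
    hits = {}
    for name in NAME_INDICATORS:
        needle = name.encode("ascii") + b"\x00"
        offsets = [m.start() for m in re.finditer(re.escape(needle), blob)]
        if offsets:
            hits[name] = offsets
    return hits


def find_urls(blob: bytes) -> list:
    urls = []
    for s in extract_strings(blob):
        for u in URL_RE.findall(s):
            if u not in urls:
                urls.append(u)
    return urls


def triage(blob: bytes) -> dict:
    """Score a blob on the post's indicators; threshold of 2 is an assumption, not a tuned value."""
    names = find_name_indicators(blob)
    urls = find_urls(blob)
    score = len(names) + sum(1 for u in urls if "img-pic.com" in u)
    return {
        "names": names,
        "urls": [defang(u) for u in urls],
        "score": score,
        "verdict": "likely Steam stealer" if score >= 2 else "inconclusive",
    }


def build_constructed_sample() -> bytes:
    """Constructed stand-in for a sample: a fake #Strings heap (UTF-8, NUL-separated, leading
    empty string) and a fake #US heap (UTF-16LE literals) with junk around them. Not a real file."""
    names = ("Stealer", "Steam4NET", "SteamStealer", "SpamInFriendList", "SpreadToFriendsUsingChat", "Main")
    strings_heap = b"\x00" + b"\x00".join(n.encode("ascii") for n in names) + b"\x00"
    literals = ("lol, wtf? http://img-pic.com/image612_14.jpeg", "Steam Stealer Extreme")
    us_heap = b"".join(s.encode("utf-16-le") + b"\x00\x00" for s in literals)
    return b"MZ" + b"\x90" * 64 + strings_heap + b"\xcc" * 32 + us_heap + b"\x00" * 16


if __name__ == "__main__":
    result = triage(build_constructed_sample())
    print(result["verdict"], result["score"])
    for name, offsets in result["names"].items():
        print(f"  {name} @ {offsets}")
    for url in result["urls"]:
        print(f"  {url}")
```

Run it against a real file with `triage(open(path, "rb").read())`; a packed or crypted build (like the current version on the ‘steamdouble’ site) will score low until the payload is unpacked, which is exactly the caveat string triage carries.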
The more interesting question here is what ‘Steam Stealer Extreme’ is. By simply googling for it you can find the ‘sales’ website located at steamstealer[.]com, steamstealer[.]org and steamstealer[.]net. It has the title ‘Steam Stealer Extreme’, which is marketed as ‘Revolutionizing the Steam Item Stealing Industry’, erhm… yes.
An about section details some more information on ‘the product’:
Steam Stealer Extreme is the new Steam Stealer completely custom coded (you can PM us and get some proof if you want!) and functions well. Steam Stealer Extreme is not like other steam stealers which is based off the same code as found on the Russian forum where it was leaked. It has extra features like filters (which are properly coded) and spreading your file via commenting on the client’s friends’ profiles * NEW * Spreads Via Chat! We’re a no bullshit product with little disadvantages. Our stealer does work and will work until Steam decide to patch the methods used. Steam Stealer Extreme is about getting the items you want and when you want.
They also have some videos showing how it works on their YouTube channel: https://www.youtube.com/channel/UC7MjY8duE1xh-tTWpAsj_o
The site also contains an image of the ‘builder’ for the stealer:
A list of features for the stealer:
Information on how to purchase ‘Steam Stealer Extreme’, which is currently only available via Bitcoin payment:
And at the bottom there’s also some contact information:
Looking at the registration dates, the .com, .org and .net websites for ‘Steam Stealer Extreme’ were all registered on 2014-11-16 and are all hosted on a VPS owned by OVH France at 184.108.40.206.
The contact section on the site lists an email address under the handle ‘brynaldo8’. Interestingly, if you simply google for this email address you will find the following Pastebin post, which contains a database dump with the (hashed) password for ‘LaPanthere’, the name this guy goes by:
(Originally located at: http://pastebin.com/QaeS2D17)
The ‘LaPanthere’ guy also has a Pastebin account at http://pastebin.com/u/LaPanthere:
Combining ‘LaPanthere’ and ‘brynaldo8’ also turns up a dump from a post by Brian Krebs about ‘ragebooter’ being hacked. That dump also contains the user details of ‘LaPanthere’, but with a hotmail.com email address instead of gmail.com:
(Original dump located at: http://krebsonsecurity.com/wp-content/uploads/2013/08/ragebooter.txt)
Finding this guy’s Steam profile is also easy; it actually matches the avatar from the Pastebin account. (Steam profile: http://steamcommunity.com/id/lapanthere):
This shows ‘LaPanthere’ is an Australian guy.
I won’t go any further into this person’s identity as I’m not here to make personal allegations against someone. All I am going to say about it is that this person is rather sloppy with the trail he is leaving behind. Finding out ‘LaPanthere’s real identity is not that hard and only a few steps away from what I’ve shown.
I would expect a bit more from someone running a service like this, but keeping in mind his public profile(s) are on hackforums and leakforums it says enough :).
As for the ‘Steam Stealer Extreme’ malware going around: just don’t start running everything that is sent to you via chat messages or comments. Should your items get stolen, send a message to Valve support staff explaining your situation; they will be able to help you out.
Detection-wise, antivirus products are still somewhat behind on detecting this one properly, but it’s getting there (slowly).
All the samples I’ve shown are available for download from Malwr, see the next section for details and links to all the files, enjoy!
Steam Stealer Extreme samples:
Note: These are not all the Steam Stealer Extreme samples out there. These are just the ones I found while focusing on finding out what they were and where they came from, back in November through December 2014.
File name: Cracked SSE Builder.exe
File size: 363.5 KB ( 372224 bytes )
First seen: 2014-11-25
Malwr (Downloadable sample): https://malwr.com/analysis/MWNkYWQwYmRjZGQ3NGUyNWJmZDY5ODA2YTgwOTQ3Nzc/
File name: CSGO Hack v1 – Coded by Empathy.exe
File size: 355.0 KB ( 363520 bytes )
First seen: 2014-12-03
Malwr (Downloadable sample): https://malwr.com/analysis/YmEzYzBkOWNmYWIyNGEwZjgyOGYyMTdhMDljNGFjOGQ/
File name: CSGO Multi-Hack by LionHacks.exe
File size: 499.0 KB ( 510976 bytes )
First seen: 2014-11-26
Malwr (Downloadable sample): https://malwr.com/analysis/ZWM1NTcxYWYwOWIwNDhlZGEwNTdjNWQzMWJlNTA4NDI/
File name: CsgoSound.exe
File size: 282.2 KB ( 289002 bytes )
First seen: 2014-12-03
Malwr (Downloadable sample): https://malwr.com/analysis/NjFkY2Q2OGM4OTBiNDNlNjhjMmMzYTY3Nzg0NmM5MDI/
File name: Easy Trader.exe
File size: 445.0 KB ( 455680 bytes )
First seen: 2014-11-20
Malwr (Downloadable sample): https://malwr.com/analysis/MjM4NWNmMWI2YTg3NDdiMTgxYjcwYWJiOTc0MGUxYWU/
File name: ESAntiCheat.exe
File size: 257.5 KB ( 263680 bytes )
First seen: 2014-11-25
Malwr (Downloadable sample): https://malwr.com/analysis/MzBiMDJlYmEwNTkwNDE0MDliMjdmNTdhMDcyZTRjOGE/
File name: HashChanger.exe
File size: 544.0 KB ( 557056 bytes )
First seen: 2014-11-23
Malwr (Downloadable sample): https://malwr.com/analysis/MTllYWE2NzM4NWYwNGE1M2IyZDkxNjJmNjk2NjZmZmM/
File name: Knife Exploit.exe
File size: 444.0 KB ( 454656 bytes )
First seen: 2014-11-29
Malwr (Downloadable sample): https://malwr.com/analysis/YWIyMGY0OWZhNTUyNDVjY2EyYjgxNTE1MmEzNDgzNDg/
File name: SSBuilder.exe
File size: 619.0 KB ( 633856 bytes )
First seen: 2014-11-29
Malwr (Downloadable sample): https://malwr.com/analysis/NzgyYWNhN2I1ZjM4NGUwMDgzYTRkNjViNmYxYWMyOWI/
File name: SSE_Stealer_76561197960568995.exe
File size: 253.0 KB ( 259072 bytes )
First seen: 2014-11-21
Malwr (Downloadable sample): https://malwr.com/analysis/ZTBhNjBjZjc5NWUxNDdiYTg3YzE2Yjc5YjlhNWE2MTc/
File name: Steam Inventory Stealer – Builder.exe
File size: 443.0 KB ( 453632 bytes )
First seen: 2014-11-21
Malwr (Downloadable sample): https://malwr.com/analysis/MTQzMGIzYWNhYWYyNGNlNGI3NGM3ZTk0MTQ5ODkxOGY/
File name: SteamTradeHacker-v.3.6.exe
File size: 257.0 KB ( 263168 bytes )
First seen: 2014-11-22
Malwr (Downloadable sample): https://malwr.com/analysis/YjBmMGU5OWY2NTczNDZlNGIzYzE1MDYzYTAxY2ZjYjY/
File name: Stub.exe
File size: 354.5 KB ( 363008 bytes )
First seen: 2014-11-29
Malwr (Downloadable sample): https://malwr.com/analysis/N2YxZDU3M2M1YzdkNDIzOGE2Mjk3ZjQ0MGM3YjYwYjY/