Latest Steam Malware Shows Signs of RAT Activity

We have been alerted to a recent Steam scam, thanks to one gamer who is quick to inform her friends in the gaming platform’s Activity feed about her encounter with a suspected bot account.

Gamer Patrizza Vampizza posted the screenshot below as a warning about this current modus operandi:


Hey! We had a competition in the group pressureskin! Prizes - [URL]

You have been selected one of 10 random winners!

Choose any 5 item from the list on the screen!!

“Pressure” Skin is actually quite a popular group on Steam, with members numbering in the thousands. Like Patricia, others within the group appear to have received the same message, but from different private accounts. They may indeed be bots, but it is also possible that they are compromised accounts currently being used to spread the malicious link via Steam chat.

When users click the URL on the spam message, which is ptrnscr[DOT]su/jE8j3L/, they are directed to this page and the file, Screenshot_3.scr (MD5 FCA73DC665FF51022A7291B76B554809), is automatically downloaded from the Box file-sharing site account:


On the desktop, this .scr file looks like this (enlarged for better visibility):

The blue squiggles you see are part of the image.

Once executed, affected users won’t see anything happening on their desktop, as most of the action occurs in the background. They won’t see Screenshot_3.scr reading information about the system; dropping several files, two of them malicious; suppressing the error messages the system would otherwise show them; or connecting to an IP address in Russia via a port normally used by the DarkComet RAT. Material on how to steal Steam credentials with this particular malware has been available on the Web for more than a couple of years now. As such, it is not really a new tactic; however, it is a tactic hardly known to most users.

If you want to read more of the technical stuff about this Screenshot_3.scr, you can go to this Hybrid Analysis page.

Malwarebytes Anti-Malware detects the malicious .scr file as Trojan.Crypt.RV. Users are also protected from accessing the download site.

We have been featuring Steam malware distributed via chat for quite a while now. Yet, we continue to see users fall for the same tactic. To date, more than 1,500 have clicked ptrnscr[DOT]su/jE8j3L/, thinking that it is actually sent to them by a fellow Steam member. Below is a geographical breakdown of these clicks, courtesy of Bitly:


Never click links in messages sent your way, especially if they are packaged as some sort of contest, without checking other sources for the message’s legitimacy. “Trust, but verify,” as they say, and we would be wise to do so. Furthermore, members of the Steam community must continue to look after themselves and each other by reporting suspicious accounts to Steam and telling their friends about them.

For those who think they have been hacked, please change your password and we encourage you to tell your Steam friends about your experience.

Stay safe!

Jovi Umawing

Apple’s Workflow For Enterprise iOS App Distribution Vulnerable To Attack

Millions of iPhones and iPads running iOS 9 can be exploited if enrolled in mobile device management, Check Point Software says.

Security vendor Check Point Software Technologies has sounded the alarm on an apparent weakness in Apple’s application distribution workflow for enterprises that it says gives attackers an opening to install malware on iPhones and iPads used by enterprise users.

The SideStepper flaw affects iOS 9 devices enrolled with an enterprise Mobile Device Management (MDM) system and can be exploited to take complete control of vulnerable devices, Check Point warned. Potentially millions of iOS 9 devices enrolled in enterprise MDM systems are vulnerable to attack.

In a white paper, Check Point researchers Avi Bashan and Ohad Bobrov described the flaw as enabling adversaries to execute a man-in-the-middle (MITM) attack to intercept communications between a managed iOS device and the MDM server. Such an attack would allow threat actors to install malware of their choice on a vulnerable device and take full control of it without the user’s knowledge.

But in order to pull it off, an attacker first must compromise the user’s device.

The SideStepper vulnerability exists in the process that Apple offers to enterprises for installing internally developed iOS applications on iPhones and iPads.

Typically, users who want to download an iOS app can only get it through Apple’s official App Store, unless of course they have jailbroken their device. All apps in the App Store go through a thorough security review and vetting process and are digitally signed by Apple before they are available for download. Usually, only Apple-signed applications can run on non-jailbroken iOS devices.

Apple offers an Apple Developer Enterprise program for organizations that want to develop and install their own iOS apps without having to go through the company’s usual vetting process. For such organizations, Apple offers a signed enterprise certificate that can be used to sign internally developed iOS apps so they can be installed on enterprise iPhones and iPads.

Such enterprise certificates have been frequently abused in the past to distribute malicious and pirated applications. As Bashan and Bobrov note in the white paper, third-party app stores have in the past registered themselves as legitimate enterprises with Apple in order to obtain signed enterprise certificates from the company, which they have then used to distribute third-party apps.

In 2015, the issue gained considerable attention when the Hacking Team took advantage of an Apple enterprise certificate it owned and a previously discovered flaw dubbed Masque Attack to distribute a malicious app to devices running iOS versions 8.1.3 and earlier.

In order to address the shortcomings, Apple introduced some tighter security measures for enterprise app installation with the release of iOS 9, the two security researchers said. Enterprise users for instance have to go through a “maze of settings screens” to confirm the app’s developer when they want to install an enterprise iOS app on their devices for the first time, they said.

“Apple did leave a loophole, however,” according to Bashan and Bobrov. “iOS natively trusts any app installed by MDM solutions, which are exclusively used by businesses.”

So by intercepting communications between a managed iOS device and the MDM server, an attacker could install malware over-the-air on devices running iOS 9. In order to exploit the SideStepper weakness using an MITM attack, however, an attacker would first need to find a way to compromise a user’s device and get it to route traffic to a malicious server. Such a compromise can be accomplished via a phishing attack, Check Point said.

“The vulnerability is actually in the way Apple implemented this fix for making enterprise apps more difficult to install,” says Avi Rembaum, vice president of security solutions at Check Point. The changes that Apple made to the app distribution workflow in iOS 9 add several steps intended to make it clear to users that they are doing something that is not typical behavior for an average user, he says.

“[But], it doesn’t address over-the-air installation of malicious enterprise apps should an attacker stage a MITM attack on a device’s communication with an MDM,” he says.

Attacks of this type theoretically could be exploited on a mass scale, Rembaum says. “But it’s more likely that it’d be used to target a specific individual, or groups of individuals.”

Check Point says it informed Apple of the problem in October 2015. “Apple responded in November 2015 that the behavior the research team demonstrated ‘is expected,’” Check Point said.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication.


Symantec: Financial Trojans Declined By 73% In 2015

Symantec detected far fewer financial Trojans in 2015 and saw cybercriminals focus more of their efforts directly on financial institutions.

Symantec detected 73 percent fewer financial Trojans last year, and a surge in targeted malware incidents.

The drop in financial Trojan infections in 2015 came amid a 232% increase since 2014 in malware families targeting some 93 organizations, according to Symantec’s newly published Financial Threat 2015 report.

Candid Wueest, principal threat researcher with Symantec’s security response team, warns that the drop in detections does not mean financial Trojans will soon be a thing of the past, however.

“Unfortunately, that’s one of the most misleading [findings] because you can think the problem is going away,” he says. Detections of financial Trojan infections continue to decrease this year, but Wueest says it may be because attackers are getting better at infiltrating the right targets, the ones that yield the most success in defrauding accounts.

Another significant finding from the research, says Wueest, is a shift in where attackers strike: More cybercriminals are directly targeting the financial institutions themselves rather than their bank customers. The recent attack on Bangladesh’s central bank that resulted in the loss of $80 million, is one example of that trend, according to Wueest.

The average number of targeted URL patterns per sample found by Symantec was 283 in 2015, an increase of 405% — meaning that every financial institution could be a target, Wueest says. 

The decrease in detected financial Trojans could also be attributed to better overall detection capabilities of security software, Wueest says. “We would block it before we would even know there would be a financial Trojan download,” he says.

Recent takedowns by the FBI and the European Cybercrime Task Force also may have affected the decline in the number of financial Trojans detected — including the shutdown of a few Dridex networks in October and a Dyre group takedown in November in Russia. 

But Kurt Baumgartner, principal security researcher at Kaspersky Lab, says his firm saw an increase in financial Trojan infections in 2015 and is also seeing that trend continue in 2016.

“According to our data, more folks around the globe are getting duped into attempting to run financial Trojans on their systems. This statistic seems to be the most significant, because it tells us that crooks are getting smarter about how they are getting financial Trojans in front of people,” Baumgartner says.

Ransomware is on the rise, as is the number of ransomware families being developed. “In addition, the sheer volume of ransomware being deployed increased, whether it was through spam, compromised servers, or malvertising,” Baumgartner says. 

Symantec’s Wueest also notes that an increase in ransomware could have influenced the drop in the number of financial Trojans detected. “The group behind Dridex … they actually started to send out ransomware instead of the financial Trojan and we suspect that there might be one or two other groups that started to do this as well,” he says, adding that this is not a new phenomenon. 

The tactics of cybercriminals using financial Trojans haven’t evolved much in the last couple of years, he says. “They’re still mostly using man-in-the-browser attacks” as well as business email compromise (BEC) attacks, he says.

While financial institutions are getting better at detecting fraudulent transactions and law enforcement is working together with the security industry to go after cybercriminals, at the end of the day, Wueest says, it’s important to remember that the tactics cybercriminals use to get Trojans onto financial systems are not rocket science.

“It’s still that a lot of people are naïve, maybe even gullible, and should probably be more vigilant when they do transactions online,” Wueest says. 

Emily Johnson is an Associate Editor on UBM America’s Content Marketing team. Prior to this role, Emily spent four and a half years in content and marketing roles supporting the UBM America’s IT events portfolio.


When It Comes To Cyberthreat Intelligence, Sharing Is Caring

Shared cyberthreat intelligence will soon be a critical component of security operations, enabling organizations to better protect their digital assets and respond more quickly to emerging threats.

On March 17, the US Department of Homeland Security announced the deployment of the Automated Indicator Sharing (AIS) system, which allows the exchange of cyberthreat intelligence among private and public organizations. Increasing the breadth and speed of information sharing will reduce the number of security compromises, enabling all types of organizations to better defend themselves against emerging threats.

There is almost unanimous agreement among security professionals that cyberthreat information is valuable to their organizations. However, as we dig deeper into the attitudes and implementation barriers to sharing that information, we find myths and significant reticence.

First, let’s define cyberthreat intelligence and dispel a significant myth. Cyberthreat intelligence comprises details and metadata about suspicious and malicious activity, including attack vectors, weaknesses that are being exploited, and mitigation or containment actions. It does not contain any personally identifiable information, even when sharing a file reputation.

Next, let’s look at which threat and reputation data people are willing — and unwilling — to share. Intel Security recently surveyed almost 500 security professionals globally and found that about three-quarters of those involved with and knowledgeable about cyberthreat intelligence sharing are willing to pass on information about the behavior of observed malware. Malware details have been shared for a long time, typically with an incumbent vendor or nonaligned security organization. What is surprising is that this figure is not closer to 100%. 

Around half of the security professionals surveyed are also willing to share reputation info on URLs, external IP addresses, and security certificates. This increased reluctance to share is typically attributed to company policy or industry regulations and often comes from concerns about legal repercussions from the entities that are identified as being potentially malicious.

Finally, only about one-third are willing to share file reputations, probably due to concerns about accidentally releasing some sensitive or confidential information in the file. Yet cyberthreat intelligence-sharing systems calculate a unique one-way hash to represent the file that is being convicted — this is the only data that leaves the corporate system — and the file cannot be recreated in any way using this value.

Sharing More Valuable Than Secrecy

Increasing support for cyberthreat-intelligence technical standards will help people understand exactly what is and is not included in a threat record and will broaden industry implementations. Although some organizations believe they stand a better chance of identifying and catching bad guys by themselves if they keep the attack details private, more and more realize that the changing nature of attacks makes sharing more valuable than secrecy. Standardization will also make it easier to combine and correlate multiple discrete observations into a larger and more accurate picture of a particular threat.

Catching modern, adaptive attacks is difficult for traditional endpoint and firewall defenses working in isolation because the attacks often mutate every few hours or days, faster than signature updates and scanning tools can keep up. The trend toward targeted attacks is also increasing interest in industry-specific cyberthreat intelligence. Although there are still barriers to overcome before cyberthreat intelligence sharing is widespread, those barriers are falling as successes are publicized and regulations are enacted to provide liability protection. Within a couple of years, shared cyberthreat intelligence will be a critical component of security operations, enabling organizations to better protect their digital assets and respond more quickly to emerging threats. 

Vincent Weafer is Senior Vice President of Intel Security, managing more than 350 researchers across 30 countries. He’s also responsible for managing millions of sensors across the globe, all dedicated to protecting our customers from the latest cyber threats.
