Latest Steam Malware Shows Signs of RAT Activity

We have been alerted to a recent Steam scam thanks to one gamer who was quick to warn her friends, via the gaming platform's Activity feed, about her encounter with a suspected bot account.

Gamer Patrizza Vampizza posted the screenshot below as a warning about the current modus operandi:

[Screenshot: steam-bot-mod]

Hey! We had a competition in the group pressureskin! Prizes - [URL]

You have been selected one of 10 random winners!

Choose any 5 item from the list on the screen!!

"Pressure" Skin is actually quite a popular group on Steam, with members numbering in the thousands. Like Patricia, others within the group appear to have received the same message, but from different private accounts. They may indeed be bots, but it is also possible that they are compromised accounts currently being used to spread the malicious link via Steam chat.

When users click the URL in the spam message, ptrnscr[DOT]su/jE8j3L/, they are directed to the page below, and the file Screenshot_3.scr (MD5 FCA73DC665FF51022A7291B76B554809) is automatically downloaded from an account on the Box file-sharing site:

[Screenshot: ptrnscr]

On the desktop, this .scr file looks like this (enlarged for better visibility):

[Screenshot: fake-screenie]

The blue squiggles you see are part of the image.

Once executed, affected users won't see anything happening on their desktop, as most of the action occurs in the background. They won't see Screenshot_3.scr reading information about the system; dropping several files, two of them malicious; suppressing the error messages the system would otherwise show them; or connecting to an IP address in Russia over a port normally used by the DarkComet RAT. Material on how to steal Steam credentials with this particular malware has been available on the Web for more than a couple of years now. As such, it is not really a new tactic; it is, however, one that is hardly known to most users.
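As an added illustration (not code from the original post), here is a small Python check a defender could run over a new download to flag the traits of the file described above: an executable screensaver extension hiding behind an image-like name, a PE header in the bytes, and a hash match against the MD5 given in this post. The file contents below are constructed stand-ins, and the image-like name pattern is an assumption.

```python
import hashlib
import re
from pathlib import PurePath

# MD5 of the Screenshot_3.scr sample reported in the post (taken from the page).
KNOWN_BAD_MD5 = {"fca73dc665ff51022a7291b76b554809"}

# Extensions Windows runs as programs even when the name suggests an image.
EXECUTABLE_EXTS = {".scr", ".exe", ".com", ".pif", ".bat", ".cmd"}
# Assumed pattern for names that look like a screenshot or picture.
IMAGE_LIKE_NAME = re.compile(r"^(screenshot|screenie|img|photo|pic)[_ -]?\d*$", re.IGNORECASE)


def inspect_download(name: str, data: bytes) -> dict:
    """Return a verdict for a downloaded file from its name and raw contents.

    Three independent signals are checked: an executable extension behind an
    image-like name, a PE ('MZ') header regardless of extension, and an MD5
    match against the sample from the post.
    """
    path = PurePath(name)
    ext = path.suffix.lower()
    stem = path.stem
    reasons = []
    if ext in EXECUTABLE_EXTS and IMAGE_LIKE_NAME.match(stem):
        reasons.append(f"executable extension {ext} behind image-like name {stem!r}")
    if data[:2] == b"MZ":
        reasons.append("PE executable header (MZ) in file contents")
    md5 = hashlib.md5(data).hexdigest()
    if md5 in KNOWN_BAD_MD5:
        reasons.append(f"MD5 {md5} matches known sample")
    return {"name": name, "md5": md5, "suspicious": bool(reasons), "reasons": reasons}


# Constructed inputs (not real malware): a fake PE stub named like the lure file,
# and the header of a genuine PNG image.
FAKE_SCR = b"MZ" + b"\x90" * 62 + b"This program cannot be run in DOS mode."
REAL_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16

if __name__ == "__main__":
    for fname, blob in (("Screenshot_3.scr", FAKE_SCR), ("Screenshot_3.png", REAL_PNG)):
        print(inspect_download(fname, blob))
```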

If you want to read more of the technical details about this Screenshot_3.scr, you can go to its Hybrid Analysis page.

Malwarebytes Anti-Malware detects the malicious .scr file as Trojan.Crypt.RV. Users are also protected from accessing the download site.

We have been covering Steam malware distributed via chat for quite a while now, yet we continue to see users fall for the same tactic. To date, more than 1,500 people have clicked ptrnscr[DOT]su/jE8j3L/, thinking it was actually sent to them by a fellow Steam member. Below is a geographical breakdown of these clicks, courtesy of Bitly:

[Screenshot: click-stats]

Never click links in messages sent your way, especially if they are packaged as some sort of contest, without checking other sources to confirm the message's legitimacy. "Trust, but verify," as they say, and we would be wise to do so. Furthermore, the Steam community must continue to look after itself by reporting suspicious accounts to Steam and telling friends about them.

If you think you have been hacked, please change your password, and we encourage you to tell your Steam friends about your experience.

Stay safe!

Jovi Umawing