Malware poses as an image file, connects Czech Republic IP

Nov 17, 2014 10:56 GMT

A piece of malware aimed at stealing Steam account credentials has been making the rounds for at least a week, targeting gamers through the platform’s chat client, and is being delivered from a Google Drive account that is still active.

It’s no secret that the vigilance of gamers on Steam is constantly tested by luring them to click on malicious links posted in the chat box.

Some users are quick to spot the attack and stay away from the URLs, but others do fall victim to such attempts and end up with their Steam account hijacked.

An obvious scam can still claim victims

The scam is quite simple and is encountered on Steam more often than one would like. A gamer known as Onyx showed in an entry on Tumblr the standard approach used by the attackers: a simple message claiming to be from someone known to the potential victim entices them to click on a link (oftentimes shortened) under the pretext of finding more information about the alleged friend.

The URL in fact leads to malware, which, once installed on the system, steals the log-in data for the Steam account, according to Bart Blaze, malware researcher at Panda Security, who analyzed the sample and provided a technical overview in a blog post on Sunday.

Blaze explains that the malicious link proceeds to download a screensaver file (SCR), which is an executable, from Google Drive; the SCR purports to be a picture and even has an image as the file icon.

“Note that normally, the Google Drive Viewer application will be shown and this will allow you to download the .scr file. In this case, the string ‘&confirm=no_antivirus’ is added to the link, which means the file will pop up immediately asking what to do: Run or Save. (and in some cases download automatically),” he writes.

Most antivirus solutions protect against it

The researcher reported the file on Sunday, but no action appears to have been taken against it yet, as it is still available in Google’s cloud storage.

Luckily, most reputable antivirus solutions detect it and block it from being downloaded to the computer. 37 out of 55 antivirus engines on VirusTotal have no trouble quarantining it on the spot.

In the researcher’s analysis, it is noted that the malware connects to a server hosted in the Czech Republic, where the stolen information is probably uploaded.

Signs that Steam log-in information has been compromised by this threat include the presence of a process named “temp.exe,” “wrrrrrrrrrrrr.exe,” “vv.exe,” or one with a random name running on the system; this can be checked with Task Manager.
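As an added example (not code from the article or from the researcher’s analysis), a PowerShell triage script that automates the Task Manager check: it looks for running processes with the reported names and lists recently downloaded .scr files. The process names come from the report; the Downloads-folder sweep and the 14-day window are assumptions about where and when the Google Drive download would land.

```powershell
# Added triage script (not from the article): checks a Windows host for the
# indicators the report describes. Process names come from the article; the
# Downloads-folder sweep and 14-day window are assumptions.
$SuspectNames = @('temp.exe', 'wrrrrrrrrrrrr.exe', 'vv.exe')

# 1. Running processes whose image name matches one of the reported names.
#    Win32_Process exposes the full path and command line, which Task Manager
#    does not show by default. Variants with a random name are not caught by
#    this list; for those, review the ExecutablePath of unfamiliar processes.
$hits = Get-CimInstance Win32_Process |
    Where-Object { $SuspectNames -contains $_.Name.ToLower() } |
    Select-Object ProcessId, Name, ExecutablePath, CommandLine

if ($hits) {
    Write-Warning "Processes matching reported indicator names:"
    $hits | Format-Table -AutoSize
} else {
    Write-Output "No process matches the reported names."
}

# 2. Recently created screensaver executables in the user's Downloads folder.
#    An .scr file that arrived via a chat link and carries an image icon is the
#    delivery mechanism described in the article; legitimate .scr files rarely
#    land in this folder.
$downloads = Join-Path $env:USERPROFILE 'Downloads'
$recentScr = Get-ChildItem -Path $downloads -Filter '*.scr' -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTime -gt (Get-Date).AddDays(-14) } |
    Select-Object FullName, Length, CreationTime

if ($recentScr) {
    Write-Warning "Screensaver executables downloaded in the last 14 days:"
    $recentScr | Format-Table -AutoSize
} else {
    Write-Output "No recent .scr files under $downloads."
}
```

Run it from an elevated PowerShell session so that processes owned by other users are included in the Win32_Process listing.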

In case of compromise, users are advised to immediately change the password for the Steam account and scan the system with a reputable antivirus.

Photo Gallery (5 Images)

Bait for Steam user to click on malicious link
Malware tries to pass as an image file
Debug path contains steamstealer string