Steam malware is becoming a lucrative business

Mar 15, 2016 14:46 GMT  ·  By

Joint research by Kaspersky Lab and Bart P, an independent security researcher with a history of unmasking Steam-targeting cybercrime campaigns, provides some insight into how most of today's Steam Stealer malware works, along with the social engineering behind it.

In Steam's first years, malware targeting the platform was timid and very rare, but things escalated after Valve introduced in-game trades and auctions, giving users and criminals alike a reason to think up ways of stealing from other players.

This has led to the proliferation of Steam-targeting malware, with Steam saying in December that it receives around 77,000 complaints per month about various types of account hacking.

Steam malware is extremely cheap

Another reason for this rise in "Steam crime" is the malware's low price. If you ever happen to visit an underground forum these days, you'll find that so-called Steam Stealers, malware specialized in stealing Steam login credentials or game inventory items, are some of the cheapest malware available online.

With most prices being in the $1-10 range, rarely going above $30, Kaspersky says that "buying a stealer on a shady Internet forum can cost more in time than in money."

Researchers also say that most "Steam hacking" services these days are offered as MaaS, or Malware-as-a-Service: the operator provides the malware and the infrastructure it runs on, the buyer takes care of distribution, and the two share the profits afterward.

Researchers say that most Steam Stealer malware families are quite simple, and that what really sets them apart is the social engineering tricks each criminal group employs to spread its malware.

Most of these campaigns target users in a particular country and are usually limited to one game at a time, rarely two or three, and those games are typically related to each other in some way.

Criminals are targeting people interested in accelerating the Steam trade process and are using a wide variety of tactics. Most criminal groups are from Eastern Europe and Russia, and in most cases, they have targeted Counter-Strike: Global Offensive, one of Steam's most popular games, where inventory goods are often traded and bought via auction (bidding) sites.

But what are the most frequent techniques seen in today's Steam Stealer malware?

Kaspersky has seen multiple trends in Steam Stealer distribution and mode of operation. These trends are constantly evolving, mainly to avoid detection by security products, but also because users educate and protect themselves as particular distribution scams become more widely known.

In the past, Kaspersky has watched Steam Stealer malware families evolve from using no protection at all to shielding their code with obfuscators, to promoting themselves through fake TeamSpeak or fake game servers, to using PasteBin links to fetch the actual malware payload, and to hosting their malicious code on Dropbox, Google Docs and Copy.com.

Steam Stealer malware also gained the ability to bypass Steam's CAPTCHA utility and even added support for NetSupport, a remote control software package that helped Steam Stealers evolve from ordinary information-stealing malware to complete RATs (Remote Access Trojans).

Additional past trends included sites made to look like Imgur, LightShot or SavePic, services where gamers usually host their screenshots, as well as malware-laced binaries for popular VoIP communication software such as TeamSpeak and RazerComms. All of these are well documented, and most users have eventually learned to avoid them by downloading software only from its official homepage.

Steam Stealers are evolving into full-blown RATs

Today, Kaspersky says, Steam Stealer gangs have moved on to AutoIt wrappers to make analysis and detection harder, and to fake gambling sites, including fake deposit bots. These trends are a natural evolution and are keeping users and researchers on their toes.

Other recent trends, which we also reported on recently, include the use of Chrome extensions to carry out inventory thefts via JavaScript on game item gambling sites. Most players are becoming immune to this trick, though, since they have learned that there is no secret way around Steam's new trade protection features.

Another recent trend saw Steam Stealer operators working hard to integrate their malicious code with full-blown RATs such as NanoCore or DarkComet, previously seen only in advanced cyber-espionage and financial theft campaigns. At that point, though, a Steam Stealer that can spy on the whole system is no longer a Steam Stealer; it is simply a RAT with a Steam module.

As things stand, Steam Stealer malware is reaching the same maturity and complexity seen in other malware, even if its operators still use it to steal petty things such as fictitious game items.

Its low price also tempts some teenagers to experiment with malware distribution, which unfortunately can pave the way for a future career in cybercrime.

If you're curious to find out more details about Steam Stealers in general and their distribution campaigns, we recommend taking a look at the Steam Stealers report.

[Image: The control panel of the Coailii Steam malware]
[Image: Website advertising the Steam Predator malware]