Yesterday, I stumbled on a post where a Reddit user named Haydaddict was alerting people about some hacked Steam accounts spreading malware. As I am always interested in new malware, I took a look to see what could be discovered.
According to the post, the hacked accounts were being used to spam suspicious links over Steam chat. These chat messages would tell the recipient to go to videomeo.pw to watch a video.

When the target went to the page, they would be greeted with a message stating that they needed to update Flash Player in order to watch the video.

If a target downloads the installer and executes it, they will find that it does not appear to do anything. This is because the Flash Player installer is actually a Trojan that executes a PowerShell script called zaga.ps1, which will download a 7-zip archive, 7-zip extractor, and a CMD script from the zahr.pw server.

Once the files are downloaded, the PowerShell script will then launch the CMD file, which will extract the sharchivedmngr to the %AppData%\lappclimtfldr folder and configure Windows to automatically start the mcrtvclient.exe program when a user logs in. This program is actually a renamed copy of the NetSupport Manager Remote Control Software.
When the program is launched, it will connect to the NetSupport gateway at leyv.pw:11678 and await commands. This allows the attacker to remotely connect to the infected computer and take control over it.

For those who are concerned they are infected with this Steam Trojan, I suggest they check the %AppData% folder for the lappclimtfldr folder described above.
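As an added example (not part of the original article), the following PowerShell check looks for the indicators described above on a suspected host: the dropped folder, the renamed NetSupport client, an autostart entry pointing at it, and a live connection to the gateway port. It assumes the autostart is a Run registry key, which the article does not specify, and it deliberately does not resolve or contact leyv.pw.

```powershell
# Added host check for the article's indicators (not the article's own code).
# Assumption: persistence is a Run key under HKCU or HKLM; the key name is unknown,
# so entries are matched by the folder/binary name rather than by key name.
$indicatorFolder = Join-Path $env:APPDATA 'lappclimtfldr'
$indicatorExe    = 'mcrtvclient.exe'
$gatewayPort     = 11678   # leyv.pw:11678 per the article; matched by port only, no DNS lookup

$findings = @()

# 1. Dropped folder and the renamed NetSupport Manager client inside it
if (Test-Path $indicatorFolder) {
    $findings += "Folder present: $indicatorFolder"
    Get-ChildItem -Path $indicatorFolder -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -ieq $indicatorExe } |
        ForEach-Object { $findings += "Client binary present: $($_.FullName)" }
}

# 2. Autostart entries referencing the folder or the binary
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip provider metadata (PSPath, PSDrive, ...)
        $value = "$($p.Value)"
        if ($value -match [regex]::Escape($indicatorExe) -or $value -match 'lappclimtfldr') {
            $findings += "Run entry '$($p.Name)' in $key -> $value"
        }
    }
}

# 3. Running client process and any established connection to the gateway port
Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.ProcessName -ieq 'mcrtvclient' } |
    ForEach-Object { $findings += "Process running: $($_.ProcessName) (PID $($_.Id))" }

Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    Where-Object { $_.RemotePort -eq $gatewayPort } |
    ForEach-Object { $findings += "Connection to $($_.RemoteAddress):$($_.RemotePort) from PID $($_.OwningProcess)" }

if ($findings.Count -eq 0) { 'No indicators from the article found.' } else { $findings }
```

Run it from an elevated prompt so the HKLM Run key and other users' processes are readable; a hit on any of the three checks warrants isolating the machine and removing the Run entry and folder.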
Furthermore, all users must be careful with what links they visit and what downloads they install. These days it is becoming more and more frequent for accounts to be hacked and then for attackers to use them to distribute malware. Stay vigilant, be careful, and make sure you have an antivirus software installed.
Comments
Starkman - 8 years ago
Hey, thanks very much for the information. Much appreciated.
blueicetwice - 8 years ago
Thank you for the excellent piece, Mr Abrams!
Also wishing you well in your bleeping lawsuit.
granada12 - 8 years ago
This is a new variant. Last year one of my Steam friends sent me a message with a link in it. But it was automated, not remotely operated.
You should never have your information automatically filled in or saved. You never know, he could send a great gift to himself, paid for through your wallet. :p
Pugglerock - 8 years ago
It's where the two step authentication comes in handy. I have steam on my phone for Steam Guard, so if someone does unfortunately manage to get a hold of my details, they won't be able to log in without the code generated from my phone.
granada12 - 8 years ago
"It's where the two step authentication comes in handy. I have steam on my phone for Steam Guard, so if someone does unfortunately manage to get a hold of my details, they won't be able to log in without the code generated from my phone. "
True, I'm set up that way too. Very useful. :-)
FilledWithHate - 8 years ago
I wonder if having set the "ExecutionPolicy" in PowerShell to "Restricted" would have helped. Windows 10 brilliantly comes WFO in that regard. I'm not advising anyone to do the same, but I ran "Set-ExecutionPolicy Restricted" and left it that way.
Daedalus_ - 7 years ago
What if I downloaded the installer on mobile but didn't run it?
Lawrence Abrams - 7 years ago
Then you are fine. Malware cannot hurt you unless it's executed in some way.