{"id":6521,"date":"2017-02-06T10:54:07","date_gmt":"2017-02-06T18:54:07","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/02\/06\/news-349\/"},"modified":"2017-02-06T10:54:07","modified_gmt":"2017-02-06T18:54:07","slug":"news-349","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/02\/06\/news-349\/","title":{"rendered":"Watch Out For Fake Online Gaming Sites And Their Malicious Executables"},"content":{"rendered":"<p><strong>Credit to Author: <span id=\"author_name\">Lilia Elena Gonzalez Medina<\/span> | Date: Mon, 06 Feb 2017 10:15:32 -0800<\/strong><\/p>\n<div class=\"entry\">\n<p>Every year during holiday seasons, the number of phishing websites increases. This is particularly true for online gaming distribution platforms. In some cases, users not only have their login credentials stolen, but they also end up downloading and executing malicious executables. As expected, the more popular a platform is, the more targeted it will be, which is why this research blog focuses on two malware samples obtained from fake Origin and Steam websites.<\/p>\n<p align=\"center\"><img decoding=\"async\" alt=\"Fake Origin phishing website\" src=\"https:\/\/d3gpjj9d20n0p3.cloudfront.net\/ngblog\/uploads\/files\/steam-malware001.png\" style=\"width: 969px; height: 577px;\" \/><\/p>\n<p align=\"center\">Figure 1. Fake Origin phishing website<\/p>\n<h2>Origin Malware Sample<\/h2>\n<p>In addition to phishing websites that steal user credentials, we also examined a number of blogs that were being blocked by the Fortiguard Web Filtering Service. The content of these blogs seemed non-malicious at first, but after looking at the source code we discovered obfuscated JavaScript that repeatedly redirected to a URL from a Russian website until an executable was downloaded.
This process was supposed to take place without the user&rsquo;s intervention; however, due to a coding error the sample could not be downloaded automatically, and the blog websites displayed this error instead:<\/p>\n<p align=\"center\"><img decoding=\"async\" alt=\"Malicious blog intended to download malware\" src=\"https:\/\/d3gpjj9d20n0p3.cloudfront.net\/ngblog\/uploads\/files\/weebly.png\" style=\"width: 1514px; height: 838px;\" \/><\/p>\n<p align=\"center\">Figure 2. Malicious blog intended to download malware<\/p>\n<p>Despite this, all the redirections still worked, and we were able to manually download a malware sample.<\/p>\n<p align=\"center\"><img decoding=\"async\" alt=\"Downloaded malware sample\" src=\"https:\/\/d3gpjj9d20n0p3.cloudfront.net\/ngblog\/uploads\/files\/downloadedfile.PNG\" style=\"width: 1043px; height: 685px;\" \/><\/p>\n<p align=\"center\">Figure 3. Downloaded malware sample<\/p>\n<p>All the malicious websites we examined had four things in common:<\/p>\n<blockquote>\n<ul>\n<li>They were all hosted on weebly.com<\/li>\n<li>They all contained obfuscated JavaScript<\/li>\n<li>They all included a variable holding the string &ldquo;ea+origin+download+slow&rdquo; or &ldquo;origin-mediafire&rdquo;<\/li>\n<li>This string was also found in the targeted URL, and the variable in which it was stored was later used as a parameter to download a malicious executable<\/li>\n<\/ul>\n<\/blockquote>\n<p align=\"center\"><img decoding=\"async\" alt=\"Obfuscated code found on the malicious websites\" src=\"https:\/\/d3gpjj9d20n0p3.cloudfront.net\/ngblog\/uploads\/files\/steam-malware008.png\" style=\"width: 1018px; height: 444px;\" \/><\/p>\n<p align=\"center\">Figure 4.
Obfuscated code found on the malicious websites<\/p>\n<p>In the case of the downloaded sample we collected, the malware was called <a href=\"https:\/\/virustotal.com\/en\/file\/807fc0e1c60a552ef96bb4e1eeed40f70cf309d8d82d8d8a48290f907d6e6b4d\/analysis\/1481325610\/\">QSc.exe<\/a>, just like the variable shown in the first script. It is detected as Riskware\/Kryptik.FKCR by the Fortinet AntiVirus service.<\/p>\n<p>Once the entire pattern was identified, it was easy to find similar websites. The list of affected websites can be found at the end of this blog. The downloaded file is categorized as aggressive Adware, not in terms of persistence, but because of the number of malicious executables that it downloads and executes.<\/p>\n<h3>Functionality<\/h3>\n<p>After executing, the sample malware created several files, including two shortcuts on the Desktop that redirected to different websites in the domain wait3sec.org. When examined, these website links redirected the user to online games. However, these games seem to have been removed.<\/p>\n<p align=\"center\"><img decoding=\"async\" alt=\"Shortcuts created by the sample\" src=\"https:\/\/d3gpjj9d20n0p3.cloudfront.net\/ngblog\/uploads\/files\/steam-malware010.png\" style=\"width: 753px; height: 305px;\" \/><\/p>\n<p align=\"center\">Figure 5. Shortcuts created by the sample<\/p>\n<p>Below is a list of other folders and files created, ordered by the executable that created them:<\/p>\n<p>The file 969699066d18t7181076.dll uses two persistence mechanisms:<\/p>\n<blockquote>\n<ul>\n<li>It creates a scheduled task that runs daily, every hour, and at system startup.
After it is executed, this DLL also creates other applications in C:\\Windows\\Temp.<\/li>\n<li>It adds a value named &ldquo;wd&rdquo;, containing its own path, under HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce.<\/li>\n<\/ul>\n<\/blockquote>\n<p>The sample Qsc.exe uses another persistence mechanism known as shortcut hijacking, which consists of replacing the shortcuts of Google Chrome, Mozilla Firefox, and Internet Explorer with new ones that, when clicked, execute a batch file that opens a malicious URL in the specified browser. The following files are created in %USERPROFILE%\\AppData\\Roaming\\Browsers:<\/p>\n<blockquote>\n<ul>\n<li>chrome.bat.exe<\/li>\n<li>firefox.bat.exe<\/li>\n<li>iexplore.bat.exe<\/li>\n<li>exe.emorhc.bat<\/li>\n<li>exe.erolpxei.bat<\/li>\n<li>exe.xoferif.bat<\/li>\n<\/ul>\n<\/blockquote>\n<p>Firefox.bat.exe and iexplore.bat.exe are copies of the legitimate browsers installed, whereas chrome.bat.exe is an older version of the legitimate Chrome installed.<\/p>\n<p align=\"center\"><img decoding=\"async\" alt=\"Browser shortcuts created by the malware\" src=\"https:\/\/d3gpjj9d20n0p3.cloudfront.net\/ngblog\/uploads\/files\/steam-malware012.png\" style=\"width: 890px; height: 217px;\" \/><\/p>\n<p align=\"center\">Figure 6. Browser shortcuts created by the malware<\/p>\n<p align=\"center\"><img decoding=\"async\" alt=\"Content of the batch files\" src=\"https:\/\/d3gpjj9d20n0p3.cloudfront.net\/ngblog\/uploads\/files\/steam-malware014.png\" style=\"width: 901px; height: 654px;\" \/><\/p>\n<p align=\"center\">Figure 7. Content of the batch files<\/p>\n<p>After removing unnecessary characters, each batch file contains one of the following commands, depending on the target browser.
Note that the URL in the commands varies:<\/p>\n<blockquote>\n<p>start &quot;&quot; &quot;c:\\PROGRA~1\\MOZILL~1\\firefox.exe&quot; hxxp:\/\/ic.loadblanks.ru\/c\/02037a282dd7fbaf?&quot;<\/p>\n<p>start &quot;&quot; &quot;c:\\PROGRA~1\\INTERN~1\\iexplore.exe&quot; hxxp:\/\/ic.loadblanks.ru\/c\/02037a282dd7fbaf?&quot;<\/p>\n<p>start &quot;&quot; &quot;c:\\PROGRA~1\\google\\chrome\\APPLIC~1\\chrome.exe&quot; hxxp:\/\/ic.loadblanks.ru\/c\/02037a282dd7fbaf?&quot;<\/p>\n<\/blockquote>\n<p>Finally, the sample run.exe drops DLLs in C:\\ProgramData, creates firewall rules to allow incoming connections to rundll32.dll, and schedules tasks to execute the dropped DLLs every hour, every day.<\/p>\n<h2>Steam Malware Sample<\/h2>\n<p>From time to time, Steam platform users receive fake emails or chat messages pretending to be from Steam, trying to trick them into giving away their credentials or downloading malware. In fact, it&rsquo;s not too hard to find a sample due to the many complaints and warnings about this problem on videogame forums. According to users, the most common tactics used by attackers to convince users to click on malicious URLs include: claiming to have a <a href=\"http:\/\/steamcommunity.com\/sharedfiles\/filedetails\/?id=717266575\">video<\/a> or picture that includes the victim or contains something shocking or funny, adding a <a href=\"http:\/\/jcsocal.blogspot.mx\/2014\/12\/steam-phish-and-broken-malware.html\">friend<\/a> to their accounts, and fake <a href=\"https:\/\/blog.malwarebytes.com\/cybercrime\/2014\/11\/rogue-scr-file-links-circulating-in-steam-chat\/\">trade offers<\/a>. And although Steam works hard to <a href=\"https:\/\/support.steampowered.com\/kb_article.php?ref=4020-ALZM-5519#what\">protect<\/a> its <a href=\"http:\/\/store.steampowered.com\/news\/19618\/\">users<\/a>, determined attackers always find a way to evade security mechanisms.
<\/p>\n<p>Between August and December of last year, some users of the Steam platform warned about chat messages with a link to &ldquo;see some pictures,&rdquo; which instead downloaded a file called picture46.scr, a malicious .NET executable protected with an unknown obfuscator. The language specified in the NeutralResourcesLanguage attribute is Romanian, which hints at the possible origin of the sample.<\/p>\n<h3>Functionality<\/h3>\n<p>The functionality of this sample is divided into three executables. The first one constantly checks whether the process egui.exe, which corresponds to ESET&rsquo;s NOD32 antivirus, is running and, if it is, terminates it.<\/p>\n<p align=\"center\"><img decoding=\"async\" alt=\"Function that checks the presence of NOD32\" src=\"https:\/\/d3gpjj9d20n0p3.cloudfront.net\/ngblog\/uploads\/files\/steam-malware016.png\" style=\"width: 502px; height: 78px;\" \/><\/p>\n<p align=\"center\">Figure 8. Function that checks the presence of NOD32<\/p>\n<p>It then reads some bytes from the .text section of the PE, stores them in the array byte_0, and decrypts them using the Rijndael cipher.<\/p>\n<p align=\"center\"><img decoding=\"async\" alt=\"Function that decrypts the second malicious executable\" src=\"https:\/\/d3gpjj9d20n0p3.cloudfront.net\/ngblog\/uploads\/files\/steam-malware018.png\" style=\"width: 747px; height: 315px;\" \/><\/p>\n<p align=\"center\">Figure 9. Function that decrypts the second malicious executable<\/p>\n<p>The decrypted content of byte_0 is actually <a href=\"https:\/\/www.virustotal.com\/es\/file\/74a2383a02ab1eb7ce85465bcd10c995c85dc214394cd182ad66f05f886878a5\/analysis\/1485164868\/\">another malicious<\/a> .NET executable called ClsFrm.exe. In this case, the obfuscator was detected as DeepSea 4.1. Note that the first bytes of the array are the decimal representation of &ldquo;MZ&rdquo;.
This dropped code is injected into a newly created explorer.exe process.<\/p>\n<p align=\"center\"><img decoding=\"async\" alt=\"First bytes of the decrypted malware\" src=\"https:\/\/d3gpjj9d20n0p3.cloudfront.net\/ngblog\/uploads\/files\/steam-malware020.png\" style=\"width: 348px; height: 265px;\" \/><\/p>\n<p align=\"center\">Figure 10. First bytes of the decrypted malware<\/p>\n<p>The second executable, ClsFrm.exe, checks for processes called &ldquo;avgui&rdquo; (AVG), &ldquo;avpui&rdquo; (Kaspersky) or &ldquo;avastui&rdquo; (Avast). Other anti-analysis and anti-VM techniques used by the sample include:<\/p>\n<blockquote>\n<ul>\n<li>Looks for the usernames: USER, SANDBOX, VIRUS, MALWARE, SCHMIDTI, CURRENTUSER.<\/li>\n<li>Checks whether the retrieved path contains these strings: \\VIRUS, SANDBOX, SAMPLE, C:\\file.exe.<\/li>\n<li>Gets the manufacturer and model from <a href=\"https:\/\/msdn.microsoft.com\/en-us\/library\/aa394102(v=vs.85).aspx\">Win32_ComputerSystem<\/a> and looks for these strings: VIRTUAL, vmware, VirtualBox.<\/li>\n<li>Uses GetModuleHandle to check if SbieDll.dll (for Sandboxie) was loaded.<\/li>\n<li>Uses Sleep to evade dynamic analysis systems.<\/li>\n<\/ul>\n<\/blockquote>\n<p>Once these checks pass, the sample takes the 32 bitmap files from its resources and decrypts them to proceed with the third stage of its execution.<\/p>\n<p align=\"center\"><img decoding=\"async\" alt=\"Bitmap files in the resources section of the second .NET sample\" src=\"https:\/\/d3gpjj9d20n0p3.cloudfront.net\/ngblog\/uploads\/files\/steam-malware022.png\" style=\"width: 604px; height: 387px;\" \/><\/p>\n<p align=\"center\">Figure 11. Bitmap files in the resources section of the second .NET sample<\/p>\n<p>The pictures in Figure 11, which look like a bunch of colorful pixels, are stored one by one in the array byte_0, which is later sent to the decrypting function.
First, it computes the MD5 hash of the string &ldquo;UnDhsRiosnW&rdquo; and stores the first 8 bytes in an array, which the DES decryption function (smethod_0) uses as both the key and the IV.<\/p>\n<p align=\"center\"><img decoding=\"async\" alt=\"Process to decipher the bitmap files\" src=\"https:\/\/d3gpjj9d20n0p3.cloudfront.net\/ngblog\/uploads\/files\/steam-malware024.png\" style=\"width: 856px; height: 86px;\" \/><\/p>\n<p align=\"center\">Figure 12. Process to decipher the bitmap files<\/p>\n<p>The result goes through the same decryption procedure again to obtain the strings in Figure 13, which are later stored as keys and values in a dictionary and describe important aspects of the malware&rsquo;s functionality. For example, the value of the key &ldquo;Install.Filename&rdquo; is &ldquo;svchost.exe&rdquo;, which is the name that the sample uses to copy itself inside the Music directory.<\/p>\n<p align=\"center\"><img decoding=\"async\" alt=\"Strings obtained from the bitmap files\" src=\"https:\/\/d3gpjj9d20n0p3.cloudfront.net\/ngblog\/uploads\/files\/steam-malware026.png\" style=\"width: 751px; height: 214px;\" \/><\/p>\n<p align=\"center\">Figure 13. Strings obtained from the bitmap files<\/p>\n<h2>Steam Stealer<\/h2>\n<p>Finally, the third sample, the one that contains the payload, is generated using DeflateStream. The decompressed executable is a Steam Stealer obfuscated with Agile.NET.
This file contains two interesting resources: a picture with a fake Steam warning and a string with the following message:<\/p>\n<blockquote>\n<p align=\"center\">&ldquo;Steam Guard has detected a suspicious login and trade attempt from this account<\/p>\n<p align=\"center\">To protect your account and items we will hold them for 3 days with Escrow system<\/p>\n<p align=\"center\">You need to accept hold items in your Steam Mobile Authenticator in section &#39;Confirmations&#39;<\/p>\n<p align=\"center\">Otherwise Steam is not responsible for your account and we will lock it for 30 days<\/p>\n<p align=\"center\">due to our security rules.&rdquo;<\/p>\n<\/blockquote>\n<p align=\"center\"><img decoding=\"async\" alt=\"Fake Steam warning of suspicious behavior\" src=\"https:\/\/d3gpjj9d20n0p3.cloudfront.net\/ngblog\/uploads\/files\/steam-malware028.png\" style=\"width: 1248px; height: 491px;\" \/><\/p>\n<p align=\"center\">Figure 14. Fake Steam warning of suspicious behavior<\/p>\n<p>When this program is executed, it waits until steamwebhelper.exe is running, which is a legitimate process started after Steam.exe. It then uses the regular expression &quot;7656119[0-9]{10}%7c%7c[A-F0-9]{40}&quot; to find the Steam ID of the user in its memory. However, this only works if the user is logged in. The stealer then creates a cookie container using this value and the domain &ldquo;steamcommunity.com&rdquo; and sends it in an HTTP GET request to obtain the Session ID.<\/p>\n<p align=\"center\"><img decoding=\"async\" alt=\"Code of the HTTP request using the cookie created by the malware\" src=\"https:\/\/d3gpjj9d20n0p3.cloudfront.net\/ngblog\/uploads\/files\/steam-malware030.png\" style=\"width: 1212px; height: 281px;\" \/><\/p>\n<p align=\"center\">Figure 15. 
Code of the HTTP request using the cookie created by the malware<\/p>\n<p>It then obtains a list of the items that the user is selling on the Steam market, particularly from the games Dota 2, Counter-Strike: Global Offensive, and Team Fortress 2, using their appIDs to retrieve the specific items denoted in string_3 and string_4 in Figure 16, below. The profile for the Steam ID is private (string_0), so no information could be obtained from it.<\/p>\n<p align=\"center\"><img decoding=\"async\" alt=\"Important strings used by the stealer\" src=\"https:\/\/d3gpjj9d20n0p3.cloudfront.net\/ngblog\/uploads\/files\/steam-malware032.png\" style=\"width: 898px; height: 135px;\" \/><\/p>\n<p align=\"center\">Figure 16. Important strings used by the stealer<\/p>\n<p>Afterwards, a trade offer is sent to the account of the malicious actor, who ends up stealing all the interesting items from the account of the victim.<\/p>\n<p align=\"center\"><img decoding=\"async\" alt=\"Trade offer created to send the stolen items\" src=\"https:\/\/d3gpjj9d20n0p3.cloudfront.net\/ngblog\/uploads\/files\/steam-malware034.png\" style=\"width: 1317px; height: 231px;\" \/><\/p>\n<p align=\"center\">Figure 17. Trade offer created to send the stolen items<\/p>\n<p>The stealer also uses Steam&rsquo;s Web API to connect to the chat (\/ISteamWebUserPresenceOAuth\/Logon\/v0001) and to send a message (\/ISteamWebUserPresenceOAuth\/Message\/v0001) with the text &ldquo;ahaha, lol hxxp:\/\/webpictures.trade\/picture46&rdquo; to keep propagating itself to other Steam users.<\/p>\n<p align=\"center\"><img decoding=\"async\" alt=\"Code for the chat message to propagate itself\" src=\"https:\/\/d3gpjj9d20n0p3.cloudfront.net\/ngblog\/uploads\/files\/steam-malware036.png\" style=\"width: 851px; height: 250px;\" \/><\/p>\n<p align=\"center\">Figure 18.
Code for the chat message to propagate itself<\/p>\n<h2>Origin IoCs<\/h2>\n<h3>URLs<\/h3>\n<h3>Other IP addresses and URLs obtained from the memory dump of rundll32.exe<\/h3>\n<h3>Files<\/h3>\n<h2>Steam IoCs<\/h2>\n<h3>URLs<\/h3>\n<p>webpictures.trade\/picture46<\/p>\n<h3>Files<\/h3>\n<p>c4aa4f91cc27f8cbfa29f3b6c75744b42310efa39976edcde00ec95dd9dae294 <a href=\"https:\/\/www.virustotal.com\/es\/file\/c4aa4f91cc27f8cbfa29f3b6c75744b42310efa39976edcde00ec95dd9dae294\/analysis\/\">picture46.scr<\/a><\/p>\n<p>74a2383a02ab1eb7ce85465bcd10c995c85dc214394cd182ad66f05f886878a5 <a href=\"https:\/\/www.virustotal.com\/es\/file\/74a2383a02ab1eb7ce85465bcd10c995c85dc214394cd182ad66f05f886878a5\/analysis\/1485164868\/\">ClsFrm.exe<\/a><\/p>\n<p>c0e5af88e6f4dbc0978e82d1b1891b0dcbecffec4bbd5e9d2c8ec67d9a024e0d <a href=\"https:\/\/www.virustotal.com\/es\/file\/c0e5af88e6f4dbc0978e82d1b1891b0dcbecffec4bbd5e9d2c8ec67d9a024e0d\/analysis\/1485906846\/\">streamdump.exe<\/a><\/p>\n<\/div><br \/><a
href=\"http:\/\/blog.fortinet.com\/2017\/02\/06\/watch-out-for-fake-online-gaming-sites-and-their-malicious-executables\" target=\"bwo\" >https:\/\/blog.fortinet.com\/feed<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/d3gpjj9d20n0p3.cloudfront.net\/ngblog\/uploads\/files\/steam-malware001.png\"\/><br \/>Every year during holiday seasons, the number of phishing websites increases. This is particularly true for online gaming distribution platforms. In some cases, users not only have their login credentials stolen, but they also end up downloading and executing malicious executables. As expected, the more popular a platform is, the more targeted it will be, which is why this research blog focuses on two malware samples obtained from fake Origin and Steam websites.        Figure 1. Fake Origin phishing website    Origin Malware Sample    In addition&#8230;<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10424,10378],"tags":[],"class_list":["post-6521","post","type-post","status-publish","format-standard","hentry","category-fortinet","category-security"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/6521","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=6521"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/6521\/revisions"}],"wp:attac
hment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=6521"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=6521"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=6521"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}