This week the popular malware researcher Lawrence Abrams from Bleepingcomputer.com has found a worrisome message on Reddit. The Reddit user with the moniker Haydaddict was warning of the existence of compromised Steam accounts spreading a Remote Access Trojan (RAT).
“Quinn Lobdell hacked on Steam. Please be aware if others try to send you sketchy links. Scrub Killa and Jessie affected as well.” reads the post.
The accounts were used to send chat messages containing links to videomeo.pw to watch a video.
“When the target went to the page, they would be greeted with a message stating that they needed to update Flash Player in order to watch the video.” explained Lawrence Abrams in a blog post.
The trick is quite simple and leverages on the user’s curiosity when it downloads and executes the Flash Player installer apparently nothing happens, but in reality the victim has opened its machine to the attacker.
The Flash Player installer executes a PowerShell script (zaga.ps1) that downloads a 7-zip archive, 7-zip extractor, and a CMD script from a remote server (http://zahr[.]pw).
The PowerShell then launches the CMD file, which extracts the sharchivedmngr to the %AppData%\lappclimtfldr folder and configures Windows to automatically start an instance of the NetSupport Manager Remote Control Software, renamed as mcrtvclient.exe, when the victim logs in.
When the victims will log in the infected machine, the NetSupport Manager will connect to the NetSupport gateway at leyv.pw:11678 and await commands, at this point the attacker has complete control over the victim’s machine.
“For those who are concerned they are infected with this Steam Trojan, I suggest they check the %AppData% folder for the specified folders.” suggests Lawrence Abrams in order to check if the system is compromised.
Every time you visit a link be careful, and make sure to have installed up to date defense solutions.
(Security Affairs – Hacked Steam accounts, malware)