In the starting few years, Steam malware was obsolete or pretty rare, but things changed when Valve decided to introduce in-game trades and auctions, giving hackers enough reason to target players and come up with ways to steal money.
Kaspersky and Bart P, an independent security researcher came together for a joint research on how most of today’s Steam Stealer malware works, along with the social engineering behind it.
There has been a tremendous increase in Steam-targeting malware, as much as 77,000 complaints per month relating to accounts hack were received by the company in the month of December.
Steam malware is pretty cheap
One of the reasons for such an increase in Steam malware hacks is the cheapness at which one can get the malware. In case, you happen to visit any underground forums, you will find that so-called Steam Stealers, malware specialized in stealing Steam login credentials or game inventory items, is some of the cheapest malware you’ll find online.
In fact, most times the prices are between $1 to $10, rarely shooting above the $30 mark. Kaspersky says that “buying a stealer on a shady Internet forum can cost more in time than in money.”
The interesting trend nowadays is that “Steam hacking” are offered as MaaS or Malware-as-a-Service. In this scenario, hackers provide the malware and infrastructure it runs on, leaving just the distribution of malware to the buyer. Afterwards, both of them share the profits made.
According to researchers, most Steam malware families are quite simple, with the difference arising in social engineering tricks employed by each criminal group to spread their malware.
People interested in Steam trade process are the preferred targets for hackers. Mostly, the hackers group inherit from Eastern Europe and Russia with Counter-Strike: Global Offensive being their choice of game, where inventory goods are often traded and bought via auction (bidding) sites.
Most common techniques observed in today’s Steam Stealer malware
Kaspersky has cited numerous techniques in Steam Stealer distribution and mode of operation. The trends keep changing with time to avoid detection by security product, and also the educated users. The security firm says that Steam Stealer malware families have evolved from using no type of security measures to protecting their code using obfuscators. The hackers have also employed fake TeamSpeak or fake game servers to promote themselves, using PasteBin links to download the actual malware payload, and to using Dropbox, Google Docs, Copy.com to host their malicious code.
Steam malware can also bypass the Steam’s CAPTCHA utility along with support for NetSupport, a remote control software package that helped Steam Stealers evolve from ordinary information-stealing malware to complete RATs (Remote Access Trojans).
Other past trends include the usage of sites that look like Imgur, LightShot or SavePic, where the players upload their screenshots, and also malware-laced binaries for popular VoIP communication software like TeamSpeak and RazerComms.
Steam Stealers, the future’s full-blown RATs
Kaspersky notes that Steam Stealers are evolving at a rapid pace with the use of AutoIT wrappers to make analysis and detection harder and also use fake gambling sites, including fake deposit bots.
One of the recent trends includes the use of Chrome Extension for carrying out the inventory thefts via JavaScript on game item gambling sites. Luckily, most users are now aware of this trick.
From all this, one thing is certain, Steam malware are getting mature and complex every day. They are getting on par with other malware.
In case, you want to learn more about the Steam malware, their distribution campaigns, we recommend taking a look at the Steam Stealers report.