steven36 Posted October 1, 2016

Yesterday, I stumbled on a post where a Reddit user named Haydaddict was alerting people about some hacked Steam accounts spreading malware. As I am always interested in new malware, I took a look to see what could be discovered.

According to the post, the hacked accounts were being used to SPAM suspicious links using Steam chat. These chat messages would tell the recipient to go to videomeo.pw to watch a video.

[Image: Steam Chats]

When the target went to the page, they would be greeted with a message stating that they needed to update Flash Player in order to watch the video.

[Image: Fake Video Page]

If a target downloads the installer and executes it, they will find that it does not appear to do anything. This is because the Flash Player installer is actually a Trojan that executes a PowerShell script called zaga.ps1, which will download a 7-zip archive, 7-zip extractor, and a CMD script from the zahr.pw server.

[Image: Zaga.ps1 PowerShell Script]

Once the files are downloaded, the PowerShell script will then launch the CMD file, which will extract the sharchivedmngr to the %AppData%\lappclimtfldr folder and configure Windows to automatically start the mcrtvclient.exe program when a user logs in. This program is actually a renamed copy of the NetSupport Manager Remote Control Software. When the program is launched, it will connect to the NetSupport gateway at leyv.pw:11678 and await commands. This allows the attacker to remotely connect to the infected computer and take control over it.

[Image: NetManager Configuration File]

For those who are concerned they are infected with this Steam Trojan, I suggest they check the %AppData% folder for the specified folders. Furthermore, all users must be careful with what links they visit and what downloads they install. These days it is becoming more and more frequent for accounts to be hacked and then for attackers to use them to distribute malware.

Stay vigilant, be careful, and make sure you have antivirus software installed.

Source: http://www.bleepingcomputer.com/news/security/hacked-steam-accounts-spreading-remote-access-trojan/
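
A triage check for the indicators named in the post above, as an added example that is not part of the original post or the source article: it looks for the %AppData%\lappclimtfldr folder, a running mcrtvclient.exe, and connections to remote port 11678. The Run registry keys are an assumed autostart location, since the post does not say which mechanism the CMD script uses.

```powershell
# Added example: read-only triage for the indicators described in the post.
# Folder name, executable name and gateway port come from the post;
# the Run keys checked below are an ASSUMPTION about where the autostart was set.
$folder   = Join-Path $env:APPDATA 'lappclimtfldr'
$exeName  = 'mcrtvclient.exe'
$gwPort   = 11678
$findings = New-Object 'System.Collections.Generic.List[string]'

# 1. Drop folder under %AppData% and the files inside it
if (Test-Path -LiteralPath $folder) {
    $findings.Add("Folder present: $folder")
    Get-ChildItem -LiteralPath $folder -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object { $findings.Add("  file: $($_.FullName)") }
}

# 2. Running process using the renamed NetSupport client name
Get-CimInstance Win32_Process -Filter "Name = '$exeName'" -ErrorAction SilentlyContinue |
    ForEach-Object { $findings.Add("Process running: PID $($_.ProcessId) $($_.ExecutablePath)") }

# 3. Autostart values that reference the folder or the executable (assumed locations)
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -eq $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ("$($p.Value)" -match 'mcrtvclient|lappclimtfldr') {
            $findings.Add("Autostart entry: $key\$($p.Name) = $($p.Value)")
        }
    }
}

# 4. TCP connections to the gateway port given in the post
Get-NetTCPConnection -RemotePort $gwPort -ErrorAction SilentlyContinue |
    ForEach-Object {
        $findings.Add("Connection: $($_.RemoteAddress):$($_.RemotePort) state $($_.State) PID $($_.OwningProcess)")
    }

if ($findings.Count -gt 0) {
    $findings
    Write-Warning 'Indicators from the post were found; disconnect the machine and investigate.'
} else {
    'No indicators from the post were found on this user profile.'
}
```

The folder and HKCU checks cover only the profile of the user running the script, so repeat it for each account on a shared machine.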

Holmes Posted October 1, 2016

I got my Steam account and my Gmail hijacked one time and I got them back thanks to my backup of the month and year I first created my Gmail account and my credit card information being saved on my Steam account. Never click on any links in a Steam chat window.

DKT27 (Administrator) Posted October 3, 2016

On 1/10/2016 at 7:02 PM, Holmes said:
"I got my Steam account and my Gmail hijacked one time and I got them back thanks to my backup of the month and year I first created my Gmail account and my credit card information being saved on my Steam account. Never click on any links in a Steam chat window."

A lot of protections against hacking of accounts are now on it.