by RSS Lilia Elena Gonzalez Medina  |  Feb 06, 2017  |  Filed in: Security Research

Every year during holiday seasons, the number of phishing websites increases. This is particularly true for online gaming distribution platforms. In some cases, users not only have their login credentials stolen, but they also end up downloading and executing malicious executables. As expected, the more popular a platform is, the more targeted it will be, which is why this research blog focuses on two malware samples obtained from fake Origin and Steam websites.

Fake Origin phishing website

Figure 1. Fake Origin phishing website

Origin Malware Sample

In addition to phishing websites that steal user credentials, we also examined a number of blogs that were being blocked by the Fortiguard Web Filtering Service. The content of these blogs seemed non-malicious at first, but after looking at the source code we discovered obfuscated JavaScript that repeatedly redirected to a URL from a Russian website until an executable was downloaded. This process was supposed to take place without the user’s intervention; however, due to a coding error the sample could not be download automatically, and the blog websites displayed this error instead:

Malicious blog intended to download malware

Figure 2. Malicious blog intended to download malware

Despite this, all the redirections still worked, and we were able to manually download a malware sample.

Fake Origin phishing website

Figure 3. Downloaded malware sample

All the malicious websites we examined had four things in common:

  • They were all hosted in
  • They all contained obfuscated JavaScript
  • They all included a variable with the strings “ea+origin+download+slow” or “origin-mediafire”
  • This string was also found on the targeted URL, and the variable in which it was stored was later used as a parameter to download a malicious executable

Obfuscated code found on the malicious websites

Figure 4. Obfuscated code found on the malicious websites

In the case of the downloaded sample we collected, the malware was called QSc.exe, just like the variable shown on the first script. It is detected as Riskware/Kryptik.FKCR by the Fortinet AntiVirus service.

Once the entire pattern was identified, it was easy to find similar websites. The list of affected websites can be found at the end of this blog. The downloaded file is categorized as aggressive Adware, not in terms of persistence, but because of the number of malicious executables that it downloads and executes.


After executing, the sample malware created several files, including two shortcuts on the Desktop that redirected to different websites in the domain When examined, these website links redirected the user to online games. However, these games seem to have been removed.

Shortcuts created by the sample

Figure 5. Shortcuts created by the sample

Below is a list of other folders and files created, ordered by the executable that created them:




Downloaded sample




%USERPROFILE%\AppData\Local\Temp\is- < 5 random alphanumeric characters>.tmp




























%USERPROFILE%\AppData\Local\Temp\ and













The file 969699066d18t7181076.dll uses two persistence mechanisms:

  • It creates a task scheduled to execute daily, on every hour and at system startup. After it is executed, this DLL also creates other applications in C:\Windows\Temp\.
  • It adds the property “wd” with its path to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce.

The sample Qsc.exe uses another persistence mechanism known as shortcut hijacking, which consists of replacing the shortcuts of Google Chrome, Mozilla Firefox, and Internet Explorer with new ones that, when clicked, execute a batch file that opens a malicious URL on the specified browser. The following files are created in %USERPROFILE%\AppData\Roaming\Browsers:

  • chrome.bat.exe
  • firefox.bat.exe
  • iexplore.bat.exe
  • exe.emorhc.bat
  • exe.erolpxei.bat
  • exe.xoferif.bat

Firefox.bat.exe and iexplore.bat.exe are copies of the legitimate browsers installed, whereas chrome.bat.exe is an older version of the legitimate Chrome installed.

Browser shortcuts created by the malware

Figure 6. Browser shortcuts created by the malware

Content of the batch files

Figure 7. Content of the batch files

After removing unnecessary characters, each batch file contains one of the following strings, depending on the target browser. Note that the URL on the commands varies.:

start “” “c:\PROGRA~1\MOZILL~1\firefox.exe” hxxp://”

start “” “c:\PROGRA~1\INTERN~1\iexplore.exe” hxxp://”

start “” “c:\PROGRA~1\google\chrome\APPLIC~1\chrome.exe” hxxp://”

Finally, the sample run.exe drops DLLs in C:\ProgramData, creates firewall rules to allow incoming connections to rundll32.dll, and schedules tasks to execute the dropped DLLs every hour, every day.

Steam Malware Sample

From time to time, Steam platform users receive fake emails or chat messages pretending to be from Steam trying to trick them into giving away their credentials or downloading malware. In fact, it’s not too hard to find a sample due to the many complaints and warnings about this problem on videogame forums. According to users, the most common tactics used by attackers to convince users to click on malicious URLs include: claiming to have a video or picture that includes the victim or contains something shocking or funny, adding a friend to their accounts, and fake trade offers. And although Steam works hard to protect its users, determined attackers always find a way to evade security mechanisms.  

Between August and December of last year, some users of the Steam platform warned about chat messages with a link to “see some pictures,” but that turned out to download a file called picture46.scr; which is a malicious .NET executable protected with an unknown obfuscator. The language specified on the NeutralResourcesLanguage attribute is Romanian, which hints at the possible origin of the sample.


The functionality of this sample is divided into three executables. The first one checks constantly to determine if the process egui.exe, which corresponds to ESET’s antivirus NOD32, is executing and, if it is, terminates it.

Content of the batch files

Figure 8. Function that checks the presence of NOD32

It then reads some bytes from the .text section of the PE, stores them in the array byte_0, and decrypts them using the Rijndael cipher.

Function that decrypts the second malicious executable

Figure 9. Function that decrypts the second malicious executable

The decrypted content of byte_0 is actually another malicious .NET executable called ClsFrm.exe. In this case, the obfuscator was detected as DeepSea 4.1. Note that the first bytes of the array are the decimal representation of “MZ”. This dropped code is injected into a newly created explorer.exe process.

Fist bytes of the decrypted malware.
Figure 10. Fist bytes of the decrypted malware.

The second executable, ClsFrm.exe, checks for processes called “avgui” (AVG), “avpui” (Kasperksy) or “avastui” (Avast). Other anti-VM techniques used by the sample include:

  • Checks whether the retrieved path contains these strings: \\VIRUS, SANDBOX, SAMPLE,
  • Gets the manufacturer and model from Win32_ComputerSystem and looks for these strings: VIRTUAL, vmware, VirtualBox.
  • Uses GetModuleHandle to check if SbieDll.dll (for Sandboxie) was loaded.
  • Uses Sleep to evade dynamic analysis systems.

After these conditions are met, the sample takes the 32 bitmap files from its resources and decrypts them to proceed with the third stage of its execution.

Bitmap files in the resources section of the second .NET sample

Figure 11. Bitmap files in the resources section of the second .NET sample

The pictures in Figure 11, that look like a bunch of colorful pixels, are stored one by one in the array byte_0, which is later sent to the decrypting function. First, it computes the MD5 hash of the string “UnDhsRiosnW”, and then stores the first 8 bytes in an array to use on the DES decipher function (smethod_0) as the key and IV value.

Process to decipher the bitmap files

Figure 12. Process to decipher the bitmap files

The result goes through the same decipher procedure again to obtain the strings in Figure 13, that are later stored as keys and values in a dictionary and include important aspects of the malware’s functionality. For example: the value of the key “Install.Filename” is “svchost.exe”, which is the name that the sample uses to copy itself inside the Music directory.

Strings obtained from the bitmap files

Figure 13. Strings obtained from the bitmap files

Steam Stealer

Finally, the third sample, the one that contains the payload, is generated using DeflateStream. The decompressed executable is a Steam Stealer obfuscated with Agile.NET. This file contains two interesting resources: a picture with a fake Steam warning and a string with the following message:

“Steam Guard has detected a suspicious login and trade attempt from this account

To protect your account and items we will hold them for 3 days with Escrow system

You need to accept hold items in your Steam Mobile Authenticator in section 'Confirmations'

Otherwise Steam is not responsible for your account and we will lock it for 30 days

due to our security rules.”

Fake Steam warning of suspicious behavior

Figure 14. Fake Steam warning of suspicious behavior

When this program is executed, it waits until steamwebhelper.exe is running, which is a legitimate process started after Steam.exe. It then uses the regular expression "7656119[0-9]{10}%7c%7c[A-F0-9]{40}" to find the Steam ID of the user in its memory. However, this only works if the user is logged in. The stealer then creates a cookie container using this value and the domain “” and sends it in an HTTP GET request to obtain the Session ID.

Code of the HTTP request using the cookie created by the malware

Figure 15. Code of the HTTP request using the cookie created by the malware

It then obtains a list of the items that the user is selling on the Steam market, particularly from the games Dota 2, Counter-Strike: Global Offensive, and Team Fortress 2, using their appIDs to retrieve specific items denoted in string_3 and string_4 on Figure 16, below. The profile for the Steam ID is private (string_0), so no information could be obtained from it.

Important strings used by the stealer

Figure 16. Important strings used by the stealer

Afterwards, a trade offer is sent to the account of the malicious actor, who ends up stealing all the interesting items from the account of the victim.

Trade offer created to send the stolen items

Figure 17. Trade offer created to send the stolen items

The stealer also uses Steam’s Web API to connect to the chat (/ISteamWebUserPresenceOAuth/Logon/v0001) and to send a message (/ISteamWebUserPresenceOAuth/Message/v0001) with the text “ahaha, lol hxxp://” to keep propagating itself to other Steam users.

Code for the chat message to propagate itself

Figure 18. Code for the chat message to propagate itself

Origin IoCs













Other IP addresses and URLs obtained from the memory dump of rundll32.exe:


807fc0e1c60a552ef96bb4e1eeed40f70cf309d8d82d8d8a48290f907d6e6b4d         QSc.exe

3d620cb92767216e43ebb4fb85b06ab12d44bb382f2e768ccf90e1ae7b06b669       Intst_install.exe

f441c7feb405e4556373c5d9038257ca298867da49b117446df60365c7c4cb57        yt.exe

7b00db19bd718fb10f78f9d82c1c9b0df064e1090a3469aaf39dcff091ba1864           run.exe

0782ac46ce3ecd45a3aa3ccc209868666f3f2a4b66c1fd26653d0848e83724f5          diskpower-installer.exe

cc783a04ccbca4edd06564f8ec88fe5a15f1e3bb26cec7de5e090313520d98f3          run.tmp

11c0132f07c41e8c9b221801453d429e8232adc5e933aa45993fc6362e882fe7        PssOxD

cddc954c09861227e788fc7985ad87d7d05ebfa30d98ff21847f88e026592924         qEtB5Po

a3d169174441a14ee80be194f3512d6ce711d12b5fc70f4a2ed570ae3220aca6       qEtB5Po.dll

4eca0c2d55d54fe316f19130219b0e6739b2236a0e0ba0dddb270d057fe06b65      uninstall.exe

d36dc53fc69124d1fb41e09bcb351772b18d6701f15db9c3d57c8ec2c720a1ec         ZDrU6vU

0a14fbd1ec62aba5f8fe25c1fe9c014c6a02e9594473be32b1d531a47f5e2e27         interstat.exe

f5b25fdfa52f64e7a56ca40a0687b746fba07500b16589df5325a1da6bb9925b         169.tmp

3bba739bb0a97313e7fa4481ca233e5ceb0069570c636418f158d9deaf87730c       969699066d18t7181076.dll

b2b04035d4f3ba498bfe308937b60d1998d4ee7d37fd341fa6f4af2ec1633bbf          g9F35.tmp.exe

936ea464f68d2f559cbbd9a415b3ded6a6f2ebb51fc04d2669392c5b2135376d        g8041.tmp.exe

0c03b26478deec8800be159af8c0023f4a79c2dfebb515b50b4955820e8f4a00        g8042.tmp.exe

6596e97903fb3d06da85c0affa66ee751697d14ef14c8c445fded121c8254c30          gF5EF.tmp

5af102280b2dff59b5257d603f7e9fa9cf8734182f2e268a9b56790aafecf55c             G640C.tmp

3bba739bb0a97313e7fa4481ca233e5ceb0069570c636418f158d9deaf87730c       891260751d47t2502933.dll

Steam IoCs



c4aa4f91cc27f8cbfa29f3b6c75744b42310efa39976edcde00ec95dd9dae294           picture46.scr

74a2383a02ab1eb7ce85465bcd10c995c85dc214394cd182ad66f05f886878a5       ClsFrm.exe

c0e5af88e6f4dbc0978e82d1b1891b0dcbecffec4bbd5e9d2c8ec67d9a024e0d          streamdump.exe


Sign up for weekly Fortinet FortiGuard Labs Threat Intelligence Briefs and stay on top of the newest emerging threats.


by RSS Lilia Elena Gonzalez Medina  |  Feb 06, 2017  |  Filed in: Security Research

comments powered by Disqus