Warning to Steam Users

There appears to be a group doing the rounds again, so if you play any game with a Steam Market Feature, and they offer you a “deal”, ignore them. Don’t trust a link they give you, no matter how legitimate it may seem. (I knew this wasn’t what it’d seemed like, but they did try to disguise that link)

http://imgur.com/a/ViX0F

**Warning: Do NOT follow the link in that text chat from the picture.**

Though, I’ve still yet to find out what exactly it’s done to my Virtual Machine.

Started with generic responses: Evo-gen [susp]. An hour later the threat had been added by a couple more vendors, while others had just changed the detection name from a generic catch-all.

Again, this seems to be a new group, given that the file was first submitted (by me) 13-14 hours ago. It just took a while to post. It dropped an exe file into my temp folder inside the VM, but it doesn’t seem to do anything. Could very well be a zombie infection, a DDoS-style zombie infection.

Deepviz this morning had actually marked this file as clean; it’s now “malicious”: https://sandbox.deepviz.com/report/hash/aa772ea47dd1ebd203d3e261ad59e896/

Polonus: Can you run the works on 109(dot)120(dot)162(dot)10 & imagesave(dot)pw and give us the rundown? <== Warning, these sites are malicious

Avast, please disable and block that domain. imagesave.pw isn’t accessible, but the exe files are.

From my analysis:
hxxp://imagesave[.]pw/images/?img=6bjhyM3RqTEhDckk
redirects to:
hxxps://drive.google[.]com/uc?id=0B68xxAVl-1y6Yi1XQmM4a2tIb00
which automatically downloads file Screen_4743548237.scr. Probably doesn’t help that .scr might be confused with “screenshot”, even though it is an executable.
The file is this one: https://www.virustotal.com/en/file/d3f6e612d0e4f9bf68d01186cd6a6cd1c4ba91255950cf9d17d10f8443626342/analysis/1486106467/
This is different from what you got (https://www.virustotal.com/en/file/889651d55b20d4dde9616681acdbf82e6fc8bcff3d739733e267fc26aaffb394/analysis/) but also detected by us.

I blocked the domain and will pass the PE files to our PE analysts for further analysis.
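As an added example (not code from any poster in this thread), a small Python check a defender can run on a downloaded file to compare the extension it was served under with what its bytes actually are: a .scr is a PE executable regardless of the “Screen_” in its name. The extension lists and the constructed fake PE header are assumptions for illustration, not real samples.

```python
import struct

# Extensions Windows will run directly (constructed list for this check, not exhaustive).
# A ".scr" screensaver is an ordinary PE executable despite looking like a "screenshot".
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
# Extensions a user would expect to hold an image.
IMAGE_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif", ".bmp"}


def looks_like_pe(data: bytes) -> bool:
    """True if data has a DOS 'MZ' stub whose e_lfanew field points at a 'PE\\0\\0' header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    pe_offset = struct.unpack_from("<I", data, 0x3C)[0]  # e_lfanew lives at offset 0x3C
    return data[pe_offset:pe_offset + 4] == b"PE\x00\x00"


def classify_download(filename: str, data: bytes) -> str:
    """Compare the served filename against the content and return a short verdict."""
    name = filename.lower()
    ext = name[name.rfind("."):] if "." in name else ""
    is_pe = looks_like_pe(data)
    if ext in EXECUTABLE_EXTENSIONS and is_pe:
        return "executable"               # honest extension, but still a program: treat as such
    if ext in IMAGE_EXTENSIONS and is_pe:
        return "pe-disguised-as-image"    # image extension over PE bytes
    if is_pe:
        return "pe-unexpected-extension"  # PE bytes under some other or missing extension
    return "non-executable"


def build_fake_pe() -> bytes:
    """Constructed minimal byte string with a valid MZ stub and PE signature (not a runnable program)."""
    header = bytearray(b"MZ" + b"\x00" * 0x3E)   # 0x40-byte DOS header
    struct.pack_into("<I", header, 0x3C, 0x40)    # e_lfanew -> PE signature at offset 0x40
    return bytes(header) + b"PE\x00\x00" + b"\x00" * 20


if __name__ == "__main__":
    # The name pattern from the thread, over constructed PE bytes.
    print(classify_download("Screen_4743548237.scr", build_fake_pe()))
```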

It looks like Avast! was already blocking the PE files, but the domain is serving different files often. Good work Honza on blocking it for us.

Avast! just keeps getting better with detecting new threats.

More or less why I wanted the domain fast-tracked to a black list.

Let your PE analysers know that the file is dropping exes. Though I’m sure they will find that out on their own. Can one learn from them and report back on the functionality of what this is fully doing? I’ve still seen no ill symptoms of a true infection, and the analysis from Deepviz is vague to say the least.

The file that I downloaded (d3f6e612d0e4f9bf68d01186cd6a6cd1c4ba91255950cf9d17d10f8443626342) is indeed a downloader, and downloads this file:
hxxp://imagesave[.]pw/HARAKIRI.exe
https://www.virustotal.com/en/file/8010e4957c4df718307d5234645e6a87cee68862f8fa5a4b261086c7ab1d27fc/analysis/1486128693/ ← HARAKIRI.exe (do not worry, we already detect it, even though virustotal still shows we consider it clean :slight_smile: )

Can you post a deepviz scan of that file? I’m currently not able to access a computer. I’m on mobile.

Cheers, Honza, for the quick reaction.

I am not sure if you will see anything in there: https://sandbox.deepviz.com/report/hash/acdf4fd91e0df5461cdc1edaa1755568/
The sample crashes in sandbox and is heavily obfuscated…

Nope, just some keys, that’s just about all the useful info in that.

@TI199; I have to ask, because I’m looking at that U/N right now in your screenshot. You didn’t test downloading these files on your live machine, right? (e.g. the physical box, rather than a Virtual Environment)

If you did, you should obtain VirtualBox or a similar program. That’s extremely unsafe to do. “Lenovo” is a weird U/N and something I’d expect to see from a store-bought computer that wasn’t factoried before going out the door.

VBox: https://www.virtualbox.org/

You’ll have to find a copy of Windows. (Legit, though. Cracked copies can be Backdoored during installation.)

Hi Michael,

I do use a VM most of the time to hunt around. I just don’t do it when I know the link is a download and nothing that will autoexecute without my permission. I got some additional stuff installed to keep monitoring what runs.

My system was factory reset after it was released, by the way, but I had to get rid of the bloat though.

Ay, fair play. I would still caution against downloading anything that you know (or suspect) is malicious on a live machine. One day it’ll bite you in the arse. Trust me, I’ve had it happen. (Nothing serious, just a USB worm running off a VBS file.) Whether or not you intend to run it, things happen you don’t expect.

But that’s just me, we all have our faults. :slight_smile:

Cheers guys

Completely agree… I have some software that will alert me if I accidentally execute something, which doesn’t happen to me since I use a VM if I am going to do something with samples.