Threat actors modified the open-source SteamCleaner tool, repackaged it as Setup.exe, and distributed it from malicious GitHub repositories and redirect pages to install malware that deploys Node.js-based backdoors communicating with multiple C2 servers. The malware includes sandbox evasion, installs persistent scheduled tasks, and can execute arbitrary commands via two Node.js scripts that exfiltrate system details to C2. #SteamCleaner #Proxyware #aginscore.com #rt-guard.com
Keypoints
- Threat actors injected malicious code into the legitimate SteamCleaner source, built a modified executable, and signed a repackaged InnoSetup installer distributed as Setup.exe.
- Distribution was performed via redirect pages masquerading as crack/keygen download sites and multiple GitHub repositories (example: raw.githubusercontent[.]com/erindaude/3O/main/Setup.exe).
- When executed, the malware installs to C:\Program Files\SteamCleaner (or other paths) and decrypts an embedded PowerShell command that installs Node.js and two malicious Node.js scripts.
- The two Node.js scripts are registered as scheduled tasks for persistence (\Microsoft\Windows\WCM\WiFiSpeedScheduler and \Microsoft\Windows\Diagnosis\RecommendedDiagnosisScheduler, run at boot and every hour) and periodically communicate with C2 to receive and execute commands.
- The malware implements multiple anti-sandbox checks (WMI queries, VM-related files/processes/modules, specific paths, sleep timing) to avoid revealing malicious behavior in analysis environments.
- C2 communication uses JSON POSTs to /d (info) and /e (execution results) endpoints; transmitted system fields include os_type, os_version, machine_id, agent_version, and session_id.
- Observed C2 domains and download URLs include aginscore[.]com, rt-guard[.]com, 4tressx[.]com, kuchiku[.]digital, and uuu.rqfefxsa[.]xyz; several MD5 hashes for related files were provided.
MITRE Techniques
- [T1059.001] Command and Scripting Interpreter: PowerShell – Malware decrypts and executes an embedded PowerShell command to install Node.js and download malicious scripts (“Then, it decrypts and executes the PowerShell command that is stored encrypted inside the malware.”).
- [T1553.002] Subvert Trust Controls: Code Signing – The repackaged installer was signed with a valid certificate so that it passes as legitimate software (“The threat actor added malicious code… and distributed the file signed with a valid certificate.”).
- [T1036] Masquerading – Malware masquerades as the legitimate SteamCleaner tool and retains original code while adding malicious classes/methods (“the original code has been kept, and classes and methods have been added to perform malicious behaviors.”).
- [T1053.005] Scheduled Task/Job: Scheduled Task – Persistence via Task Scheduler registration to execute the scripts at boot and hourly (“it registers these scripts to the task scheduler. The registered tasks are automatically executed when the system boots up and every hour.”).
- [T1497] Virtualization/Sandbox Evasion – Uses anti-sandbox techniques including checking system info, port counts, WMI queries, VM-specific files, processes, modules, and sleep behavior (“The added malware has multiple anti-sandbox functions… checking system information, port counts, WMI queries, files and paths, process modules, process, and Sleep operation.”).
- [T1105] Ingress Tool Transfer – The first Node.js script can download files from a provided URL and execute them via CMD/PowerShell (“The first Node.js script can download a file from a specific URL and then execute commands such as CMD and PowerShell to run the downloaded file.”).
- [T1071.001] Web Protocols – C2 communication over HTTP POST to /d and /e paths sending JSON with system metadata (“POST /d HTTP/1.1 … { ‘os_type’: ‘Windows_NT’, … ‘agent_version’: ‘17.2.7’, ‘session_id’: … }”).
- [T1059.007] Command and Scripting Interpreter: JavaScript, with [T1059.003] Windows Command Shell – The Node.js scripts execute received commands through exec or spawn external processes (CMD/PowerShell) to run arbitrary payloads; no process injection is described (“the second script… executes them using the exec function… the first script takes a URL… downloaded content… executed using an external process such as CMD or PowerShell.”).
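The /d and /e beacons above are easy to match in proxy logs. The following is an added example (not code from the page or from AhnLab) that scans a constructed log excerpt in two passes: a direct match on the page's C2 hosts and beacon paths, and a host-independent match on the JSON field set the agent sends to /d, so a C2 domain that is not yet on the list is still flagged. The log line format, the os_version and machine_id values and the unknown host are assumptions invented for the example; only the domains, paths, "Windows_NT" and agent_version "17.2.7" come from the page.

```python
import json
import re
from typing import Optional

# Indicators taken from the page: C2 hosts observed serving the /d and /e endpoints.
C2_HOSTS = {"aginscore.com", "4tressx.com", "kuchiku.digital"}
BEACON_PATHS = {"/d", "/e"}
# Field names the page reports in the /d JSON body.
# Assumption: every /d beacon carries all five of them.
BEACON_FIELDS = {"os_type", "os_version", "machine_id", "agent_version", "session_id"}

# Constructed proxy log excerpt (not from the page). One request per line:
# METHOD HOST PATH BODY ("-" when there is no body). Identifiers below are invented;
# only the hosts, paths, "Windows_NT" and "17.2.7" come from the page.
SAMPLE_LOG = """\
POST aginscore.com /d {"os_type":"Windows_NT","os_version":"10.0.19045","machine_id":"9f3c0a","agent_version":"17.2.7","session_id":"s-001"}
GET www.example.com /index.html -
POST api.example.com /d {"user":"alice","action":"login"}
POST cdn.unknown-host.net /d {"os_type":"Windows_NT","os_version":"10.0.22631","machine_id":"11aa22","agent_version":"17.2.7","session_id":"s-002"}
POST 4tressx.com /e {"session_id":"s-001","result":"ok"}
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")


def classify(line: str) -> Optional[str]:
    """Return a detection label for one log line, or None if it looks benign.

    Rules, applied in order:
      1. known-c2: any request to a host on the page's C2 list with a /d or /e path.
      2. beacon-schema: a POST to /d whose JSON body carries the full field set the
         agent reports, whatever the host (catches a C2 domain not yet on the list).
    """
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    method, host, path, body = m.groups()
    host = host.lower().rstrip(".")
    if host in C2_HOSTS and path in BEACON_PATHS:
        return "known-c2"
    if method == "POST" and path == "/d":
        try:
            payload = json.loads(body)
        except json.JSONDecodeError:
            return None
        if isinstance(payload, dict) and BEACON_FIELDS.issubset(payload):
            return "beacon-schema"
    return None


def scan(log_text: str) -> list[tuple[int, str, str]]:
    """Scan a whole log; return (line number, host, label) for every hit."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        label = classify(line)
        if label:
            hits.append((n, line.split()[1].lower(), label))
    return hits


if __name__ == "__main__":
    for n, host, label in scan(SAMPLE_LOG):
        print(f"line {n}: {host} -> {label}")
```

The schema rule is the one worth keeping: the page already lists three C2 domains for the same agent, so matching on the body shape outlives any single domain. Tune the field set if your own samples show the agent sending a different key list.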
Indicators of Compromise
- [File name] Installer/Installed paths – Setup.exe distributed from GitHub; installed to C:\Program Files\SteamCleaner and other paths such as C:\WCM\{UUID}\UUID and C:\WindowsSetting\{UUID}\UUID.
- [Domains / FQDN] C2 and endpoints – aginscore[.]com (C2 /d and /e), 4tressx[.]com (C2 /d and /e), kuchiku[.]digital (C2 /d), rt-guard[.]com (download host), screenner[.]com.
- [URLs] Download endpoints – hxxps://raw.githubusercontent[.]com/erindaude/3O/main/Setup.exe, hxxps://rt-guard[.]com/updates/KB80164432, hxxps://uuu.rqfefxsa[.]xyz/cab.js.
- [Hashes] Malware file MD5s – 5ea776ca7dccac71138a6e92a4f5c934 (Downloader/JS.Proxyware.SC291258), 804957e501ee0443632ea675353326d4 (Trojan/JS.Proxyware.SC295915), and other MD5s: 062ff9107c8e7b7972120bc4ac0cd5e8, 29eddc32acb16d8ce71b18190de04e81, 39f41537c02e9f516c2de9dee5e9c5e0, 3bb7cd8779318093093d98b99f9d4631, 501fb628c426e3b393a8c61aaa2be451.
- [Scheduled Tasks] Persistence locations – \Microsoft\Windows\WCM\WiFiSpeedScheduler and \Microsoft\Windows\Diagnosis\RecommendedDiagnosisScheduler (Task Scheduler paths; each task runs one of the Node.js scripts at boot and every hour).
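To hunt for the scheduled-task persistence on a fleet, the following added example (not code from the page or from AhnLab) parses the CSV that `schtasks /query /fo CSV /v` produces and flags two things: the two task paths listed above, and the more general pattern behind them, a task under \Microsoft\Windows\ whose action launches node.exe with a .js script, which is what would survive a rename of the task. The assumption that no legitimate task under \Microsoft\Windows\ runs Node.js is the author's heuristic, not a statement from the page; the sample CSV is constructed and trimmed to four columns, and its executable paths, script names and the extra rows are invented.

```python
import csv
import io
import re

# Task paths named on the page, in Task Scheduler's backslash form.
KNOWN_TASKS = {
    r"\Microsoft\Windows\WCM\WiFiSpeedScheduler",
    r"\Microsoft\Windows\Diagnosis\RecommendedDiagnosisScheduler",
}
# Heuristic (author's assumption, not from the page): nothing Microsoft ships under
# \Microsoft\Windows\ launches node.exe against a .js file, so any such action is suspect.
NODE_RE = re.compile(r"\bnode(?:\.exe)?\b.*\.js\b", re.IGNORECASE)

# Constructed excerpt of `schtasks /query /fo CSV /v` output, trimmed to four columns
# (the real output has many more). The two page-named task paths are real; the
# executable paths, script names and the remaining rows are invented for the example.
SAMPLE_CSV = r'''"HostName","TaskName","Task To Run","Schedule Type"
"WS01","\Microsoft\Windows\WCM\WiFiSpeedScheduler","C:\WCM\node.exe C:\WCM\ws.js","At system start up"
"WS01","\Microsoft\Windows\Diagnosis\RecommendedDiagnosisScheduler","C:\WCM\node.exe C:\WCM\rd.js","Hourly"
"WS01","\Microsoft\Windows\Maintenance\NetOptimizer","C:\ProgramData\nodejs\node.exe C:\ProgramData\nodejs\opt.js","Hourly"
"WS01","\Microsoft\Windows\Defrag\ScheduledDefrag","%windir%\system32\defrag.exe -c -h -o -$","Weekly"
"WS01","\MyBackup","powershell.exe -File C:\Tools\backup.ps1","Daily"
'''

SYSTEM_PREFIX = "\\microsoft\\windows\\"


def hunt(csv_text: str) -> list[tuple[str, str]]:
    """Return (task name, reason) for every task matching a page IOC or the Node.js heuristic."""
    known = {t.lower() for t in KNOWN_TASKS}
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row.get("TaskName", "")
        cmd = row.get("Task To Run", "")
        if name.lower() in known:
            hits.append((name, "task path listed as an IOC"))
        elif name.lower().startswith(SYSTEM_PREFIX) and NODE_RE.search(cmd):
            hits.append((name, "system task launching a Node.js script"))
    return hits


if __name__ == "__main__":
    for name, reason in hunt(SAMPLE_CSV):
        print(f"{name}: {reason}")
```

On a live host, save `schtasks /query /fo CSV /v` to a file and pass its contents to `hunt`; schtasks writes in the console code page, so open the file with that encoding rather than UTF-8 if task names contain non-ASCII characters. Pair a hit with a check of the install directories listed above before declaring the host compromised, since the heuristic alone will also catch an admin who scheduled a Node.js script under a Microsoft-looking path.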
Read more: https://asec.ahnlab.com/en/90969/