Fake Steam Desktop Authenticator App distributing DarkCrystal RAT

A campaign distributes malware via fake Steam Desktop Authenticator (SDA) clone sites using site cloning and typosquatting. The fake SDA ZIP ultimately delivers DarkCrystal RAT (DCRAT) after a staged bypass of Defender, with infrastructure built around several spoofed domains.
#DarkCrystalRAT #SDA #DCRAT #SiteCloning #Typosquatting

Keypoints

  • The campaign clones and typosquats legitimate SDA sites to lure users into downloading a malicious SDA ZIP.
  • A ZIP file (SDA-1.0.10.zip) contains a malicious SDA-1.0.10.exe used to drop the DarkCrystal RAT.
  • Execution of the SDA payload triggers a batch script that disables Windows Defender and then runs DCRAT.
  • The ultimate objective is delivery of DarkCrystal RAT, a commodity crimeware tool sold on underground channels.

MITRE Techniques

  • [T1189] Drive-by Compromise – Users visit a cloned/typosquatted site and can download the malicious ZIP (SDA-1.0.10.zip). Quote: “If a user visits the fake version of the site then they can download a 135.08 MB ZIP file of the “SDA-1.0.10.zip” app…”
  • [T1204.002] User Execution: Malicious File – The SDA payload, when executed, leads to a process tree and deployment of DCRAT. Quote: “If executed, we can see a process tree involving multiple malicious Commands (using a .BAT script) that ultimately disables Windows Defender and runs DCRAT.”
  • [T1112] Modify Registry – The batch script modifies registry keys to disable Defender policies. Quote: “it modifies registry keys to disable Defender Policies, deletes the Run key, and kills the SecurityHealthService.exe running process.”
  • [T1059.003] Command and Scripting Interpreter: Batch – The malware uses a Batch script to perform actions. Quote: “The Batch script ‘Disable_win_defender.bat’ does what it says on the tin really.”
  • [T1562.001] Impair Defenses: Disable or Modify Tools – The overall aim includes disabling Defender defenses so that DCRAT can operate. Quote: “…disable Defender Policies, deletes the Run key, and kills the SecurityHealthService.exe running process.”
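The batch-script behaviour described above (script launch, Defender policy registry change, Run-key deletion, SecurityHealthService.exe kill) can be turned into a simple detection. The following is an added example, not code from the original post: it runs Sysmon-style rules over a handful of constructed events and alerts only when at least two of the described techniques appear together.

```python
import re

# Constructed Sysmon-style events (not from the original post). Field names
# are this example's own simplification of Sysmon event IDs 1 (process
# create), 12 (registry object delete) and 13 (registry value set).
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\u\AppData\Local\Temp\Disable_win_defender.bat"'},
    {"id": 13, "image": r"C:\Windows\System32\reg.exe",
     "target": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware",
     "details": "DWORD (0x00000001)"},
    {"id": 12, "image": r"C:\Windows\System32\reg.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth"},
    {"id": 1, "image": r"C:\Windows\System32\taskkill.exe",
     "cmdline": "taskkill /f /im SecurityHealthService.exe"},
    {"id": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
]

# Each rule maps one observable from the post to its ATT&CK technique.
RULES = [
    # Launch of the Disable_win_defender.bat script named in the post
    ("T1059.003", lambda e: e["id"] == 1
     and re.search(r"disable_win_defender\.bat", e.get("cmdline", ""), re.I)),
    # Any value written under the Windows Defender policy key
    ("T1112", lambda e: e["id"] == 13 and e.get("target", "").lower()
     .startswith("hklm\\software\\policies\\microsoft\\windows defender")),
    # Deletion of a value under a CurrentVersion\Run key
    ("T1112", lambda e: e["id"] == 12
     and "\\currentversion\\run\\" in e.get("target", "").lower()),
    # taskkill aimed at the Windows Security health service
    ("T1562.001", lambda e: e["id"] == 1
     and re.search(r"taskkill.*securityhealthservice\.exe", e.get("cmdline", ""), re.I)),
]


def match_techniques(events):
    """Return {technique: [event indices]} for every event a rule matches."""
    hits = {}
    for i, ev in enumerate(events):
        for technique, pred in RULES:
            if pred(ev):
                hits.setdefault(technique, []).append(i)
    return hits


def is_defender_tamper_chain(events):
    """Alert only when two or more distinct techniques fire, so a single
    policy write by an admin tool stays below the threshold."""
    return len(match_techniques(events)) >= 2
```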

Indicators of Compromise

  • [File] Steam Desktop Authenticator.exe – context: malicious SDA variant referenced in the campaign
  • [File] DCRatBuild.exe – context: executable name associated with DarkCrystal RAT deployment
  • [File] Disable_win_defender.bat – context: batch script used to disable Defender settings
  • [Hash] d65fdeff64de39aecb66d54b9507dbda3a73b35d58311294d5867117e93e0b48 – context: SHA-256 for SDA-related payload
  • [Hash] 83e90e41f6fdf724781c664e06f8172ee3e5a142f147a7fe355d5bf741cabd75 – context: SHA-256 for DCRAT-related file
  • [Hash] c4c8ef548db152990df000a2f759405b2b76ac078f1d34797a0e73b959fd9839 – context: additional SDA payload hash
  • [Domain] gthub.org – context: fake domain hosting the SDA ZIP
  • [Domain] glthub.org – context: fake domain hosting the SDA ZIP
  • [Domain] gllthub.com – context: fake domain hosting the SDA ZIP
  • [Domain] steamdesktopauthenticator.net – context: spoofed SDA domain
  • [Domain] steamdesktopauthenticator.org – context: spoofed SDA domain
  • [Domain] steamdesktopauthenticator.ru – context: spoofed SDA domain

Read more: https://blog.bushidotoken.net/2023/05/fake-steam-desktop-authenticator-app.html