Malicious Steam Cleanup Tool Targets Windows Users with Backdoor Malware
A sophisticated malware campaign has been identified, targeting Windows users through a compromised version of SteamCleaner, an open-source utility originally designed to remove unnecessary files from the Steam gaming platform. This malicious variant establishes persistent access to infected systems by deploying harmful Node.js scripts, enabling attackers to execute arbitrary commands remotely.
Exploitation of SteamCleaner
Cybercriminals have manipulated the legitimate SteamCleaner tool, which has not been updated since September 2018, by embedding malicious code into its original source. They distribute this altered version via fraudulent websites masquerading as repositories for pirated software. Users searching for cracked software or key generators are redirected to GitHub repositories hosting the malware, presented as a Setup.exe file.
Deceptive Digital Certification
The malicious installer is signed with a valid digital certificate from Taiyuan Jiankang Technology Co., Ltd., lending it an appearance of legitimacy. This 4.66MB package can bypass initial security checks due to its seemingly authentic certification.
Installation and Deployment
Upon execution, the malware installs itself in the C:\Program Files\Steam Cleaner\ directory, deploying multiple components, including Steam Cleaner.exe (3,472KB), configuration files, and batch scripts. Notably, the attackers have preserved the original SteamCleaner functionality while integrating sophisticated anti-sandbox detection mechanisms.
Anti-Sandbox Techniques
The malware conducts extensive environmental checks, such as system information analysis, port enumeration, WMI queries, and process monitoring. If it detects a sandboxed environment, it executes only the legitimate cleaning functions without triggering any malicious behavior, thereby evading detection.
Payload Delivery Mechanism
The malware utilizes encrypted PowerShell commands embedded within its code to orchestrate the installation of Node.js on the victim’s system. It then downloads two distinct malicious scripts from separate command-and-control (C2) servers. Both scripts are registered with the Windows Task Scheduler to ensure persistence, executing automatically at system startup and repeating every hour thereafter.
Command-and-Control Communication
The two Node.js scripts establish bidirectional communication channels with their respective C2 servers through structured JSON payloads. Upon connecting to the C2 infrastructure, the malware transmits comprehensive system reconnaissance data, including OS type and version, hostname, system architecture, and a unique machine identifier derived from the device GUID.
First Script Details
The first script, installed at C:\WCM{UUID}\UUID and registered as Microsoft/Windows/WCM/WiFiSpeedScheduler, connects to multiple C2 domains, including rt-guard[.]com, 4tressx[.]com, kuchiku[.]digital, and screenner[.]com. This script downloads files from attacker-specified URLs and executes them using CMD or PowerShell processes.
Second Script Details
The second script operates from C:\WindowsSetting{UUID}\UUID with the task name Microsoft/Windows/Diagnosis/Recommended DiagnosisScheduler, communicating with aginscore[.]com. This variant employs more aggressive obfuscation techniques and executes commands directly through Node.js’s native shell execution function.
Communication Endpoints
The C2 communication occurs through two primary endpoints: /d for receiving commands and /e for transmitting execution results.
Implications and Recommendations
This campaign underscores the evolving tactics of cybercriminals who exploit legitimate tools to distribute malware. Users are advised to download software only from official sources and to be cautious of software that requires administrative privileges or exhibits unusual behavior. Regularly updating security software and conducting system scans can help detect and mitigate such threats.
