Today, we're going to look at a file served up from a fake Twitch blog (now offline) which was located at
Claiming to offer up an audio protocol for streamers , the "Audio fix" steals the targeted Twitch streamer's Stream key, passing it to the creator of the file.
The Stream key allows the person responsible for the malware to take ownership of the channel stream and send out whatever shock memes / images / videos they feel like to the assembled channel viewers.
By the time the original streamer has regained control, the Stream key stealer would likely have caused the viewers to have abandoned ship.
More often than not, potential victims would have to succumb to a spot of social engineering to hand it over (typically involving more than one person), but this sets the entry barrier at "Run this file, lol".
Here's the fake blog, made to look like an official Twitch page:
Titled "New audio protocol", the blog post says that you'll need to run a "Small BAT file" to "detect whether you have OBS and xSplit and proceed to patch it accordingly".
From the fake blog:
If your browser states that the file may be malicious, it is mostly due to the file format. We may fix these issues at a later date.
1. Download the file below, you can choose the .ZIP or .RAR 2. Extract the .ZIP or .RAR 3. Run the .EXE file within it 3.5 If Windows 8 presents the "SmartScreen" filter, click "More info" and "Run anyway" 4 Drink some lemonade while our Hotfix patches the necessary files 5 Restart your computer and get back to streaming Unfortunately, you may need something a little more useful than lemonade to regain control of your Twitch stream by the time the file has done its work.
The Twitch audio fix file is a C program written with the Python C API, which means it requires python libraries to run (version 3.4, in case you were wondering). It looks for library.zip, or python34.dll in order to run correctly. Without these, you'll just experience errors should you try to run it.
Errors would be a good thing for potential victims - there's no danger if it won't work, right? - except that everything including the library.zip and some dll files are bundled in with the Twitch Audio fix at download.
Here's the message from the terminal once the so-called Audio fix is fired up. It targets Twitch users logged into either Chrome or Firefox.
Error occurred while trying to get credentials, trying again
^ This message is displayed because the file is looking for logged-in Twitch credentials in Chrome (which wasn't open here while testing). Testing with Chrome open resulted in a crash, so it's possible that side of things may be broken.
Connecting to twitch servers (this may take a while) Verifying Twitch connection... Obtained Twitch settings Sending Twitch settings to the mainframe Twitch server, please wait
^ This is related to the altogether more successful attempt at lifting credentials from Firefox.
The error has been fixed on an account
^ The "error" is that your channel name wasn't what the file creators would like it to be. Hence, they've changed it for you:
Le Toucan has Arrived
Toucans? Well, the toucan landing in your chat stream is related to a popular ASCII meme in Twitch and other circles.
Here's the POST to twitch, bringing tidings of Toucans:
...and the response, letting you know that the change has been accepted:
It then makes a GET request for /kraken/channel?on_site=1 HTTP/1.1. The below shot contains the user email and stream key.
Below you can see the various bits and pieces of information going out via IRC:
Finally, here's the IP, city, hostname and other information showing in Fiddler:
Users of Malwarebytes Anti-Malware will find we detect the file as Trojan.Passwords.Twitch.
Twitch raids are extremely common, and many dubious files can be found floating around in Twitch chat channels. Many of them are fairly standard efforts (deleting files or spamming pornography websites) but this one has had a little more thought put into it.
Gamers making use of Twitch services should be careful around downloads in streaming land - as great as Toucans are, I'm not sure your gaming stream is the best place for them.
Christopher Boyd (Thanks to Joshua for additional research)