We have been alerted to a recent Steam scam, thanks to one gamer who was quick to warn her friends, via the gaming platform's Activity feed, about her encounter with a suspected bot account.
Gamer Patrizza Vampizza posted the screenshot below as a warning about this current modus operandi:
Hey! We had a competition in the group pressureskin! Prizes - [URL]
You have been selected one of 10 random winners!
Choose any 5 item from the list on the screen!!

"Pressure" Skin is actually quite a popular group on Steam, with thousands of members. Like Patricia, others in the group appear to have received the same message, but from different private accounts. These may indeed be bots, but they could also be compromised accounts currently being used to spread the malicious link via Steam chat.
When users click the URL in the spam message, ptrnscr[DOT]su/jE8j3L/, they are directed to the page below, and the file Screenshot_3.scr (MD5 FCA73DC665FF51022A7291B76B554809) is automatically downloaded from an account on the Box file-sharing site:
The blue squiggles you see are part of the image.
Once executed, affected users won't see anything happening on their desktop, as most of the action occurs in the background. They won't see Screenshot_3.scr reading information about the system, dropping several files (two of them malicious), suppressing the error messages the system would otherwise show them, or connecting to an IP address in Russia via a port normally used by the DarkComet RAT (despite that similarity, Screenshot_3.scr is actually a NanoCore RAT - thanks, MalwareHunterTeam!). None of this is a particularly new tactic, but it is one that most users are hardly aware of.
If you want more technical detail about Screenshot_3.scr, see this Hybrid Analysis page.
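The points a defender can check for are all visible in the description above: a chat message built around a "competition" and "random winners" lure with a link, a file named like a screenshot but carrying an executable extension, the download domain, and the file hash. The triage helper below is an added example, not Malwarebytes' code; the MD5 and domain are the ones quoted in this post, while the download-log schema (name, md5, referrer) and the sample records are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Indicators quoted in the post above; everything else here is constructed.
IOC_MD5 = "fca73dc665ff51022a7291b76b554809"
IOC_DOMAINS = {"ptrnscr.su"}

# Windows runs these extensions as executables; a "screenshot" should never carry one.
EXECUTABLE_EXTS = {".scr", ".exe", ".com", ".pif", ".bat", ".cmd"}
IMAGE_HINTS = ("screenshot", "screen", "photo", "image", ".jpg", ".png", ".gif")
LURE_TERMS = ("competition", "random winners", "choose any", "prizes")
URL_RE = re.compile(r"https?://\S+|\b[\w.-]+\.[a-z]{2,}/\S*", re.I)


def looks_like_disguised_executable(filename: str) -> bool:
    """Executable extension on a file named like an image (Screenshot_3.scr, photo.jpg.scr)."""
    name = filename.lower()
    ext = name[name.rfind("."):] if "." in name else ""
    return ext in EXECUTABLE_EXTS and any(h in name[: -len(ext)] for h in IMAGE_HINTS)


def lure_indicators(message: str) -> list[str]:
    """Reasons a chat message resembles the 'you won a skin' lure: lure terms plus a link."""
    text = message.lower()
    hits = [t for t in LURE_TERMS if t in text]
    if URL_RE.search(message):
        hits.append("contains link")
    return hits


def triage_download(record: dict) -> list[str]:
    """Flag a download-log record (constructed schema: name, md5, referrer)."""
    reasons = []
    if record["md5"].lower() == IOC_MD5:
        reasons.append("md5 matches known NanoCore dropper")
    if looks_like_disguised_executable(record["name"]):
        reasons.append("executable disguised as image")
    host = urlparse(record["referrer"]).hostname or ""
    if host in IOC_DOMAINS:
        reasons.append(f"referrer {host} is a known lure domain")
    return reasons


# Constructed sample records modelled on the campaign described above.
SAMPLE_DOWNLOADS = [
    {"name": "Screenshot_3.scr", "md5": "FCA73DC665FF51022A7291B76B554809",
     "referrer": "http://ptrnscr.su/jE8j3L/"},
    {"name": "vacation.png", "md5": "0" * 32, "referrer": "https://example.com/album/"},
]
SAMPLE_CHAT = ("Hey! We had a competition in the group pressureskin! Prizes - ptrnscr.su/jE8j3L/ "
               "You have been selected one of 10 random winners!")
```

Running `triage_download` over the two sample records flags only the first one, with all three reasons, and `lure_indicators(SAMPLE_CHAT)` returns the matched lure terms plus "contains link".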
Malwarebytes Anti-Malware detects the malicious .scr file, and users are also protected from accessing the download site.
We have been featuring Steam malware distributed via chat for quite a while now, yet we continue to see users fall for the same tactic. To date, more than 1,500 users have clicked ptrnscr[DOT]su/jE8j3L/, thinking that it was actually sent to them by a fellow Steam member. Below is a geographical breakdown of these clicks, courtesy of Bitly:
For those who think their account has been hacked, please change your password, and we encourage you to tell your Steam friends about your experience.