Full Report
I recently came across an interesting campaign that is using fake websites to distribute malware. Although this TTP is not new, it seems to be on the rise: anecdotally, I've seen it in more cases in 2023 than before. It's difficult to quantify without extensive research, but it is at least something for other analysts to be aware of.

A suspected Russia-based cybercriminal decided to clone the website of a legitimate open-source desktop app (see here) called Steam Desktop Authenticator (SDA), which is simply a convenient desktop version of the mobile authenticator app. However, that convenience comes at a price: impersonation scams and account hijacking. The GitHub repo of the SDA app also carries a warning to others about the fake versions floating around.

Figure 1: Warning from the real Steam Desktop Authenticator site

The threat actors distributing the fake version of SDA use two techniques that are effective when paired together: Site Cloning and Typosquatting.

Site Cloning involves copying all of the HTML, CSS, JavaScript, PHP, etc. code from one website and re-hosting it on your own web server. It therefore looks the same and acts the same. All the buttons on the cloned site work as they do on the original and will redirect you from the fake site to the other pages on the real site.

Typosquatting involves registering lookalike domains similar to the target's. When a user visits the site or is presented with a URL, they have to be consciously paying attention to the domain in the URL to notice that it is not the original one, e.g., github.com.
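As an added example (not code from the original post), here is a small Python lookalike-domain checker of the kind a defender can run over proxy or DNS logs to catch the homoglyph and edit-distance variants described above. The protected brand list, the homoglyph table and the `steam` keyword are my own assumptions, not anything the campaign analysis states; the defanged URLs it is run against are the ones listed in the Infrastructure Analysis section, plus one genuine github.com URL built from the same path as a control.

```python
import re

# Domains whose users we want to protect. Constructed allow-list for this
# example; the campaign impersonated GitHub release downloads.
PROTECTED_DOMAINS = ["github.com", "steampowered.com"]

# Brand words that rarely appear in a legitimate third-party download domain.
# Constructed for this example; "steam" covers the steamdesktopauthenticator
# lookalikes that the registrant data ties to the same actor.
BRAND_KEYWORDS = {"steam": "steampowered.com"}

# Visually confusable character sequences (assumed table, not exhaustive).
# The campaign's "glthub" and "gllthub" rely on 'l' reading as 'i'.
HOMOGLYPHS = {"rn": "m", "vv": "w", "l": "i", "1": "i", "|": "i", "0": "o"}


def refang(url):
    """Turn defanged hxxp://x[.]y notation back into a parseable URL."""
    return url.replace("hxxp", "http").replace("[.]", ".")


def host_of(url):
    """Extract the hostname from a (possibly defanged) URL."""
    url = refang(url).lower()
    m = re.match(r"^[a-z]+://([^/:?#]+)", url)
    return m.group(1) if m else url.split("/")[0]


def registrable_label(host):
    """Label left of the public suffix; a naive split is enough for .com/.org/.net/.ru."""
    parts = host.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def normalize(label):
    """Collapse confusable characters so 'glthub' compares equal to 'github'."""
    for src, dst in HOMOGLYPHS.items():
        label = label.replace(src, dst)
    return label


def levenshtein(a, b):
    """Classic edit distance with a two-row dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(host, max_distance=1):
    """Return (impersonated brand, reason) for a lookalike host, else None."""
    host = host.lower()
    if host in PROTECTED_DOMAINS:
        return None
    label = registrable_label(host)
    for brand in PROTECTED_DOMAINS:
        brand_label = registrable_label(brand)
        if label == brand_label:
            return (brand, "tld-swap")            # github.org vs github.com
        if normalize(label) == normalize(brand_label):
            return (brand, "homoglyph")           # glthub vs github
        d = levenshtein(normalize(label), normalize(brand_label))
        if d <= max_distance:
            return (brand, f"edit-distance-{d}")  # gthub, gllthub vs github
    for word, brand in BRAND_KEYWORDS.items():
        if word in label:
            return (brand, "brand-keyword")
    return None


def scan_urls(urls):
    """Return [(host, brand, reason)] for every URL whose host looks like a lookalike."""
    findings = []
    for url in urls:
        host = host_of(url)
        hit = classify(host)
        if hit:
            findings.append((host, hit[0], hit[1]))
    return findings


# Defanged download URLs from the report plus one genuine github.com URL as a control.
SAMPLE_URLS = [
    "hxxps://gthub[.]org/Jessecar96/SteamDesktopAuthenticator/releases/download/1.0.10/SDA-1.0.10.zip",
    "hxxp://glthub[.]org/jessecar96/steamdesktopauthenticator/releases/download/1.0.10/sda-1.0.10.zip",
    "hxxps://gllthub[.]com/Jessecar96/SteamDesktopAuthenticator/releases/download/1.0.10/sda-1.0.10.zip",
    "hxxps://steamdesktopauthenticator[.]net/",
    "https://github.com/Jessecar96/SteamDesktopAuthenticator/releases",
]

if __name__ == "__main__":
    for host, brand, reason in scan_urls(SAMPLE_URLS):
        print(f"{host:35} looks like {brand:18} ({reason})")
```

Run against the sample list, `glthub.org` is flagged as a homoglyph of `github.com`, `gthub.org` and `gllthub.com` are flagged at edit distance 1 after normalisation, `steamdesktopauthenticator.net` trips the brand keyword, and the genuine github.com URL passes. Edit-distance matching is noisy on short labels, so keep the threshold low and corroborate hits with the registrar and creation-date data of the kind listed under Infrastructure Analysis.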
Figure 2: The fake clone version of the Steam Desktop Authenticator site

If a user visits the fake version of the site, they can download a 135.08 MB ZIP file of the app, "SDA-1.0.10.zip", which I've added to VT already here: VirusTotal - File - 132985696e0932e068afc7c8c93c9f67565e12434eb860d504413e948a06d3fb

Here is an example of the malicious version of Steam Desktop Authenticator.exe inside one of these ZIPs: VirusTotal - File - d65fdeff64de39aecb66d54b9507dbda3a73b35d58311294d5867117e93e0b48

If executed, we can see a process tree involving multiple malicious commands (using a .BAT script) that ultimately disables Windows Defender and runs DCRAT.

Figure 3: Malicious SDA app process tree

The Batch script "Disable_win_defender.bat" does what it says on the tin, really. Added to VirusTotal here: VirusTotal - File - eb8ece6e556186008fd841095441a97406793a5611a2a6d9f50182fe649d8047

In short, it modifies registry keys to disable Defender Policies, deletes the Run key, and kills the running SecurityHealthService.exe process.

Figure 4: Batch script to disable Windows Defender

The final step and main aim of this fake app is the delivery of the DarkCrystal RAT (aka DCRAT). Added to VirusTotal here: VirusTotal - File - 83e90e41f6fdf724781c664e06f8172ee3e5a142f147a7fe355d5bf741cabd75

Additional context on DCRAT is available from BlackBerry (see here). In short, it's a commodity crimeware tool offered on various underground forums and Telegram channels that can be bought and deployed by any aspiring cybercriminal.
Infrastructure Analysis

The three URLs I found related to this campaign all use the same technique to pose as the SDA app:

hxxps://gthub[.]org/Jessecar96/SteamDesktopAuthenticator/releases/download/1.0.10/SDA-1.0.10.zip
hxxp://glthub[.]org/jessecar96/steamdesktopauthenticator/releases/download/1.0.10/sda-1.0.10.zip
hxxps://gllthub[.]com/Jessecar96/SteamDesktopAuthenticator/releases/download/1.0.10/sda-1.0.10.zip

The registrars, available registrant data, and AS of these domains and others related to this campaign are as follows:

gthub[.]org
Registrar: REG.RU LLC
Created on 2021-11-26
AS13335 CLOUDFLARENET
https://urlscan.io/result/08832cc7-c855-4d33-b707-4720552c5c9e/

glthub[.]org
Registrar: GoDaddy LLC
Created on 2021-11-26
AS13335 CLOUDFLARENET
https://urlscan.io/result/860ae730-65ff-4fe2-8127-c5dccda9400e/

gllthub[.]com
Registrar: REG.RU
Registrant: Maksim Erasov | [email protected]
Created on 2023-02-27
AS13335 CLOUDFLARENET
https://urlscan.io/result/fce3d43a-dbaf-4d89-892b-9ee0f477448e/

steamdesktopauthenticator[.]net
Registrar: REG.RU
Registrant: Artyom Mihaylov | [email protected]
Created on 2023-02-21
AS13335 CLOUDFLARENET
https://urlscan.io/result/91e512e9-0b12-4778-a3cc-1e16e93cb47f/

steamdesktopauthenticator[.]org
Registrar: REG.RU
Created on 2023-02-26
AS13335 CLOUDFLARENET
https://urlscan.io/result/d2397e76-57dc-495c-b122-824afad5cc93/

steamauthenticator[.]net
Registrar: REG.RU
Registrant: Petr Abramov | [email protected]
Created on 2022-02-25
AS13335 CLOUDFLARENET
https://urlscan.io/result/46ddf176-8131-4033-8b90-85542b362389/

steamdesktopauthenticator[.]ru
Registrar: REG.RU
Created on 2022-09-06
AS13335 CLOUDFLARENET
https://urlscan.io/result/96db56a5-bafc-4481-98ba-443ebfe16d9f/

Indicators of Compromise

Steam Desktop Authenticator.exe
d65fdeff64de39aecb66d54b9507dbda3a73b35d58311294d5867117e93e0b48

Disable_win_defender.bat
eb8ece6e556186008fd841095441a97406793a5611a2a6d9f50182fe649d8047

DCRatBuild.exe
83e90e41f6fdf724781c664e06f8172ee3e5a142f147a7fe355d5bf741cabd75

VirusTotal - Collections
AlienVault - Open Threat Exchange
Analysis Summary
# Tool/Technique: DarkCrystal RAT (DCRAT) via Fake Steam Desktop Authenticator
## Overview
This campaign involves a threat actor distributing the DarkCrystal RAT (DCRAT) by cloning the website of a legitimate open-source application, Steam Desktop Authenticator (SDA). The delivery mechanism relies on social engineering techniques like Site Cloning and Typosquatting to trick users into downloading and executing a malicious package.
## Technical Details
- Type: Malware family (Remote Access Trojan)
- Platform: Windows (implied by disabling Windows Defender and use of .BAT scripts)
- Capabilities: Remote code execution, system persistence, disabling security controls (Windows Defender), information theft (implied by RAT functionality).
- First Seen: Context suggests recent activity in 2023.
## MITRE ATT&CK Mapping
This summary focuses on the delivery and execution phases observed:
- **TA0001 - Initial Access**
  - T1189 - Drive-by Compromise (via visiting a compromised/cloned website)
- **TA0002 - Execution**
  - T1204.002 - User Execution: Malicious File
- **TA0005 - Defense Evasion**
  - T1562.001 - Impair Defenses: Disable or Modify Tools (disabling Windows Defender)
- **TA0011 - Command and Control**
  - T1071.001 - Application Layer Protocol: Web Protocols (implied DCRAT C2)
## Functionality
### Core Capabilities
- **Initial Deployment:** Delivered via an installer disguised as the Steam Desktop Authenticator (`SDA-1.0.10.zip` containing `Steam Desktop Authenticator.exe`).
- **Security Disablement:** Executes a Batch script (`Disable_win_defender.bat`) to hinder security monitoring.
- **Malware Execution:** Launches the DarkCrystal RAT (DCRAT) after disabling defenses.
### Advanced Features
- **Windows Defender Disablement:** The Batch script actively modifies registry keys related to Defender Policies, deletes the Run key (potential persistence cleanup/disruption), and terminates the `SecurityHealthService.exe` process.
- **DCRAT Payload:** Utilizes the commodity crimeware tool DCRAT for persistent remote access and control.
## Indicators of Compromise
- File Hashes (SHA-256):
  - Infection package (ZIP, `SDA-1.0.10.zip`): `132985696e0932e068afc7c8c93c9f67565e12434eb860d504413e948a06d3fb`
  - Malicious EXE (`Steam Desktop Authenticator.exe`): `d65fdeff64de39aecb66d54b9507dbda3a73b35d58311294d5867117e93e0b48`
  - Disable Script (`Disable_win_defender.bat`): `eb8ece6e556186008fd841095441a97406793a5611a2a6d9f50182fe649d8047`
  - DCRAT Payload (`DCRatBuild.exe`): `83e90e41f6fdf724781c664e06f8172ee3e5a142f147a7fe355d5bf741cabd75`
- File Names:
  - `SDA-1.0.10.zip`
  - `Steam Desktop Authenticator.exe`
  - `Disable_win_defender.bat`
  - `DCRatBuild.exe`
- Registry Keys: Modified keys related to Defender Policies (the specific keys are not listed in the report, only described as modified).
- Network Indicators: None explicitly provided for DCRAT C2; the defanged download URLs and lookalike domains are listed under Infrastructure Analysis above.
- Behavioral Indicators:
  - Execution chain involving a BAT script launching an EXE.
  - Process termination of `SecurityHealthService.exe`.
  - Modification of system security settings (Windows Defender).
## Associated Threat Actors
- Suspected Russia-based cybercriminal (Attribution is speculative based on the analyst note).
## Detection Methods
- Signature-based detection: Using hashes of the identified files.
- Behavioral detection: Monitoring for processes disabling Windows Defender services or modifying related registry paths.
- YARA rules: (Not provided in the source text).
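The Batch-script behaviour described in the full report (Defender policy registry writes, Run key deletion, termination of `SecurityHealthService.exe`) and the behavioral detection bullet above can be turned into a concrete correlation rule. The following Python is an added example, not part of the original report or of any vendor product: it classifies Sysmon-style registry and process events and raises one alert per host when two or more of the three indicator types occur within five minutes. The JSON event lines are constructed for the example; because the report does not name the specific registry values the script touches, the rule matches on the well-known Defender policy hive and Run key parents rather than on particular values, and the `DisableAntiSpyware` value and `taskkill` command line in the sample are illustrative assumptions, not observations from the campaign.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Registry locations of interest. The report only says the script "modifies
# registry keys to disable Defender Policies" and "deletes the Run key", so we
# match on the well-known parents of those keys rather than on specific values.
DEFENDER_POLICY_ROOT = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender"
RUN_KEY_SUFFIX = r"\Microsoft\Windows\CurrentVersion\Run"
TARGET_PROCESS = "securityhealthservice.exe"
WINDOW = timedelta(minutes=5)


def classify_event(ev):
    """Map one Sysmon-style event (dict) to an indicator category, or None."""
    eid = ev.get("EventID")
    target = ev.get("TargetObject", "")
    image = ev.get("Image", "").lower()
    cmdline = ev.get("CommandLine", "").lower()
    # Sysmon 13 = registry value set; a write under the Defender policy hive
    # is the core of the "disable Defender" step.
    if eid == 13 and target.startswith(DEFENDER_POLICY_ROOT):
        return "defender_policy_write"
    # Sysmon 12 = registry key create/delete; deleting a Run key wipes autostarts.
    if eid == 12 and ev.get("EventType") == "DeleteKey" and target.endswith(RUN_KEY_SUFFIX):
        return "run_key_delete"
    # Sysmon 1 = process create; taskkill aimed at the Security Health service.
    if eid == 1 and image.endswith("\\taskkill.exe") and TARGET_PROCESS in cmdline:
        return "securityhealth_kill"
    # Sysmon 5 = process terminated; the service itself going away.
    if eid == 5 and image.endswith("\\" + TARGET_PROCESS):
        return "securityhealth_kill"
    return None


def correlate(lines, min_categories=2):
    """Return [(computer, first_seen_iso, [categories])] for every host where at
    least min_categories distinct indicator types occur within WINDOW."""
    hits = defaultdict(list)
    for line in lines:
        ev = json.loads(line)
        category = classify_event(ev)
        if category:
            hits[ev["Computer"]].append((datetime.fromisoformat(ev["UtcTime"]), category))
    alerts = []
    for computer, events in hits.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            seen = {c for t, c in events[i:] if t - t0 <= WINDOW}
            if len(seen) >= min_categories:
                alerts.append((computer, t0.isoformat(), sorted(seen)))
                break  # one alert per host is enough for triage
    return alerts


# Constructed Sysmon-style events: one infected host (WS01) and benign noise (WS02).
SAMPLE_EVENTS = [
    r'{"EventID": 1, "Computer": "WS01", "UtcTime": "2023-03-01T10:00:01", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd /c Disable_win_defender.bat"}',
    r'{"EventID": 13, "Computer": "WS01", "UtcTime": "2023-03-01T10:00:03", "EventType": "SetValue", "TargetObject": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware", "Details": "DWORD (0x00000001)"}',
    r'{"EventID": 13, "Computer": "WS01", "UtcTime": "2023-03-01T10:00:04", "EventType": "SetValue", "TargetObject": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableRealtimeMonitoring", "Details": "DWORD (0x00000001)"}',
    r'{"EventID": 12, "Computer": "WS01", "UtcTime": "2023-03-01T10:00:05", "EventType": "DeleteKey", "TargetObject": "HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"}',
    r'{"EventID": 1, "Computer": "WS01", "UtcTime": "2023-03-01T10:00:06", "Image": "C:\\Windows\\System32\\taskkill.exe", "CommandLine": "taskkill /f /im SecurityHealthService.exe"}',
    r'{"EventID": 13, "Computer": "WS02", "UtcTime": "2023-03-01T10:00:07", "EventType": "SetValue", "TargetObject": "HKCU\\Software\\Microsoft\\Office\\16.0\\Common\\LastVisited", "Details": "1"}',
    r'{"EventID": 5, "Computer": "WS02", "UtcTime": "2023-03-01T10:00:08", "Image": "C:\\Windows\\System32\\notepad.exe"}',
]

if __name__ == "__main__":
    for computer, first_seen, categories in correlate(SAMPLE_EVENTS):
        print(f"ALERT {computer} at {first_seen}: {', '.join(categories)}")
```

Requiring at least two indicator categories keeps a single legitimate policy write (for example one pushed by Group Policy) from alerting on its own; if your telemetry records the writing process, excluding the Group Policy client from the `defender_policy_write` match reduces noise further. The two-category threshold still fires on WS01 with all three categories present, and nothing fires on WS02.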
## Mitigation Strategies
- **Prevention:** Users should only download software from official, verified sources (e.g., checking the URL domain carefully, avoiding typosquatted links).
- **Hardening Recommendations:** Ensure robust endpoint detection and response (EDR) solutions are in place to monitor process injection and security control modifications. Regularly update security definitions to detect known commodity RATs like DCRAT.
## Related Tools/Techniques
- **Techniques:** Site Cloning, Typosquatting.
- **Malware/Tools:** DarkCrystal RAT (DCRAT) - A known commodity crimeware tool.