Or maybe not.
To users looking for keygens for their Steam games, read on: we found something that will make you think twice and probably leave you steering clear of key generators forever.
Here’s the tip off. Visiting any of the three website addresses flashed on the above YouTube clip (Note: still live) leads to public portals where the purported keygen, steam Game Key Generator.exe, can be downloaded.
After running the file, users will not see any visible activities on their desktops. In the background, however, steam Game Key Generator.exe installs 7.0.1428.crx, a Google Chrome extension file found to be a Trojan spyware, that is hosted on theonlyone(dot)goodluckwith(dot)us. This .CRX file is then installed onto Chrome upon user consent.
This particular extension disguises itself as the legitimate browser plugin, avast! WebRep, a website rating tool of security software company, AVAST Software. The individual or group behind the said plugin used such an approach to hide the file’s malicious activities from unsuspecting users.
Below are our technical findings regarding this Trojan spyware:
This fake plugin executes two JS files contained in itself: webProtection.js and background, js.
Using webProtection.js, it looks out for the following strings, which are notably related to online games/gaming and email accounts, in domains the user is currently visiting:
It closely monitors the gameforge and google strings, as it is found to save the domain and log-out pages of websites containing such strings into a cookie.
Using background, js, it then sends this cookie to theonlyone(dot)goodluckwith(dot)us/request(dot)php?, including information on Chrome browser versions users are running. To save and retrieve information to and from cookies, this spyware uses the non-existent site, hochgmaoldgcdkfolpcifkifhpibhmmh(dot)com.
This fake plugin is set to get updates from theonlyone(dot)goodluckwith(dot)us/update.xml.
We are fortunate enough to also retrieve the updated version of this .CRX file, which is version 7.0.1429. On top of routines I have listed above, this has the following new ones:
- It monitors YouTube connections using the string youtu.
- If a connection is detected, it “auto-likes” the specific videos with the following IDs: Uj_FeciQWcg, xrnJe5FyEek, cjv-jYuuSp4.
Author: Jovi Umawing, Communications and Research Analyst in the GFI Security Labs in the Philippines.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.