It has come to our attention that a seemingly friendly comment posted to Steam profiles, inviting the recipient to join a prestigious eSports league run by ESEA, can lead to a malware infection.


Hey dude, don't know if you know the esea league (esea.net, E-Sports Entertainment) already, but if you want to play some good games with nice people and win some cash you should give it a try. The only stupid thing is that you need to pay premium to play in that League. If you want to test it out, here is a guide which explains how you get it for free. No crap, just a txt guide ;)

http://www30[dot]zippyshare[dot]com/v/10457648/file[dot]html

The message is vague and, on a closer look, quite confusing: it never says what "it" is until the recipient downloads and opens the OpenDocument (.odt) file hosted on ZippyShare. The document reads as follows:

This tool is for testing esea purposes only, if you decide to use it I take no responsibility at all for it.

What does it actually do?
The crack itself bypasses the payment check in the code, therefore you are able to login without paying.

How to setup
   * Download the crack - download link here: {link redacted} (6mb)
   * Run the setup, and follow the steps
   * Go to http://www.play.esea.net/ and register
   * Login on the crack
Common errors
The setup is not working, it doesn’t open?
   * Run it as an administrator
   * Disable antivirus, run the setup and enable it.
   * is it .zip filed? unzip it!

At this point, alarm bells should be ringing loudly in the recipient's head: a "guide" that tells you to run an unknown installer as administrator with your antivirus switched off is describing a malware installation, not a crack.

In May 2013, ESEA (E-Sports Entertainment Association) was involved in a fiasco in which its client, legitimate anti-cheat software that gamers were encouraged to download and install on their systems, was found to also be mining Bitcoin. The file discussed here, however, is not the one covered in that NBC News report.

The document refers to a file called ESEACrack.zip, which contains 22 files, including the executable installer (ESEACrack.exe) and a copy of it (uninstall.exe). Static analysis revealed that once either file is executed, it sends HTTP GET requests to retrieve information about the affected user from Steam. Specifically, the malware retrieves the following pages:

  • affected user’s profile
  • list of friends
  • inventory of items for the games Dota 2 and Counter-Strike: Global Offensive (CS:GO)
  • inventory of non-game specific items, such as cards, background images, emoticons, and gifted games
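The scraping pattern above (one client fetching a user's profile page, friends list, and several inventories within seconds, from something that is not a browser) is easy to spot in a web proxy log. The following is an added detection example, not code from the original post or from the malware; the squid-like log format, the sample log lines, the "ESEACrack/1.0" User-Agent string, and the steamcommunity.com path layout (/id/<name>, /friends, /inventory/...) are all constructed assumptions for illustration.

```python
"""
Heuristic detector for Steam-profile scraping in a proxy log.

Flags a client that, within a short window and without a browser
User-Agent, requests a Steam profile page, its friends list, and at
least one inventory page. Log format, sample lines, User-Agent and
path layout are assumptions for this example, not from the post.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed sample log: '<ISO timestamp> <client ip> <method> <url> "<user-agent>"'
SAMPLE_LOG = """\
2014-01-10T20:15:01 10.0.0.5 GET http://steamcommunity.com/id/examplegamer "ESEACrack/1.0"
2014-01-10T20:15:02 10.0.0.5 GET http://steamcommunity.com/id/examplegamer/friends "ESEACrack/1.0"
2014-01-10T20:15:03 10.0.0.5 GET http://steamcommunity.com/id/examplegamer/inventory/json/570/2 "ESEACrack/1.0"
2014-01-10T20:15:03 10.0.0.5 GET http://steamcommunity.com/id/examplegamer/inventory/json/730/2 "ESEACrack/1.0"
2014-01-10T20:15:04 10.0.0.5 GET http://steamcommunity.com/id/examplegamer/inventory/json/753/6 "ESEACrack/1.0"
2014-01-10T20:16:10 10.0.0.7 GET http://steamcommunity.com/id/othergamer "Mozilla/5.0 (Windows NT 6.1) Gecko/20100101 Firefox/26.0"
2014-01-10T20:19:30 10.0.0.7 GET http://steamcommunity.com/id/othergamer/friends "Mozilla/5.0 (Windows NT 6.1) Gecko/20100101 Firefox/26.0"
2014-01-10T20:25:00 10.0.0.7 GET http://steamcommunity.com/id/othergamer/inventory/ "Mozilla/5.0 (Windows NT 6.1) Gecko/20100101 Firefox/26.0"
"""

LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')
PROFILE_RE = re.compile(r"^/(?:id|profiles)/[^/]+/?$")
FRIENDS_RE = re.compile(r"^/(?:id|profiles)/[^/]+/friends")
INVENTORY_RE = re.compile(r"^/(?:id|profiles)/[^/]+/inventory")
BROWSER_UA_RE = re.compile(r"^(?:Mozilla|Opera)/")  # crude "looks like a browser" test
WINDOW = timedelta(seconds=60)


def classify(url):
    """Map a URL to 'profile', 'friends', 'inventory', or None if not of interest."""
    parts = urlsplit(url)
    if not parts.hostname or not parts.hostname.endswith("steamcommunity.com"):
        return None
    path = parts.path
    if PROFILE_RE.match(path):
        return "profile"
    if FRIENDS_RE.match(path):
        return "friends"
    if INVENTORY_RE.match(path):
        return "inventory"
    return None


def parse_log(text):
    """Return (timestamp, client, kind, user_agent) for every relevant GET line."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole run
        ts, client, method, url, ua = m.groups()
        kind = classify(url)
        if method != "GET" or kind is None:
            continue
        events.append((datetime.fromisoformat(ts), client, kind, ua))
    return events


def detect_profile_scrapers(log_text, window=WINDOW):
    """Return {client: details} for clients that match the scraping pattern."""
    by_client = defaultdict(list)
    for ev in parse_log(log_text):
        by_client[ev[1]].append(ev)

    flagged = {}
    for client, events in by_client.items():
        events.sort(key=lambda e: e[0])
        for i, (start, _, _, _) in enumerate(events):
            # Every request from this client that falls within the window of 'start'
            burst = [e for e in events[i:] if e[0] - start <= window]
            kinds = {e[2] for e in burst}
            if not {"profile", "friends", "inventory"} <= kinds:
                continue
            agents = {e[3] for e in burst}
            # A real user browsing their own profile also hits these pages,
            # so only flag bursts that did not come from a browser.
            if any(BROWSER_UA_RE.match(ua) for ua in agents):
                continue
            flagged[client] = {
                "user_agents": sorted(agents),
                "inventory_requests": sum(1 for e in burst if e[2] == "inventory"),
            }
            break
    return flagged


if __name__ == "__main__":
    for client, info in detect_profile_scrapers(SAMPLE_LOG).items():
        print(client, info)
```

Run against the constructed log, only 10.0.0.5 is flagged: it covers profile, friends and three inventories in four seconds from a non-browser agent, while 10.0.0.7 visits the same kinds of pages from a browser spread over ten minutes. The User-Agent check is deliberately weak (a client can lie), so treat the result as a lead to pivot on, not as proof.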

Malwarebytes Anti-Malware users are protected from this malicious file, which we detect as Trojan.MSIL.INJ.

It is difficult to determine when the first spam comments surfaced on Steam profiles, but a quick Google search shows that this campaign was active from around September until the last days of December last year, the period when ESEA Season 17 was in full swing and Season 18 registration was already open.

We have yet to see fresh posts this month. We did, however, find a Reddit post by user grAND1337 from May describing a personal encounter with a scammer using a similar ESEA lure.

While we're on the subject of cracks, we have also seen supposed "multihacking" tools for the games CS:GO and TF2. Malwarebytes detects these as Trojan.MSIL.INJ as well.

Scammers will use any ruse that piques the interest of their targets. Some are less convincing than others, but Steam users are advised to treat any invitation that asks them to act, whether it arrives via chat, profile comment, or item trade, with scrutiny, even when it comes from a friend. If a friend is seen spamming, give them a heads-up to change their account password, since their account may have been compromised.

With the ongoing seasons of competitive eSports and its ever-growing popularity, expect similar threats to appear on Steam in the future.

Jovi Umawing (Thanks to Joshua Cannell for the assist)