Gamer Patrizza Vampizza posted the screenshot below as a warning about this current modus operandi:
Hey! We had a competition in the group pressureskin! Prizes - [URL] You have been selected one of 10 random winners! Choose any 5 item from the list on the screen!!
“Pressure” Skin is actually quite a popular group on Steam, with members numbering in the thousands. Like Patrizza, it appears that others within the group have received the same messages, but from different private accounts. They may indeed be bots, but it’s possible that they are also compromised accounts currently being used to spread the malicious link via Steam chat.
When users click the URL on the spam message, which is ptrnscr[DOT]su/jE8j3L/, they are directed to this page and the file, Screenshot_3.scr (MD5 FCA73DC665FF51022A7291B76B554809), is automatically downloaded from the Box file-sharing site account:
On the desktop, this .scr file looks like this (enlarged for better visibility):
The blue squiggles you see are part of the image.
Once executed, affected users won’t see anything happening on their desktop, as most of the action occurs in the background. They won’t see Screenshot_3.scr reading information about the system, dropping several files (two of them malicious), suppressing the error messages the system would otherwise show them, or connecting to an IP address in Russia via a port normally used by the DarkComet RAT (despite that similarity, Screenshot_3.scr is actually a NanoCore RAT – thanks, MalwareHunterTeam!). This is not really a new tactic; however, it is one that most users are hardly aware of.
If you want to read more of the technical details about Screenshot_3.scr, you can go to its Hybrid Analysis page.
Malwarebytes Anti-Malware detects the malicious .scr file, and users are also protected from accessing the download site.
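As an added example (not code from the original post or from Malwarebytes), here is a small triage script a defender could run over a downloads folder to flag files that use the same disguise described above: a screenshot-style name with a .scr extension, an executable (MZ) header rather than image data, and optionally a hash match against the MD5 quoted in the post. The folder contents in demo() are constructed stand-ins, not the real sample.

```python
import hashlib
import os
import re
import tempfile

# MD5 of Screenshot_3.scr as reported in the post above (lower-cased hex).
KNOWN_BAD_MD5 = {"fca73dc665ff51022a7291b76b554809"}

# Names that mimic screenshots or images but carry the .scr (screensaver) extension;
# .scr files are ordinary PE executables that Windows runs on double-click.
LURE_NAME = re.compile(r"^(screenshot|screen|img|image|photo)[_\- ]?\d*\.scr$", re.I)

def is_pe(path):
    # Every Windows executable, .scr included, starts with the "MZ" DOS header.
    with open(path, "rb") as f:
        return f.read(2) == b"MZ"

def md5_of(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def triage(directory):
    """Return [(path, [reasons])] for .scr files in directory that look like lures."""
    findings = []
    for name in os.listdir(directory):
        path = os.path.join(directory, name)
        if not os.path.isfile(path) or not name.lower().endswith(".scr"):
            continue
        reasons = []
        if LURE_NAME.match(name):
            reasons.append("screenshot-style name with .scr extension")
        if is_pe(path):
            reasons.append("PE executable (MZ header), not an image")
        if md5_of(path) in KNOWN_BAD_MD5:
            reasons.append("MD5 matches the Screenshot_3.scr sample from the post")
        if reasons:
            findings.append((path, reasons))
    return findings

def demo():
    # Constructed sample folder: a harmless MZ-header stand-in plus a real-looking PNG decoy.
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "Screenshot_3.scr"), "wb") as f:
        f.write(b"MZ" + b"\x00" * 62)
    with open(os.path.join(d, "holiday.png"), "wb") as f:
        f.write(b"\x89PNG\r\n\x1a\n")
    return triage(d)
```

The stand-in is flagged on its name and header but not on its hash, which is the expected result for any fresh variant; the PNG decoy is ignored entirely.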
We have been featuring Steam malware distributed via chat for quite a while now. Yet, we continue to see users fall for the same tactic. To date, more than 1,500 have clicked ptrnscr[DOT]su/jE8j3L/, thinking that it is actually sent to them by a fellow Steam member. Below is a geographical breakdown of these clicks, courtesy of Bitly:
Never click links in messages sent your way, especially if they are packaged as some sort of contest, without checking other sources for the message’s legitimacy. “Trust, but verify,” as they say, and we would be wise to do so. Furthermore, Steam community members must continue to look after themselves and each other by reporting suspicious accounts to Steam and telling their friends about them.
For those who think they have been hacked, please change your password, and we encourage you to tell your Steam friends about your experience.
- You Dirty RAT! Part 1 – DarkComet
- Steam Threats: What They Are and What You Can Do to Protect Your Account
- Steam IM Spam Leads to Fake Imgur Site, Malware
- Phony My Team Voice App Being Spread on Steam Chat
- Rogue .SCR File Links Circulating in Steam Chat