Trusteer’s security team recently identified a new configuration of the Ramnit malware that uses HTML injection to target Steam, the largest digital distribution platform for online gaming. In this attack Ramnit circumvents the site’s client-side password encryption while also defeating server-side detection of the injection.
With an estimated 50-70% market share, more than 2,000 titles and over 54 million active users, Steam is a perfect target for malware attacks. This is not the first time that Steam has been targeted by cybercriminals: phishing attacks and credential-stealing malware have been targeting Steam users for several years now. However, Ramnit uses much more advanced techniques both to collect data and to evade detection.
Trusteer’s security team identified the following code in Ramnit’s configuration file:
When a user accesses the Steam community login page and enters his/her username and password, the form is encrypted using the site’s public key. To overcome this client-side encryption, Ramnit injects an additional password field into the form, which allows it to capture the password in plain text. The injection of this element, denoted as pwd2, can be seen in the second part of the code shown above:
While this simple technique is good for overcoming the client-side encryption, it also raises an issue: Steam’s server is not expecting to receive this new element (pwd2) when the form is submitted. In fact, some security solutions detect man-in-the-browser (MitB) malware by looking for forms with injected elements. For example, if a form with a username and password is filled out by the user and sent to the website, the security product will scan the submission for unknown elements that may indicate HTML injection malware. If the form arrives at the website with a username, password and credit card number, this will trigger an alarm indicating that the user was the victim of a MitB attack.
To avoid detection, Ramnit simply makes sure the server never sees the injection. To do so, prior to the form being sent to the website, Ramnit removes the injected element. This can be observed in the first part of the code:
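The two detection points discussed above can be made concrete. The following Python is an added defensive example, not the Ramnit configuration referred to on this page (which is not reproduced here) and not Steam’s or Trusteer’s code. It models a server-side check that compares the field names in a submitted login form against the form’s known schema, and a client-side check that compares a snapshot of the input names present in the rendered form (taken before submission) against the same schema. The form path `/login`, the field names `username`, `password` and `remember`, and the three sample submissions are all constructed for the example; only the injected element name `pwd2` comes from the article.

```python
"""Detecting injected form elements: a server-side schema check that catches a
naive injection, and a client-side DOM snapshot check that still sees an
element which the malware strips before the form is submitted.
Added example; the form schema and sample submissions are constructed."""
from urllib.parse import parse_qs

# Constructed schema: the only field names the login form legitimately carries.
EXPECTED_FIELDS = {
    "/login": {"username", "password", "remember"},
}

# Constructed sample data.
# 1. Injection without cleanup: the server receives the extra pwd2 field.
NAIVE_SUBMISSION = "username=alice&password=ENCRYPTED_BLOB&remember=1&pwd2=plaintext"
# 2. Ramnit-style cleanup: pwd2 is removed before submission, so the body
#    looks exactly like a legitimate one.
STEALTHY_SUBMISSION = "username=alice&password=ENCRYPTED_BLOB&remember=1"
# 3. Input names observed in the rendered form before submit (as a page script
#    could report them); the injected element is still present at this point.
DOM_BEFORE_SUBMIT = ["username", "password", "remember", "pwd2"]


def unexpected_fields(form_path, field_names):
    """Return the field names that are not part of the form's schema."""
    expected = EXPECTED_FIELDS.get(form_path)
    if expected is None:
        raise KeyError(f"no schema registered for form {form_path}")
    return set(field_names) - expected


def check_server_submission(form_path, body):
    """Server-side check: parse an application/x-www-form-urlencoded body and
    list the submitted fields the schema does not define. Returns [] when the
    submission is indistinguishable from a legitimate one."""
    fields = parse_qs(body, keep_blank_values=True)
    return sorted(unexpected_fields(form_path, fields))


def check_dom_snapshot(form_path, input_names):
    """Client-side check: compare the input names present in the rendered form
    against the schema. Catches elements injected into the DOM even if they
    are removed again before the form is sent."""
    return sorted(unexpected_fields(form_path, input_names))


if __name__ == "__main__":
    print("naive injection, server side:   ",
          check_server_submission("/login", NAIVE_SUBMISSION))    # ['pwd2']
    print("pwd2 stripped, server side:     ",
          check_server_submission("/login", STEALTHY_SUBMISSION)) # []
    print("pwd2 stripped, DOM before submit:",
          check_dom_snapshot("/login", DOM_BEFORE_SUBMIT))        # ['pwd2']
```

The second result is the point of the article: once the injected element is removed before submission, a server-side scan for unknown fields has nothing to flag, so the check must run where the injection is actually visible, in the browser. The snapshot check is only as trustworthy as the script that takes it, since malware with a foothold in the browser can tamper with page scripts as easily as with forms; it raises the bar rather than settling the question.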
One might ask: why do cybercriminals go through all the trouble of injecting an element and then removing it when they could simply collect the data using Ramnit’s key-logging capability? The answer is simple: with form grabbing, the captured data arrives already indexed by field. With a key-logger, there is no indication of which characters are the username, which are the password and which are just irrelevant keystrokes; someone has to manually separate the wheat from the chaff.
Author: Etay Maor, fraud prevention manager at Trusteer.