Windows users are currently at risk from a sophisticated backdoor malware campaign that is weaponizing a legitimate open-source utility known as SteamCleaner. This malicious operation leverages a compromised version of the Steam cleanup tool to establish persistent access to infected systems, allowing attackers to execute remote commands and potentially steal sensitive data.
The threat actors distribute the malware as a downloadable package from fraudulent websites, typically ones posing as sources of pirated software. Users looking for cracked software or key generators are lured into downloading a malicious installer that looks legitimate because it carries a valid digital signature. Security researchers warn that the campaign is a significant threat to anyone who does not scrutinize where their software downloads come from.
Malicious Steam Cleaner Attack Deploys Backdoor Malware
The ongoing malicious Steam Cleaner attack targets Windows machines by distributing a compromised version of the legitimate SteamCleaner utility. This open-source tool, designed to remove junk files from the Steam gaming platform, has not been updated since September 2018. The attackers have injected malicious code into the original source and are now distributing this weaponized version through unofficial channels.
According to ASEC security researchers, the malware is delivered as a 4.66MB executable named Setup.exe. Crucially, the installer is signed with a valid digital certificate issued to Taiyuan Jiankang Technology Co., Ltd. A valid signature only proves that the file was not altered after the signer produced it; it says nothing about the signer's intent. Here it lends the package a false sense of legitimacy, making reputation-based warnings and user suspicion less likely than for an unsigned download.
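The distinction between "validly signed" and "trusted" is the point a practitioner should take from the paragraph above. The following PowerShell check is an added example, not code from the article or from ASEC: it verifies an installer's Authenticode signature but treats a valid signature from a publisher you did not expect as a reason to review the file rather than run it. The publisher allowlist is a hypothetical placeholder, and the download path is assumed.

```powershell
# Added example (not from the article): a valid Authenticode signature is a
# claim about *who* signed the file, not a trust decision. Compare the signer
# against publishers you actually expect before treating the file as safe.

# Hypothetical allowlist of expected publisher subjects; replace with your own.
$ExpectedPublishers = @('CN=Example Software Publisher*')

function Test-InstallerSignature {
    param([Parameter(Mandatory)][string]$Path)

    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $hash = (Get-FileHash -Algorithm SHA256 -Path $Path).Hash

    # SignerCertificate is $null for unsigned files, so guard the property reads.
    $subject    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject }    else { $null }
    $thumbprint = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { $null }

    $allowed = $false
    foreach ($pattern in $ExpectedPublishers) {
        if ($subject -like $pattern) { $allowed = $true }
    }

    # Order matters: an invalid/missing signature is a hard stop; a valid one
    # from an unknown publisher (the SteamCleaner case) still needs a human look.
    if ($sig.Status -ne 'Valid') {
        $verdict = 'BLOCK: signature missing, invalid, or untrusted chain'
    } elseif (-not $allowed) {
        $verdict = 'REVIEW: valid signature, but publisher is not on the expected list'
    } else {
        $verdict = 'OK: valid signature from an expected publisher'
    }

    [pscustomobject]@{
        File       = $Path
        SHA256     = $hash
        Status     = $sig.Status
        Signer     = $subject
        Thumbprint = $thumbprint
        Verdict    = $verdict
    }
}

# Assumed location of the downloaded installer.
Test-InstallerSignature -Path "$env:USERPROFILE\Downloads\Setup.exe" | Format-List
```

The SHA256 and certificate thumbprint in the output are what you would pivot on when searching other hosts or checking a threat-intelligence feed; the verdict string is only a triage hint, and the allowlist has to be maintained for it to mean anything.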
Once executed, the malware installs itself in the C:\Program Files\Steam Cleaner directory. It then deploys several components, including the Steam Cleaner executable itself (Steam Cleaner.exe), configuration files, and various batch scripts. These components let the malware operate and maintain its presence on the compromised system without immediate detection.
Sophisticated Evasion Tactics and Payload Delivery
The attackers have incorporated sophisticated anti-sandbox detection mechanisms into the weaponized SteamCleaner. The malware performs extensive environmental checks, analyzing system information, enumerating network ports, querying WMI (Windows Management Instrumentation), and monitoring running processes. If the malware detects that it is running within a sandboxed environment, it will only execute the legitimate cleaning functionalities of SteamCleaner, thereby avoiding the activation of its malicious payload.
The payload delivery mechanism relies on encrypted PowerShell commands embedded in the malware. These commands install Node.js on the victim's system. After Node.js is installed, the malware downloads two distinct malicious Node.js scripts from two separate command-and-control (C2) infrastructures. Each script is then registered with the Windows Task Scheduler for persistence, so that it launches automatically at system startup and re-runs every hour.
Command-and-Control Communication Protocol
The two Node.js scripts, established by the malicious Steam Cleaner campaign, create persistent, bidirectional communication channels with their respective C2 servers. This communication is facilitated through structured JSON payloads, enabling the attackers to send commands and receive execution results. When initially connecting to the C2 infrastructure, the malware transmits comprehensive system reconnaissance data. This includes details such as the operating system type and version, hostname, system architecture, and a unique machine identifier derived from the device’s GUID.
The first script, located at C:\WCM\{UUID}\UUID and registered under the task name Microsoft/Windows/WCM/WiFiSpeedScheduler, connects to multiple C2 domains: rt-guard[.]com, 4tressx[.]com, kuchiku[.]digital, and screenner[.]com. This script is responsible for downloading files from attacker-specified URLs and executing them via CMD or PowerShell processes, giving the attackers a flexible way to deliver further malicious content or tools.
The second script operates from C:\Windows\Setting\{UUID}\UUID, with the task name Microsoft/Windows/Diagnosis/Recommended DiagnosisScheduler. This variant communicates with the C2 domain aginscore[.]com. It uses more aggressive obfuscation and executes commands directly through Node.js's native shell execution function. Its C2 communication uses two primary endpoints: /d for receiving commands from the attackers and /e for sending the results of executed commands back to the C2 server. The continued development and distribution of such malware underline the ongoing need for robust security controls and user awareness.
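The persistence chain described in the preceding sections (Node.js dropped on the host, two scripts registered as scheduled tasks under Microsoft-looking task folders, hourly re-execution, and a fixed set of C2 domains) is concrete enough to hunt for. The following PowerShell script is an added example and is not code from the article or from ASEC. The task names, task folders, drop directories and domains are taken from the text above; the node.exe heuristic, the hourly-repetition check, the DNS-cache lookup and the output shape are my own assumptions about what a responder would want in a first pass.

```powershell
# Added hunting example (not from the article): look for scheduled tasks and
# host artifacts matching the Steam Cleaner persistence described above.
# Run in an elevated PowerShell session on the host being triaged.

# Indicators quoted in the article (task paths use backslashes in Task Scheduler).
$KnownTaskNames = @('WiFiSpeedScheduler', 'Recommended DiagnosisScheduler')
$SuspiciousDirs = @('C:\WCM\', 'C:\Windows\Setting\', 'C:\Program Files\Steam Cleaner\')
$C2Domains      = @('rt-guard.com', '4tressx.com', 'kuchiku.digital', 'screenner.com', 'aginscore.com')

function Find-SuspiciousNodeTasks {
    # Windows ships its own tasks under \Microsoft\Windows\WCM and
    # \Microsoft\Windows\Diagnosis, so judge the *action*, not the folder alone.
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }   # only exec actions have a command line
            $cmdline = "$($action.Execute) $($action.Arguments)"
            $reasons = @()

            # Heuristic (assumption): node.exe launched by a scheduled task is rare
            # outside developer machines and matches the described loader.
            if ($cmdline -match '(?i)(^|[\\\s"])node(\.exe)?([\s"]|$)') { $reasons += 'action invokes node.exe' }
            foreach ($dir in $SuspiciousDirs) {
                if ($cmdline -like "*$dir*") { $reasons += "action references $dir" }
            }
            if ($KnownTaskNames -contains $task.TaskName) { $reasons += 'task name from the campaign' }

            # Hourly repetition (ISO 8601 duration PT1H) on top of a boot/logon trigger.
            $hourly = $task.Triggers | Where-Object { $_.Repetition.Interval -eq 'PT1H' }
            if ($hourly) { $reasons += 'trigger repeats every hour' }

            if ($reasons.Count -eq 0) { continue }
            $info = $task | Get-ScheduledTaskInfo
            [pscustomobject]@{
                TaskPath = $task.TaskPath
                TaskName = $task.TaskName
                Command  = $cmdline
                Triggers = ($task.Triggers | ForEach-Object { $_.CimClass.CimClassName }) -join ','
                LastRun  = $info.LastRunTime
                NextRun  = $info.NextRunTime
                Reasons  = $reasons -join '; '
            }
        }
    }
}

function Find-CampaignArtifacts {
    # Drop directories named in the article.
    foreach ($dir in $SuspiciousDirs) {
        if (Test-Path -LiteralPath $dir) {
            [pscustomobject]@{ Type = 'Directory'; Value = $dir; Note = 'exists on host' }
        }
    }
    # Node.js present at all (the loader installs it if missing).
    $node = Get-Command node.exe -ErrorAction SilentlyContinue
    if ($node) {
        [pscustomobject]@{ Type = 'Binary'; Value = $node.Source; Note = 'node.exe on PATH' }
    }
    # Recent resolutions of the quoted C2 domains (cache is volatile; absence proves nothing).
    Get-DnsClientCache -ErrorAction SilentlyContinue |
        Where-Object { $C2Domains -contains $_.Entry } |
        ForEach-Object { [pscustomobject]@{ Type = 'DNS'; Value = $_.Entry; Note = "resolved to $($_.Data)" } }
}

Find-SuspiciousNodeTasks | Format-Table -AutoSize
Find-CampaignArtifacts   | Format-Table -AutoSize
```

Treat a hit on the task-name or directory indicators as strong, and a hit on the node.exe or hourly-trigger heuristics as a lead that needs the action's command line read by a human. Because the article says the loader only fires its payload outside sandboxes, a clean dynamic-analysis verdict on Setup.exe does not rule the host out; the scheduled-task evidence above is what remains on an actually infected machine.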