# Hacked Steam accounts spreading Remote Access Trojan

**[bleepingcomputer.com/news/security/hacked-steam-accounts-spreading-remote-access-trojan](https://www.bleepingcomputer.com/news/security/hacked-steam-accounts-spreading-remote-access-trojan/)**

By [Lawrence Abrams](https://www.bleepingcomputer.com/author/lawrence-abrams/), September 30, 2016 08:26 PM

[Yesterday, I stumbled on a post where a Reddit user named Haydaddict was alerting people](https://www.reddit.com/r/RocketLeague/comments/54xxrz/quinn_lobdell_hacked_on_steam_please_be_aware_if/?st=itq92thv&sh=d53ca0c1) about some hacked Steam accounts spreading malware. As I am always interested in new malware, I took a look to see what could be discovered.

According to the post, the hacked accounts were being used to spam suspicious links using Steam chat. These chat messages would tell the recipient to go to videomeo.pw to watch a video.

**Steam Chats**

When the target went to the page, they would be greeted with a message stating that they needed to update Flash Player in order to watch the video.

**Fake Video Page**

If a target downloads the installer and executes it, they will find that it does not appear to do anything. This is because the Flash Player installer is actually a Trojan that executes a PowerShell script called zaga.ps1, which downloads a 7-zip archive, a 7-zip extractor, and a CMD script from the zahr.pw server.

**Zaga.ps1 PowerShell Script**

Once the files are downloaded, the PowerShell script launches the CMD file, which extracts the sharchivedmngr archive to the %AppData%\lappclimtfldr folder and configures Windows to automatically start the mcrtvclient.exe program when a user logs in. This [program is actually a renamed copy of the NetSupport Manager Remote Control Software.](http://www.netsupportmanager.com/) When the program is launched, it connects to the NetSupport gateway at leyv.pw:11678 and awaits commands.
This allows the attacker to remotely connect to the infected computer and take control of it.

**NetManager Configuration File**

For those who are concerned they are infected with this Steam Trojan, I suggest they check the %AppData% folder for the folder named above.

Furthermore, all users must be careful about what links they visit and what downloads they install. These days it is becoming more and more frequent for accounts to be hacked and then used by attackers to distribute malware. Stay vigilant, be careful, and make sure you have antivirus software installed.
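One way to act on the advice above and triage a Windows host for the indicators named in this article (the %AppData%\lappclimtfldr folder, the renamed mcrtvclient.exe NetSupport client, and sessions to gateway port 11678). This is an added example, not code from the article or from BleepingComputer. The article does not say how the autostart is configured, so the script treats the Run keys, the Startup folders and scheduled tasks as assumed mechanisms and checks all three; `Get-ScheduledTask` and `Get-NetTCPConnection` require Windows 8 / Server 2012 or later.

```powershell
# Added triage example for the indicators named in the article; not the article's own code.
# The autostart mechanism is an assumption: Run keys, Startup folders and scheduled tasks
# are all checked because the article does not say which one the CMD script used.
$DropFolder  = Join-Path $env:APPDATA 'lappclimtfldr'   # folder named in the article
$BinaryName  = 'mcrtvclient'                            # renamed NetSupport Manager client
$GatewayPort = 11678                                    # leyv.pw:11678 per the article
$Pattern     = 'lappclimtfldr|mcrtvclient'
$Findings    = New-Object System.Collections.Generic.List[string]

# 1. Dropped folder: record every file with a SHA256 so it can be compared against a
#    legitimate NetSupport Manager install instead of being deleted blindly.
if (Test-Path -LiteralPath $DropFolder) {
    $Findings.Add("Folder present: $DropFolder")
    Get-ChildItem -LiteralPath $DropFolder -Recurse -File | ForEach-Object {
        $Hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        $Findings.Add("  $($_.FullName)  SHA256=$Hash")
    }
}

# 2. Run keys (assumed autostart mechanism), per-user and machine-wide.
foreach ($Key in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run') {
    if (-not (Test-Path $Key)) { continue }
    $Props = Get-ItemProperty -Path $Key
    foreach ($Prop in $Props.PSObject.Properties) {
        if ($Prop.Name -like 'PS*') { continue }          # provider metadata, not a Run value
        if ([string]$Prop.Value -match $Pattern) {
            $Findings.Add("Run key: $Key\$($Prop.Name) = $($Prop.Value)")
        }
    }
}

# 3. Startup folder shortcuts (assumed mechanism): resolve each .lnk target.
$Shell = New-Object -ComObject WScript.Shell
foreach ($StartupDir in [Environment]::GetFolderPath('Startup'),
                        [Environment]::GetFolderPath('CommonStartup')) {
    Get-ChildItem -LiteralPath $StartupDir -Filter *.lnk -ErrorAction SilentlyContinue | ForEach-Object {
        $Target = $Shell.CreateShortcut($_.FullName).TargetPath
        if ($Target -match $Pattern) {
            $Findings.Add("Startup shortcut: $($_.FullName) -> $Target")
        }
    }
}

# 4. Scheduled tasks (assumed mechanism) whose action runs from the drop folder.
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $Task = $_
    foreach ($Action in $Task.Actions) {
        if ("$($Action.Execute) $($Action.Arguments)" -match $Pattern) {
            $Findings.Add("Scheduled task: $($Task.TaskPath)$($Task.TaskName) -> $($Action.Execute)")
        }
    }
}

# 5. Live process and any TCP session to the gateway port named in the article.
Get-Process -Name $BinaryName -ErrorAction SilentlyContinue | ForEach-Object {
    $Findings.Add("Running process: PID $($_.Id) $($_.Path)")
}
Get-NetTCPConnection -RemotePort $GatewayPort -ErrorAction SilentlyContinue | ForEach-Object {
    $Findings.Add("TCP session to port ${GatewayPort}: $($_.RemoteAddress) (owning PID $($_.OwningProcess), state $($_.State))")
}

if ($Findings.Count -eq 0) {
    Write-Output "No indicators from the article were found on this host."
} else {
    Write-Output "Indicators found:"
    $Findings | ForEach-Object { Write-Output $_ }
}
```

Run it from an elevated PowerShell prompt so the HKLM Run key, machine-wide Startup folder and all scheduled tasks are readable. A hit on the folder alone is not proof of compromise on a machine that legitimately uses NetSupport Manager, which is why the script hashes the files rather than removing them; the combination of the folder, an autostart entry pointing into it, and a session to port 11678 is the signal this article describes.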
## Comments

**[Starkman - 5 years ago](https://www.bleepingcomputer.com/forums/u/830628/starkman/)**

Hey, thanks very much for the information. Much appreciated.

**[blueicetwice - 5 years ago](https://www.bleepingcomputer.com/forums/u/835475/blueicetwice/)**

Thank you for the excellent piece, Mr Abrams! Also wishing you well in your bleeping lawsuit.

**[granada12 - 5 years ago](https://www.bleepingcomputer.com/forums/u/893853/granada12/)**

This is a new variant. Last year one of my Steam friends sent me a message with a link in it. But it was automated, not remotely operated. You should never have your information automatically filled in or saved. You never know, he could send a great gift to himself, passing through your wallet. :p

**[Pugglerock - 5 years ago](https://www.bleepingcomputer.com/forums/u/978945/pugglerock/)**

It's where the two-step authentication comes in handy. I have Steam on my phone for Steam Guard, so if someone does unfortunately manage to get a hold of my details, they won't be able to log in without the code generated from my phone.

**[granada12 - 5 years ago](https://www.bleepingcomputer.com/forums/u/893853/granada12/)**

> It's where the two-step authentication comes in handy. I have Steam on my phone for Steam Guard, so if someone does unfortunately manage to get a hold of my details, they won't be able to log in without the code generated from my phone.

True, I'm set up that way too. Very useful. :-)

**[FilledWithHate - 5 years ago](https://www.bleepingcomputer.com/forums/u/1022205/filledwithhate/)**

I wonder if having set the "ExecutionPolicy" in PowerShell to "Restricted" would have helped. Windows 10 brilliantly comes WFO in that regard.

I'm not advising anyone to do the same, but I ran "Set-ExecutionPolicy Restricted" and left it that way.

**[Daedalus_ - 5 years ago](https://www.bleepingcomputer.com/forums/u/1032190/daedalus/)**

What if I downloaded the installer on mobile but didn't run it?

**[Lawrence Abrams - 5 years ago](https://www.bleepingcomputer.com/author/lawrence-abrams/)**

Then you are fine. Malware cannot hurt you unless it's executed in some way.