A variant of the Ramnit financial malware is using local Web browser injections in order to steal log-in credentials for Steam accounts, researchers said.
Ramnit is a computer worm first discovered in 2010 that spreads by infecting executable, HTML and Microsoft Office files on the local computer, said researchers from security firm Trusteer.
While in the past it targeted the financial industry, it is now branching out into other industries, researchers said.
The malware can steal browser cookies and FTP (File Transfer Protocol) credentials stored locally, but it also hooks the browser process in order to modify Web forms and inject rogue code into Web pages, a technique known as a man-in-the-browser (MitB) attack.
The MitB functionality is a common tool used by financial malware to trick online banking users into exposing their personal and financial information as well as their online banking credentials.
This new Ramnit variant targets users of Steam, one of the largest digital distribution and online multiplayer platforms for computer games, said Trusteer researchers.
The Ramnit attack circumvents the client-side encryption used for the log-in form fields and can defeat attack detection systems that might run on the server, said Etay Maor, fraud prevention manager at Trusteer.
Cybercriminals targeted Steam accounts by using key-logging malware and phishing attacks before. However, Ramnit uses more advanced techniques like Web injection to steal log-in credentials when users sign into the Steam Community site from an infected computer.
According to Maor, when a user accesses the Steam Community log-in page and enters his or her username and password, the form ends up encrypted using the site’s public key. To overcome this, Ramnit modifies the form in a way that allows it to capture the password in plain text.
The user isn’t able to tell that anything is wrong, because nothing changes on the log-in page.
Unlike HTML injections that alter the screen the user is familiar with, this injection keeps the screen as is, Maor said. However, in the background, the encrypted “password” field ends up replaced with a non-encrypted field.
When the user fills in the form and submits it, the malware intercepts the request, reads the data from the non-encrypted field and deletes the field before sending the request to the Steam Web server. Maor said this can hide the attack from security software that scans for unusual form elements in order to detect malware injections.
In the past, Ramnit has mainly targeted banks, but Trusteer researchers have already seen it used to target customers of non-banking institutions, organizations and services, Maor said. “It all depends on what the operator wants to achieve; it is a sophisticated tool that can be used for multiple targets regardless of their orientation.”