*SteamStealer Trojan* CSGO Simple External ESP

[[MPGH]master131]

The aforementioned thread, "CSGO Simple External ESP v1.0 By Synconan" was approved but appeared to be actually malicious. It is estimated that over 800 users downloaded and potentially ran the file without realising they may have been infected with a SteamStealer trojan.

The trojan was hidden under many layers of code making it hard to detect. It operates by decrypting these layers and then injecting the trojan into the original "CSGO ESP.exe" process.

The trojan operates by scanning Steam.exe for your Steam ID and initiating a hidden trade by trading items belonging to the following game IDs:
- 730 (Counter-Strike: Global Offensive)
- 570 (Dota 2, looks for items with these tags: common, uncommon, rare, mythical, legendary, immortal, arcana)
- 440 (Team Fortress 2)

It sends the items to the following Steam ID: 76561198136701777. Resolving this ID produces the following Steam profile page:
https://steamcommunity.com/id/synconan/

His IP's are 58.173.1.145 and 82.8.41.117 for anyone that wants revenge.

The process does appear to be "persistent" meaning that works to ensure that it keeps running no matter what you do. It does this by continuing to restart the process whenever one is closed and sets a registry key on startup called "Multimedia Class Scheduler". It is found at the following location:
HKEY_CURRENT_USER\Software\Microsoft\Windows\Run\M ultimedia Class Scheduler

Once solution suggested by @UnfairestB to combat the persistent nature of the trojan is the following:

Code:

Once the 'atiesrx.exe' pops up:
-Start task manager.
-Find "atiesrx.exe" in the list and right click it > Properties > Security tab > Edit... > Deny everything, on all accounts in the list above (if possible).
-Now apply your changes and press Ok.
-Go back to your task manager and right click "atiesrx.exe" once again > End process tree.
-Once the process is terminated it should not come back.

After the process is successfully killed along with "CSGO ESP.exe", delete the startup entry from the registry.

On behalf of MPGH Staff, I would like to apologise for what has occurred despite not being directly involved the the situation and will try my best to help those affected. I have not personally run the file myself but this is what I could gather purely from static analysis.

[Airule]

Thank you!

[Color]

I would also like to apologize on my behalf for approving the file, apparently I had not taken a look at the file at the best of my abilities. I sincerely am sorry and I hope that you all may forgive me one day.
//Stickied

I will leave the thread open to all of those who need questions answered by Master131 or other members.

[Doctor Fetus]

I would also like to apologize on my behalf for approving the file, apparently I had not taken a look at the file at the best of my abilities. I sincerely am sorry and I hope that you all may forgive me one day. As for me this will be my last moderation as minion since I can't forgive myself for approving a file that's infected so many people.

//Stickied

I will leave the thread open to all of those who need questions answered by Master131 or other members.

obviesly no one could stay mad at the one who aproves liek most of the files. i wish u could forgive urself

[Doctor Fetus]

btw how can i fix this cuz i downloaded it a while ago

[unholy1096]

I would also like to apologize on my behalf for approving the file, apparently I had not taken a look at the file at the best of my abilities. I sincerely am sorry and I hope that you all may forgive me one day. As for me this will be my last moderation as minion since I can't forgive myself for approving a file that's infected so many people.

Color, you're only human.. You really can't blame yourself for something like this. Shit happens sometimes and ultimatley we can't stay stuck in the past and think of "What if I did this instead" but instead think of what YOU can do in the future to prevent something like this happening again.

[Kieeeeeran]

Thank you, kind sir. This was really a lot of help !

[Polygon]

Isn't this the second time that this has happend?

[Bayley_LOL]

Isn't this the second time that this has happend?

Yes, this has happened before.

[Quentlor]

Since turb0z "left" every hack released thus far was either fake or complete shit. Anyways, @Color, dont blame yourself, everyone makes mistakes.

[Bayley_LOL]

Since turb0z "left" every hack released thus far was either fake or complete shit. Anyways, @Color, dont blame yourself, everyone makes mistakes.

Thanks mate, appreciate it.

In other words, fuck you.

[Quentlor]

Thanks mate, appreciate it.

In other words, fuck you.

You are welcome!

[232]

I would also like to apologize on my behalf for approving the file, apparently I had not taken a look at the file at the best of my abilities. I sincerely am sorry and I hope that you all may forgive me one day. As for me this will be my last moderation as minion since I can't forgive myself for approving a file that's infected so many people.

//Stickied

I will leave the thread open to all of those who need questions answered by Master131 or other members.

I don't think you should leave over such thing, it's just, I think we'd prefer you'd download and run the hack through Sandboxie and see whether these hacks are legit. I know it's effort, which is why I do it myself when I download hacks, just in case it decides to run some other bullshit on my PC. Also, you should make a sticky which shows a guide which shows a user how to block the program from editing anything in the SYSTEM. Regarding the hack, I disabled the access the hack had on my PC, which minimalised what the hack could do. Disabled the 'rights' the program had to SYSTEM

[Glugnie]

Sooo... Should I change my password?

[exsunny]

ehmm... ive a process called atiersxx.exe so with 2 x`s, is this the same or not ?