Fake Steam Desktop Authenticator App distributing DarkCrystal RAT

I recently came across an interesting campaign that is using fake websites to distribute malware. Although this TTP is not new, it seems to be on the rise. Anecdotally, I've seen it in multiple cases in 2023, more so than before. It's difficult to quantify without doing extensive research, but it is something for other analysts to be more aware of at least.

A suspected Russia-based cybercriminal decided to clone the website of a legitimate open-source desktop app (see here) called Steam Desktop Authenticator (SDA), which is simply a convenient desktop version of the mobile authenticator app. However, for that convenience, there is a price - impersonation scams and account hijacking. The GitHub repo of the SDA app also has a warning to others about the fake versions floating around.

Figure 1: Warning from the real Steam Desktop Authenticator site

The threat actors distributing the fake version of SDA use two techniques that are effective when paired together: Site Cloning and Typo...