Contents:
A new malware named ‘SteelFox’ is actively used by threat actors to mine cryptocurrency and steal credit card data. The malware leverages the BYOVD (Bring Your Own Vulnerable Device) technique to obtain SYSTEM privileged on Windows machines.
SteelFox is distributed through forums and torrent trackers as a crack tool that activates legitimate versions of various software such as AutoCAD, Foxit PDF Editor, or JetBrains.
The malware was discovered in August but it is said to have been around since February 2023. From August until now over 10,000 SteelFox attack attempts were blocked.
How the SteelFox Infection Works
According to Kaspersky, the malware dropper comes with full instructions on how to activate the software. According to the researchers, users infect their systems with malware even though the dropper does contain the promised capability.
Adding the crack requires administrator access, which the malware employs later in the attack because the software that is being illegally activated is usually installed in the Program Files.
Researchers say that the execution chain looks legit until the final moment when the files are unpacked. They clarify that the procedure introduces a malicious function that affects the machine code that loads SteelFox.
After securing admin rights, SteelFox creates a service that runs WinRing0.sys inside, a driver vulnerable to CVE-2020-14979 and CVE-2021-41285, and that the malware uses to obtain privilege escalation to NT/SYSTEM level.
These rights grant unfettered access to any resource and process and are the strongest on a local system, surpassing those of an administrator.
According to BleepingComputer, the WinRing0.sys driver is also used for mining cryptocurrency, as it is part of the XMRig program used to mine Monero cryptocurrency.
The threat actors use a modified version of this miner executable that connects to a mining pool with hardcoded credentials.
The malware then uses TLS v1.3 and SSL pinning to connect to its command-and-control (C2) server, preventing communication from being intercepted. Besides this, it also activates the info-stealer component that extracts data from 13 web browsers, information about the system, network, and RDP connection.
Researchers also noted that SteelFox collects data such as credit cards data, browsing history, and cookies from browsers.
Even if SteelFox attacks do not have specific targets, it appears to focus on users of AutoCAD, JetBrains, and Foxit PDF Editor. From the data we have so far, it appears that the malware was used to compromise systems in Brazil, China, Russia, Mexico, India, Algeria, the UAE, Egypt, Vietnam and Sri Lanka.
The researchers claim that despite SteelFox’s recent inception, ‘it is a full-featured crimeware bundle’. The virus’s analysis reveals that its creator is proficient in C++ programming and that they were able to integrate external libraries to produce impressive malware.
If you liked this piece, you can find more on the blog. Follow us on LinkedIn, Twitter, Facebook, and YouTube for more cybersecurity news and topics.