Overview of SteelFox Malware
A new malware, identified as SteelFox, is targeting Windows systems by exploiting vulnerable drivers to gain elevated privileges, which can ultimately lead to the theft of users’ credit card information.
According to reports from Bleeping Computer, SteelFox is distributed through forums and torrent sites, masquerading as a fake cracking tool. It often appears as an activator for legitimate software, including Foxit PDF Editor, JetBrains, and AutoCAD, which entices users to download it. Though discovered in August 2023, cybersecurity firm Kaspersky has traced the malware’s origins back to February 2023, noting its growing prevalence across various channels, including blogs and forum posts.
SteelFox employs a widely exploited technique via the WinRing0.sys driver, which has vulnerabilities that hacker groups can utilize. By leveraging these vulnerabilities—identified as CVE-2020-14979 and CVE-2021-41285—SteelFox can elevate access permissions to the NT/SYSTEM level, granting hackers unrestricted access to the device’s resources.
When users install these fake crack tools, they inadvertently grant administrative access, setting the stage for SteelFox to operate. Initially, the malware appears to be legitimate software. However, once the files are extracted, it installs additional malicious components, enabling the download of SteelFox itself.
Once administrative rights are acquired, SteelFox activates a service that runs WinRing0.sys. This driver is associated with XMRig, a Monero cryptocurrency mining software. Kaspersky researchers note that the XMRig variant within SteelFox has been modified to connect to a mining pool with pre-encrypted credentials, allowing it to utilize the victim’s system resources for cryptocurrency mining.
SteelFox utilizes a fixed Command and Control (C2) domain, yet attackers can obscure it by altering the IP address and utilizing Google’s public DNS or DNS over HTTPS (DoH), complicating malware tracking efforts.
In addition to its cryptocurrency mining capabilities, SteelFox integrates tools for data theft, collecting information from 13 different web browsers. This includes browsing history, cookies, and credit card information. The malware also gathers system details, network information, and data regarding remote connections (RDP). The collected information is transmitted securely to the hacker’s C2 server, employing SSL pinning and TLS v1.3 to avoid detection and interception.
Since its emergence, Kaspersky reports having blocked SteelFox over 11,000 times, although the actual number of infected devices may be significantly higher. Victims span various countries worldwide, with the malware primarily targeting users who download software like AutoCAD, JetBrains, and Foxit PDF Editor.
Despite being a recent discovery, SteelFox is recognized as a sophisticated malware package. Kaspersky attributes its development to a highly skilled expert in C++ programming, demonstrating a professional understanding of integrating external libraries into the malware.
To mitigate the risks associated with SteelFox and similar threats, experts recommend exercising caution when downloading free activation software from unofficial sources. Users are encouraged to use legitimate software and ensure their operating systems are regularly updated to enhance security.
