Man
Professional
The malware goes global, attacking users in 10 countries.
The new SteelFox malware package is distributed through forums and torrent trackers, posing as activators (cracks) for programs such as Foxit PDF Editor, JetBrains products, and AutoCAD. Once installed, SteelFox both mines the Monero cryptocurrency and steals credit card data, and it loads a vulnerable driver to escalate its privileges on Windows systems.
SteelFox was identified in August by researchers from Kaspersky Lab, but it has existed since February 2023; its distribution has increased noticeably since then. In recent months, the company's products have detected and blocked more than 11,000 infection attempts by this malware.
SteelFox uses the BYOVD (Bring Your Own Vulnerable Driver) technique, previously associated mostly with state-sponsored actors and ransomware groups. Here the malware exploits the CVE-2020-14979 (CVSS 7.8) and CVE-2021-41285 (CVSS 7.8) vulnerabilities to obtain NT AUTHORITY\SYSTEM, the highest privilege level on the infected system.
Having obtained administrator rights, SteelFox creates a service that loads the "WinRing0.sys" driver, which gives it full control over the system. The same driver is also used for cryptomining, since the malware has the XMRig miner built in. SteelFox communicates with its C&C server over TLS 1.3 with SSL pinning, which makes intercepting its traffic difficult.
Besides cryptomining, SteelFox acts as an information stealer, collecting data from 13 web browsers as well as system and network information. The stolen data include credit card details, browsing history, and cookies, which poses a serious threat to user privacy.
SteelFox's command-and-control infrastructure relies on hidden domains whose IP addresses change periodically; the malware resolves them through Google Public DNS and DNS over HTTPS (DoH). Although the malware does not target specific countries, Kaspersky Lab experts have observed its activity in Brazil, China, Russia, Mexico, the United Arab Emirates, Egypt, Algeria, Vietnam, India, and Sri Lanka.
Despite its recent emergence, SteelFox is already highly functional, which reflects the skill of its developer, who has integrated external libraries and advanced features into the software.
Source
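The two observable signals in the chain above are the BYOVD driver load (a service created for WinRing0.sys, often from a non-standard path) and C2 resolution through Google Public DNS / DoH from a process that is not a browser. The following is an added detection sketch, not Kaspersky's code or anything from the SteelFox sample: it runs two such rules over constructed, Sysmon-like key=value log lines. The log format, the event names, the field names, the 64-bit driver filename WinRing0x64.sys and the browser allowlist are all assumptions for the illustration; the Google Public DNS addresses and the dns.google DoH host are real.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample telemetry for the demo (not real logs). One event per line,
# key=value pairs; values with spaces are double-quoted.
SAMPLE_LOG = """\
ts=2024-11-01T10:00:01Z event=service_install name=WinRing0_1_2_0 image="C:\\Windows\\Temp\\WinRing0.sys" user=SYSTEM
ts=2024-11-01T10:00:02Z event=driver_load image="C:\\Windows\\Temp\\WinRing0.sys" signer="OpenLibSys.org"
ts=2024-11-01T10:00:03Z event=net_connect image="C:\\Users\\bob\\Downloads\\FoxitActivator.exe" dst=8.8.8.8 dport=443
ts=2024-11-01T10:00:04Z event=dns_query image="C:\\Program Files\\Mozilla Firefox\\firefox.exe" query=dns.google
ts=2024-11-01T10:00:05Z event=net_connect image="C:\\Program Files\\Mozilla Firefox\\firefox.exe" dst=8.8.4.4 dport=443
ts=2024-11-01T10:00:06Z event=service_install name=Spooler image="C:\\Windows\\System32\\spoolsv.exe" user=SYSTEM
ts=2024-11-01T10:00:07Z event=driver_load image="C:\\Windows\\System32\\drivers\\tcpip.sys" signer="Microsoft Windows"
"""

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Driver names tied to this campaign in the article (WinRing0.sys); the 64-bit
# filename is an assumption. Extend with your own vulnerable-driver blocklist.
ABUSED_DRIVERS = {"winring0.sys", "winring0x64.sys"}
GOOGLE_DNS = {"8.8.8.8", "8.8.4.4"}          # Google Public DNS anycast addresses
DOH_HOSTS = {"dns.google"}                    # Google's DoH endpoint
# Processes expected to speak DoH legitimately (assumed allowlist).
BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe", "brave.exe", "opera.exe"}
DRIVER_DIR = PureWindowsPath(r"C:\Windows\System32\drivers")


def parse_events(text):
    """Parse key=value lines (quoted values may contain spaces) into dicts."""
    events = []
    for line in text.splitlines():
        if line.strip():
            events.append({k: (q or u) for k, q, u in KV_RE.findall(line)})
    return events


def detect(events):
    """Return (rule, image) pairs for events matching the SteelFox-style signals."""
    alerts = []
    for ev in events:
        kind = ev.get("event")
        image = ev.get("image", "")
        name = PureWindowsPath(image).name.lower()
        if not name:
            continue
        # Signal 1: BYOVD. A known-abused driver being registered or loaded, or
        # any driver loaded from outside the system driver directory.
        if kind in ("service_install", "driver_load") and name.endswith(".sys"):
            if name in ABUSED_DRIVERS:
                alerts.append(("byovd_known_driver", image))
            elif PureWindowsPath(image).parent != DRIVER_DIR:
                alerts.append(("byovd_unusual_driver_path", image))
        # Signal 2: C2 resolution via Google Public DNS / DoH by a non-browser.
        doh = (kind == "net_connect" and ev.get("dst") in GOOGLE_DNS and ev.get("dport") == "443") \
            or (kind == "dns_query" and ev.get("query") in DOH_HOSTS)
        if doh and name not in BROWSERS:
            alerts.append(("doh_non_browser", image))
    return alerts


def steelfox_like(alerts):
    """True when both signals are present on the same host's timeline."""
    rules = {r for r, _ in alerts}
    return bool(rules & {"byovd_known_driver", "byovd_unusual_driver_path"}) and "doh_non_browser" in rules


if __name__ == "__main__":
    found = detect(parse_events(SAMPLE_LOG))
    for rule, image in found:
        print(f"{rule}: {image}")
    print("SteelFox-like chain:", steelfox_like(found))
```

Each signal alone is noisy (developer tools also ship WinRing0; browsers use DoH by design), so the correlation in `steelfox_like` is what makes it worth paging on. Detection complements, rather than replaces, the preventive control: Microsoft's vulnerable driver blocklist and HVCI stop the WinRing0.sys load in the first place.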