New SteelFox malware hijacks Windows PCs using vulnerable driver

November 6, 2024 at 01:00PM

SteelFox is a newly discovered malware bundle that mines cryptocurrency and steals credit card data, escalating to SYSTEM privileges on Windows by abusing a known vulnerable driver. Distributed as a crack tool via forums and torrent sites, it targets users of specific software such as AutoCAD. Kaspersky reports significant detections, and the campaign has been active since early 2023.

### Meeting Takeaways on SteelFox Malware

**Overview:**
– A new malware named **SteelFox** has been identified that combines cryptocurrency mining with credit card data theft, using the “bring your own vulnerable driver” (BYOVD) technique to gain SYSTEM privileges on Windows systems.

**Distribution Method:**
– SteelFox’s malware bundle is distributed through forums and torrent sites, disguised as a crack tool for activating legitimate software applications, specifically targeting **Foxit PDF Editor**, **JetBrains**, and **AutoCAD**.

**Malware Characteristics:**
– The technique of privilege escalation using vulnerable drivers is commonly used by state-sponsored actors and ransomware groups, now extended to info-stealing malware like SteelFox.
– Kaspersky reports discovering SteelFox in August 2023; its research indicates the malware has been active since **February 2023**, with distribution expanding across multiple platforms since then.
– Kaspersky has blocked **11,000 SteelFox attacks** to date.

**Operational Mechanism:**
– The forum and torrent posts carrying the bundle provide step-by-step instructions for illegal software activation, so users install the malware alongside the software they intended to crack.
– The crack tool runs with **administrator access**, which the malware uses to create a service that loads **WinRing0.sys**, a driver with known vulnerabilities that is commonly bundled with cryptocurrency miners; exploiting the driver is what lifts the malware from administrator to SYSTEM.
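The service-creation step above leaves a record an analyst can hunt for: Windows writes a System-log Event ID 7045 (“A service was installed in the system”) whenever a new service, including a kernel-mode driver service, is registered. The following is an added example written for this page, not code from the article or from Kaspersky’s report. It parses constructed 7045 event messages (the sample events, service names and paths are invented) and flags kernel-driver services whose image is a driver on an assumed watchlist (WinRing0.sys as named above, plus WinRing0x64.sys, the 64-bit build of the same driver) or whose image lives outside System32\drivers.

```python
"""Hunt Windows System-log Event ID 7045 records for BYOVD-style driver
service installs such as the WinRing0.sys service described above.

Added example: the watchlist, the trusted-directory rule and the sample
events are assumptions constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed watchlist of driver file names no workstation should be loading
# from a freshly created service. WinRing0.sys is the name on the page;
# WinRing0x64.sys is the 64-bit build of the same driver (assumption).
VULNERABLE_DRIVER_NAMES = {"winring0.sys", "winring0x64.sys"}

# Drivers installed by Windows or by vendor installers normally live here;
# a kernel driver loaded from anywhere else deserves a second look.
TRUSTED_DRIVER_DIR = "c:\\windows\\system32\\drivers\\"

# Field lines as they appear in the 7045 message body.
_FIELD = re.compile(
    r"^(Service Name|Service File Name|Service Type|Service Start Type):\s*(.*)$",
    re.MULTILINE,
)


@dataclass
class ServiceInstall:
    record_id: int
    name: str
    image_path: str
    service_type: str
    start_type: str


def parse_7045(record_id: int, message: str) -> ServiceInstall:
    """Pull the named fields out of a 7045 event message."""
    fields: Dict[str, str] = {k: v.strip() for k, v in _FIELD.findall(message)}
    return ServiceInstall(
        record_id=record_id,
        name=fields.get("Service Name", ""),
        image_path=fields.get("Service File Name", ""),
        service_type=fields.get("Service Type", ""),
        start_type=fields.get("Service Start Type", ""),
    )


def normalize_image_path(image_path: str) -> str:
    """Reduce the path forms seen in 7045 events to a lower-case C:\\ path."""
    p = image_path.strip().strip('"').replace("/", "\\")
    p = re.sub(r"^\\\?\?\\", "", p)                          # \??\C:\x -> C:\x
    p = re.sub(r"^\\SystemRoot\\", r"C:\\Windows\\", p, flags=re.I)
    if re.match(r"^system32\\", p, re.I):                     # relative driver form
        p = "C:\\Windows\\" + p
    return p.lower()


def assess(svc: ServiceInstall) -> List[str]:
    """Return the reasons a kernel-driver service install looks suspicious."""
    reasons: List[str] = []
    if "kernel mode driver" not in svc.service_type.lower():
        return reasons  # user-mode services are out of scope for this rule
    path = normalize_image_path(svc.image_path)
    file_name = path.rsplit("\\", 1)[-1]
    if file_name in VULNERABLE_DRIVER_NAMES:
        reasons.append(f"known vulnerable driver {file_name}")
    if not path.startswith(TRUSTED_DRIVER_DIR):
        reasons.append("driver image outside System32\\drivers")
    return reasons


def hunt(events: List[Tuple[int, str]]) -> List[Tuple[ServiceInstall, List[str]]]:
    """Parse each (record id, message) pair and keep the ones that fire a rule."""
    hits = []
    for record_id, message in events:
        svc = parse_7045(record_id, message)
        reasons = assess(svc)
        if reasons:
            hits.append((svc, reasons))
    return hits


# Constructed sample events (not real log data): a driver dropped in a user
# temp directory, a stock Windows driver, a user-mode service, and the
# watchlisted driver copied into the trusted directory.
SAMPLE_EVENTS = [
    (4101, "A service was installed in the system.\n\n"
           "Service Name:  WinRing0_1_2_0\n"
           "Service File Name:  C:\\Users\\alice\\AppData\\Local\\Temp\\WinRing0x64.sys\n"
           "Service Type:  kernel mode driver\n"
           "Service Start Type:  demand start\n"
           "Service Account:  \n"),
    (4102, "A service was installed in the system.\n\n"
           "Service Name:  usbccgp\n"
           "Service File Name:  \\SystemRoot\\System32\\drivers\\usbccgp.sys\n"
           "Service Type:  kernel mode driver\n"
           "Service Start Type:  demand start\n"
           "Service Account:  \n"),
    (4103, "A service was installed in the system.\n\n"
           "Service Name:  ExampleAgent\n"
           "Service File Name:  \"C:\\Program Files\\ExampleVendor\\agent.exe\"\n"
           "Service Type:  user mode service\n"
           "Service Start Type:  auto start\n"
           "Service Account:  LocalSystem\n"),
    (4104, "A service was installed in the system.\n\n"
           "Service Name:  HwMonitor\n"
           "Service File Name:  system32\\drivers\\WinRing0.sys\n"
           "Service Type:  kernel mode driver\n"
           "Service Start Type:  demand start\n"
           "Service Account:  \n"),
]

if __name__ == "__main__":
    for svc, reasons in hunt(SAMPLE_EVENTS):
        print(f"record {svc.record_id}: service '{svc.name}' -> {svc.image_path}")
        for r in reasons:
            print(f"    {r}")
```

On a live host the same message bodies come from `Get-WinEvent -FilterHashtable @{LogName='System'; Id=7045}` (the `Message` property), so the parser can be fed exported events without change. The directory rule is deliberately broad: a legitimately signed but exploitable driver like WinRing0 is exactly the case where signature checks alone do not help, which is why the watchlist fires independently of where the file sits.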

**Functionality:**
– The SteelFox malware includes an info-stealer component that targets data from 13 web browsers, capturing sensitive information like credit card details, browsing history, and cookies.
– It connects to a command-and-control (C2) server utilizing **SSL pinning** and **TLS v1.3** for secure communication.

**Target Audience and Regional Impact:**
– SteelFox does not target specific individuals but primarily affects users of the aforementioned applications.
– Compromised systems have been reported in Brazil, China, Russia, Mexico, the UAE, Egypt, Algeria, Vietnam, India and Sri Lanka.

**Conclusion:**
– Despite its recent emergence, SteelFox is categorized as a **full-featured crimeware bundle**, indicating a high level of sophistication in its design and functionality; Kaspersky assesses it was likely developed by a skilled programmer with extensive C++ experience.

**Action Items:**
– Continuous monitoring of threat vectors associated with SteelFox.
– Encourage users to avoid cracked software and downloads from untrusted sources, and to keep security tooling updated so that known vulnerable drivers such as WinRing0.sys are blocked before a service can load them.