Advanced Malware SteelFox Uses Windows Vulnerabilities for System Access
Threat Group: Unknown
Threat Type: Crimeware Bundle (Information Stealer and Cryptominer)
Exploited Vulnerabilities: CVE-2020-14979, CVE-2021-41285
Malware Used: SteelFox
Threat Score: High (8.5/10) — Due to advanced privilege escalation, data theft, and cryptocurrency mining techniques.
Last Threat Observation: November 2024
Overview
SteelFox is a sophisticated malware campaign that combines information-stealing capabilities with cryptocurrency mining. Disguised as software cracks for popular applications like Foxit PDF Editor, AutoCAD, and JetBrains, it targets users seeking unauthorized software activations. Upon execution, SteelFox escalates privileges using vulnerable drivers, enabling it to steal sensitive data and mine cryptocurrency covertly. The campaign has been active since at least February 2023 and continues to pose a significant threat.
Key Details
- Delivery Method: Distributed via forums, torrent trackers, and blogs as crack tools for popular software.
- Target: Users attempting to activate software like Foxit PDF Editor, AutoCAD, and JetBrains products without proper licensing.
- Functions:
  - Steals browser data, including cookies, credit card information, and browsing history.
  - Gathers system information, such as installed software and antivirus solutions.
  - Captures Wi-Fi passwords and network details.
  - Utilizes a modified version of the XMRig miner to mine cryptocurrency, likely Monero.
  - Establishes secure communication with command-and-control servers using TLS v1.3 and SSL pinning.
- Obfuscation: Employs AES-128 encryption, and its command-and-control IP address changes dynamically, with the malware resolving it through Google Public DNS and DNS over HTTPS (DoH) to evade detection.
Attack Vectors
SteelFox is propagated through malicious posts and torrents that advertise free activation tools for popular software. Upon execution, the dropper requests administrator privileges, which it later uses to install a vulnerable driver (WinRing0.sys). This driver is affected by CVE-2020-14979 and CVE-2021-41285, and the malware abuses it to escalate privileges to the SYSTEM level. With elevated privileges, SteelFox installs its components, including the information stealer and cryptominer, and establishes persistent communication with its command-and-control servers.
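As an added detection example (not part of this advisory), the following Python scans a Sysmon-style JSON-lines export for the behaviours described above: loading of the WinRing0 driver (Sysmon Event ID 6), connections to the listed C2 IP (Event ID 3), and DNS queries for the listed domain (Event ID 22). The Sysmon field names are real; the export layout and the sample events are constructed assumptions.

```python
import json

# Indicators and the abused driver name are taken from this advisory.
KNOWN_BAD_IPS = {"205.185.115.5"}
KNOWN_BAD_DOMAINS = {"ankjdans.xyz"}
VULNERABLE_DRIVERS = {"winring0.sys", "winring0x64.sys"}

# Constructed sample: Sysmon-style events as JSON lines. Field names
# (ImageLoaded, DestinationIp, QueryName) follow Sysmon; the JSON-lines
# layout is an assumption, so adapt the loader to your SIEM's export.
SAMPLE_LOG = r"""
{"EventID": 6, "ImageLoaded": "C:\\ProgramData\\wr\\WinRing0x64.sys"}
{"EventID": 3, "Image": "C:\\Users\\u\\AppData\\Local\\Temp\\svc.exe", "DestinationIp": "205.185.115.5", "DestinationPort": 443}
{"EventID": 22, "Image": "C:\\Users\\u\\AppData\\Local\\Temp\\svc.exe", "QueryName": "ankjdans.xyz"}
{"EventID": 3, "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "DestinationIp": "203.0.113.7", "DestinationPort": 443}
"""


def driver_basename(path):
    """Return the lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(event):
    """Return a finding string for one event, or None if nothing matched."""
    eid = event.get("EventID")
    if eid == 6:  # driver loaded
        if driver_basename(event.get("ImageLoaded", "")) in VULNERABLE_DRIVERS:
            return f"vulnerable driver loaded: {event['ImageLoaded']}"
    elif eid == 3:  # network connection
        if event.get("DestinationIp") in KNOWN_BAD_IPS:
            return f"connection to known C2 IP {event['DestinationIp']} by {event.get('Image')}"
    elif eid == 22:  # DNS query
        qname = event.get("QueryName", "").lower().rstrip(".")
        if qname in KNOWN_BAD_DOMAINS or any(qname.endswith("." + d) for d in KNOWN_BAD_DOMAINS):
            return f"DNS query for known C2 domain {qname} by {event.get('Image')}"
    return None


def scan_log(text):
    """Scan a JSON-lines export and return the findings in log order."""
    findings = []
    for line in text.splitlines():
        if line.strip():
            finding = check_event(json.loads(line))
            if finding:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print("ALERT:", f)
```

Because SteelFox resolves its servers over DNS over HTTPS, the domain will rarely show up as a conventional DNS query event; the driver-load and direct-IP checks are the more reliable signals.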
Known Indicators of Compromise (IoCs)
File Hashes
IP Addresses
205.185.115[.]5
Domains
ankjdans[.]xyz
Malicious URLs
hxxps://github[.]com/DavidNguyen67/CrackJetbrains
hxxps://github[.]com/TrungGa123/Active-all-app-Jetbrains/
hxxps://www.cloudstaymoon[.]com/2024/05/06/tools-1
hxxps://squarecircle[.]ru/Intelij/jetbrains-activator.exe
hxxps://drive.google[.]com/file/d/1bhDBVMywFg2551oMmPO3_5VaeYnj7pe5/view?usp=sharing
Mitigation and Prevention
- User Awareness: Educate users about the risks of downloading and using unauthorized software cracks.
- Email Filtering: Implement robust email filtering to block phishing attempts that may distribute malware.
- Antivirus Protection: Deploy reputable antivirus solutions capable of detecting and blocking SteelFox and similar threats.
- Two-Factor Authentication (2FA): Enforce 2FA to add an extra layer of security to user accounts.
- Monitor Logs: Regularly monitor system and network logs for unusual activities indicative of compromise.
- Regular Updates: Keep operating systems, software, and drivers updated to patch known vulnerabilities.
Conclusion
SteelFox represents a sophisticated threat that leverages social engineering and technical exploits to compromise systems. By disguising itself as legitimate software activators, it entices users into executing malicious code that steals sensitive information and misuses system resources for cryptocurrency mining. Organizations and individuals must exercise caution when downloading software, ensure systems are up-to-date, and employ comprehensive security measures to defend against such multifaceted threats.