Advanced Malware SteelFox Uses Windows Vulnerabilities for System Access
Threat Group: Unknown
Threat Type: Crimeware Bundle (Information Stealer and Cryptominer)
Exploited Vulnerabilities: CVE-2020-14979, CVE-2021-41285
Malware Used: SteelFox
Threat Score: High (8.5/10) — Due to advanced privilege escalation, data theft, and cryptocurrency mining techniques.
Last Threat Observation: November 2024
Overview
SteelFox is a sophisticated malware campaign that combines information-stealing capabilities with cryptocurrency mining. Disguised as software cracks for popular applications like Foxit PDF Editor, AutoCAD, and JetBrains, it targets users seeking unauthorized software activations. Upon execution, SteelFox escalates privileges using vulnerable drivers, enabling it to steal sensitive data and mine cryptocurrency covertly. The campaign has been active since at least February 2023 and continues to pose a significant threat.
Key Details
- Delivery Method: Distributed via forums, torrent trackers, and blogs as crack tools for popular software.
- Target: Users attempting to activate software like Foxit PDF Editor, AutoCAD, and JetBrains products without proper licensing.
- Functions:
  - Steals browser data, including cookies, credit card information, and browsing history.
  - Gathers system information, such as installed software and antivirus solutions.
  - Captures Wi-Fi passwords and network details.
  - Utilizes a modified version of the XMRig miner to mine cryptocurrency, likely Monero.
  - Establishes secure communication with command-and-control servers using TLS v1.3 and SSL pinning.
- Obfuscation: Employs AES-128 encryption and resolves the changing IP addresses of its command-and-control servers via Google Public DNS and DNS over HTTPS (DoH) to evade detection.
Attack Vectors
SteelFox is propagated through malicious posts and torrents that advertise free activation tools for popular software. Upon execution, the dropper requests administrator privileges, which it then uses to install a vulnerable driver (WinRing0.sys). This driver, susceptible to CVE-2020-14979 and CVE-2021-41285, allows the malware to escalate privileges to SYSTEM level. With elevated privileges, SteelFox installs its components, including the information stealer and the cryptominer, and establishes persistent communication with its command-and-control servers.
Known Indicators of Compromise (IoCs)
IP Addresses
205.185.115[.]5
Domains
ankjdans[.]xyz
Malicious URLs
hxxps://github[.]com/DavidNguyen67/CrackJetbrains
hxxps://github[.]com/TrungGa123/Active-all-app-Jetbrains/
hxxps://www.cloudstaymoon[.]com/2024/05/06/tools-1
hxxps://squarecircle[.]ru/Intelij/jetbrains-activator.exe
hxxps://drive.google[.]com/file/d/1bhDBVMywFg2551oMmPO3_5VaeYnj7pe5/view?usp=sharing
Mitigation and Prevention
- User Awareness: Educate users about the risks of downloading and using unauthorized software cracks.
- Email Filtering: Implement robust email filtering to block phishing attempts that may distribute malware.
- Antivirus Protection: Deploy reputable antivirus solutions capable of detecting and blocking SteelFox and similar threats.
- Two-Factor Authentication (2FA): Enforce 2FA to add an extra layer of security to user accounts.
- Monitor Logs: Regularly monitor system and network logs for unusual activities indicative of compromise.
- Regular Updates: Keep operating systems, software, and drivers updated to patch known vulnerabilities.
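As an added illustration of the "Monitor Logs" item and of the chain described under Attack Vectors (example code written for this page, not taken from any SteelFox analysis or tooling): a small Python check that flags the advisory's indicators in Sysmon-style log lines. The key=value log format, the sample lines, the browser allow-list, and the assumption that "Google Public DNS" means dns.google / 8.8.8.8 / 8.8.4.4 are all constructed for the example; the domain, IP, and driver name come from the advisory.

```python
import re
from typing import Dict, List

# Indicators taken from the advisory above (defanging brackets removed).
C2_DOMAIN = "ankjdans.xyz"
C2_IP = "205.185.115.5"
VULN_DRIVER = "winring0.sys"  # WinRing0.sys, CVE-2020-14979 / CVE-2021-41285
# Assumption: "Google Public DNS" / DoH in the advisory means these resolvers.
DOH_HOSTS = {"dns.google", "8.8.8.8", "8.8.4.4"}
BROWSERS = ("chrome.exe", "firefox.exe", "msedge.exe")  # assumed allow-list

# Constructed Sysmon-like key=value lines (sample format, not real telemetry).
SAMPLE_LOG = [
    'EventID=6 ImageLoaded="C:\\Windows\\Temp\\WinRing0.sys" Signed=true',
    'EventID=22 Image="C:\\Users\\u\\setup.exe" QueryName=ankjdans.xyz',
    'EventID=3 Image="C:\\Users\\u\\setup.exe" DestinationIp=8.8.8.8 DestinationPort=443',
    'EventID=3 Image="C:\\Program Files\\Chrome\\chrome.exe" DestinationIp=8.8.8.8 DestinationPort=443',
    'EventID=3 Image="C:\\Users\\u\\setup.exe" DestinationIp=205.185.115.5 DestinationPort=443',
    'EventID=1 Image="C:\\Windows\\System32\\notepad.exe"',
]
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line: str) -> Dict[str, str]:
    """Split one key=value line into a dict, dropping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def check_event(ev: Dict[str, str]) -> List[str]:
    """Return SteelFox-related findings for one parsed event (empty if none)."""
    findings: List[str] = []
    eid = ev.get("EventID")
    if eid == "6" and ev.get("ImageLoaded", "").lower().endswith(VULN_DRIVER):
        findings.append("vulnerable driver WinRing0.sys loaded")  # Sysmon 6: driver load
    elif eid == "22" and ev.get("QueryName", "").lower().rstrip(".") == C2_DOMAIN:
        findings.append("DNS query for SteelFox C2 domain")  # Sysmon 22: DNS query
    elif eid == "3":  # Sysmon 3: network connection
        dst = ev.get("DestinationIp", "")
        if dst == C2_IP:
            findings.append("connection to SteelFox C2 IP")
        elif (dst in DOH_HOSTS and ev.get("DestinationPort") == "443"
              and not ev.get("Image", "").lower().endswith(BROWSERS)):
            # DoH from a browser is normal; a crack/installer resolving its C2
            # over DoH is the pattern the advisory describes, so flag only those.
            findings.append("DoH lookup from non-browser process")
    return findings

def scan(lines: List[str]) -> List[str]:
    """Run check_event over every line; returns 'line N: finding' strings."""
    return [f"line {i}: {f}" for i, line in enumerate(lines)
            for f in check_event(parse_line(line))]
```

Running `scan(SAMPLE_LOG)` yields four findings: the driver load, the C2 DNS query, the DoH lookup from the installer, and the direct connection to the C2 IP; the browser's DoH traffic and the unrelated process start are not flagged.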
Conclusion
SteelFox represents a sophisticated threat that leverages social engineering and technical exploits to compromise systems. By disguising itself as legitimate software activators, it entices users into executing malicious code that steals sensitive information and misuses system resources for cryptocurrency mining. Organizations and individuals must exercise caution when downloading software, ensure systems are up-to-date, and employ comprehensive security measures to defend against such multifaceted threats.