Advanced Malware SteelFox Uses Windows Vulnerabilities for System Access

Threat Group: Unknown
Threat Type: Crimeware Bundle (Information Stealer and Cryptominer)
Exploited Vulnerabilities: CVE-2020-14979, CVE-2021-41285
Malware Used: SteelFox
Threat Score: High (8.5/10) — Due to advanced privilege escalation, data theft, and cryptocurrency mining techniques.
Last Threat Observation: November 2024


Overview

SteelFox is a sophisticated malware campaign that combines information-stealing capabilities with cryptocurrency mining. Disguised as software cracks for popular applications like Foxit PDF Editor, AutoCAD, and JetBrains, it targets users seeking unauthorized software activations. Upon execution, SteelFox escalates privileges using vulnerable drivers, enabling it to steal sensitive data and mine cryptocurrency covertly. The campaign has been active since at least February 2023 and continues to pose a significant threat.


Key Details

  • Delivery Method: Distributed via forums, torrent trackers, and blogs as crack tools for popular software.
  • Target: Users attempting to activate software like Foxit PDF Editor, AutoCAD, and JetBrains products without proper licensing.
  • Functions:
    • Steals browser data, including cookies, credit card information, and browsing history.
    • Gathers system information, such as installed software and antivirus solutions.
    • Captures Wi-Fi passwords and network details.
    • Utilizes a modified version of the XMRig miner to mine cryptocurrency, likely Monero.
    • Establishes secure communication with command-and-control servers using TLS v1.3 and SSL pinning.
  • Obfuscation: Employs AES-128 encryption and dynamically changes IP addresses via Google Public DNS and DNS over HTTPS (DoH) to evade detection.

Attack Vectors

SteelFox is propagated through malicious posts and torrents that advertise free activation tools for popular software. Upon execution, the dropper requests administrator privileges, which are later exploited to install a vulnerable driver (WinRing0.sys). This driver, susceptible to CVE-2020-14979 and CVE-2021-41285, allows the malware to escalate privileges to the SYSTEM level. With elevated privileges, SteelFox installs its components, including the information stealer and cryptominer, and establishes persistent communication with its command-and-control servers.
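As an added detection example (written for this page, not code from the advisory or the malware's authors), the following Python flags the two steps above in Sysmon-style records: a WinRing0 driver load from a user-writable path, and resolution of the C2 domain and address listed under the IoCs. Field names follow the Sysmon DriverLoad (Event ID 6) and DnsQuery (Event ID 22) schema; the WinRing0 filename pattern is an assumption and the sample records are constructed.

```python
"""Flag the SteelFox chain (vulnerable WinRing0 driver load, then C2
resolution) in Sysmon-style DriverLoad (ID 6) and DnsQuery (ID 22) records."""
import re

# Network indicators taken from the advisory's IoC section.
C2_DOMAINS = {"ankjdans.xyz"}
C2_IPS = {"205.185.115.5"}
# Assumption: the dropped driver may carry any WinRing0 build name.
VULN_DRIVER_RE = re.compile(r"winring0[^\\/]*\.sys$", re.IGNORECASE)

def check_driver_load(rec: dict) -> list[str]:
    """Reasons a DriverLoad record matches the BYOVD step described above."""
    path = rec.get("ImageLoaded", "")
    reasons = []
    if VULN_DRIVER_RE.search(path):
        reasons.append("known-vulnerable WinRing0 driver loaded")
    if rec.get("SignatureStatus", "").lower() != "valid":
        reasons.append("driver signature not valid")
    # WinRing0 is validly signed (that is why BYOVD works), so the drop
    # location (user profile or temp instead of System32) is the second tell.
    if not path.lower().startswith("c:\\windows\\system32\\drivers\\"):
        reasons.append("driver loaded from outside System32\\drivers")
    return reasons

def check_dns_query(rec: dict) -> list[str]:
    """Reasons a DnsQuery record touches the advisory's C2 indicators."""
    reasons = []
    if rec.get("QueryName", "").lower().rstrip(".") in C2_DOMAINS:
        reasons.append("query for known SteelFox C2 domain")
    # Sysmon lists results as "::ffff:1.2.3.4;" entries; normalise before matching.
    results = {r.replace("::ffff:", "").strip() for r in rec.get("QueryResults", "").split(";")}
    if results & C2_IPS:
        reasons.append("resolution to known SteelFox C2 address")
    return reasons

def scan(records: list[dict]) -> list[tuple[int, str]]:
    """Return (EventID, joined reasons) for every record that triggers a check."""
    checks = {6: check_driver_load, 22: check_dns_query}
    findings = []
    for rec in records:
        reasons = checks.get(rec.get("EventID"), lambda r: [])(rec)
        if reasons:
            findings.append((rec["EventID"], "; ".join(reasons)))
    return findings

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys", "SignatureStatus": "Valid"},
    {"EventID": 6, "ImageLoaded": r"C:\Users\bob\AppData\Local\Temp\WinRing0.sys", "SignatureStatus": "Valid"},
    {"EventID": 22, "QueryName": "ankjdans.xyz", "QueryResults": "::ffff:205.185.115.5;"},
    {"EventID": 22, "QueryName": "example.com", "QueryResults": "::ffff:93.184.216.34;"},
]
```

Running `scan(SAMPLE_EVENTS)` reports the Temp-path WinRing0 load and the C2 query while the legitimate tcpip.sys load and the example.com lookup stay silent.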


Known Indicators of Compromise (IoCs)

File Hashes

MD5


SHA-256

  • 8d9abb726799da54909ebd7a9c356b990fd68175945e6c05e64de18ca7d1d3d8
  • 3e52c0b97f67287c212e5bc779b0e7dd843fb0df2ef11b74e1891898d492782c
  • 9954fd4e914f2427c25ba0a4b3d305819a71d648b05fc94d108c0459795f077d
  • d625bc9ea13d56825bd3c63698743e329564ca384d51f24d417a7171df498992

SHA-1

  • 287e09c8ad36b93588e7eeb678a8d9e76c293cbb
  • ea651af34bfe2052668e37bcd3f60696ebaffa1c
  • 993d944aa84e851c48f960cf018e4abe18ec5cd9
  • f608cc545f3dbeed9822186e3ab11f7069543d1f

IP Addresses

  • 205.185.115[.]5

Domains

  • ankjdans[.]xyz

Malicious URLs

  • hxxps://github[.]com/DavidNguyen67/CrackJetbrains
  • hxxps://github[.]com/TrungGa123/Active-all-app-Jetbrains/
  • hxxps://www.cloudstaymoon[.]com/2024/05/06/tools-1
  • hxxps://squarecircle[.]ru/Intelij/jetbrains-activator.exe
  • hxxps://drive.google[.]com/file/d/1bhDBVMywFg2551oMmPO3_5VaeYnj7pe5/view?usp=sharing

Mitigation and Prevention

  • User Awareness: Educate users about the risks of downloading and using unauthorized software cracks.
  • Email Filtering: Implement robust email filtering to block phishing attempts that may distribute malware.
  • Antivirus Protection: Deploy reputable antivirus solutions capable of detecting and blocking SteelFox and similar threats.
  • Two-Factor Authentication (2FA): Enforce 2FA to add an extra layer of security to user accounts.
  • Monitor Logs: Regularly monitor system and network logs for unusual activities indicative of compromise.
  • Regular Updates: Keep operating systems, software, and drivers updated to patch known vulnerabilities.

Conclusion

SteelFox represents a sophisticated threat that leverages social engineering and technical exploits to compromise systems. By disguising itself as legitimate software activators, it entices users into executing malicious code that steals sensitive information and misuses system resources for cryptocurrency mining. Organizations and individuals must exercise caution when downloading software, ensure systems are up-to-date, and employ comprehensive security measures to defend against such multifaceted threats.
