SteelFox Malware
A newly discovered malware package known as SteelFox targets Windows systems to mine cryptocurrency and harvest credit card information. The malware uses a technique called 'bring your own vulnerable driver' (BYOVD) to escalate privileges to the SYSTEM level, allowing it to bypass security measures.
The malware is primarily spread through forums and torrent sites, where it masquerades as a crack tool that activates legitimate software such as Foxit PDF Editor, JetBrains products and AutoCAD. Using vulnerable drivers for privilege escalation is a tactic commonly associated with state-sponsored threat actors and ransomware groups, but it now appears to have been adopted by information-stealing malware campaigns as well.
Researchers first identified the SteelFox operation in August, though they noted that the malware has been active since February 2023. Its distribution has been ramping up in recent months through various channels, including torrents, blogs, and forum posts.
SteelFox Infection and Privilege Escalation
Reports indicate that posts promoting the SteelFox malware dropper often include detailed instructions on how to activate software illegally. For instance, one such post offers step-by-step guidance on how to activate JetBrains. While the dropper does perform the advertised function of activating the software, users inadvertently infect their systems with malware in the process.
Since the targeted software is typically installed under Program Files, applying the crack requires administrator-level access, which the malware leverages during its attack. Researchers note that the installation process appears legitimate up until the point where the files are unpacked. At that stage, an unsafe function is introduced, which then drops the code responsible for loading SteelFox onto the system.
Exploiting Vulnerable Drivers
Once SteelFox gains administrative privileges, it installs a service that runs WinRing0.sys, a vulnerable driver affected by CVE-2020-14979 and CVE-2021-41285. These vulnerabilities allow the malware to escalate privileges to the SYSTEM level (NT AUTHORITY\SYSTEM), granting it the highest level of access to the system, beyond what administrator rights provide. This level of access enables the malware to manipulate any system resource or process freely.
In addition to privilege escalation, the WinRing0.sys driver is used in cryptocurrency mining. It is part of the XMRig miner, which mines Monero. The attacker deploys a modified version of this miner, configured to connect to a mining pool with hardcoded credentials.
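As an added defender-side check (not code from the article or the researchers it cites), the following PowerShell enumerates kernel-mode driver services and driver files that reference WinRing0, the vulnerable driver the article says SteelFox loads through a service it installs; the name pattern and the on-disk search paths are assumptions.

```powershell
# Added example, not code from the article: look for a WinRing0 driver service and
# driver file, since the article says SteelFox installs a service that loads WinRing0.sys.
# Run from an elevated PowerShell session. The name pattern and search paths are assumptions.
$pattern = 'WinRing0'

# 1. Kernel-mode driver services whose name, display name or image path mention WinRing0.
$driverHits = Get-CimInstance -ClassName Win32_SystemDriver | Where-Object {
    $_.Name -match $pattern -or
    $_.DisplayName -match $pattern -or
    ($null -ne $_.PathName -and $_.PathName -match $pattern)
}

foreach ($svc in $driverHits) {
    [PSCustomObject]@{
        Finding   = 'DriverService'
        Name      = $svc.Name
        State     = $svc.State
        StartMode = $svc.StartMode
        Path      = $svc.PathName
    }
}

# 2. Driver files on disk, including ones left behind after a service was removed.
$searchRoots = @("$env:SystemRoot\System32\drivers", $env:ProgramData, $env:TEMP)
$fileHits = Get-ChildItem -Path $searchRoots -Recurse -Include "$pattern*.sys" -File -ErrorAction SilentlyContinue

foreach ($f in $fileHits) {
    [PSCustomObject]@{
        Finding       = 'DriverFile'
        Path          = $f.FullName
        LastWriteTime = $f.LastWriteTime
        # Hash for comparison against vendor indicators; none are quoted in the article.
        SHA256        = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
    }
}

if (-not $driverHits -and -not $fileHits) {
    Write-Output "No WinRing0 driver service or file found."
}
```

A hit is a lead rather than proof: some legitimate hardware-monitoring utilities ship the same driver, so review the service's owner, the file's signer and its hash before acting.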
The malware also establishes a secure connection with its Command-and-Control (C2) server using SSL pinning and TLS v1.3, ensuring that communications are encrypted and shielded from interception. Additionally, it activates an info-stealer component that collects data from thirteen Web browsers, system information, network details and any RDP (Remote Desktop Protocol) connections. SteelFox can harvest data, including credit cards, browsing history, and cookies.
SteelFox Infects Victims from Numerous Countries
Although the C2 domain used by SteelFox is hardcoded, the attacker conceals the infrastructure by frequently changing its IP addresses, which the malware resolves through Google Public DNS and DNS over HTTPS (DoH). SteelFox attacks do not target specific individuals but seem to primarily affect users of AutoCAD, JetBrains products and Foxit PDF Editor. The malware has been observed compromising systems in countries such as Brazil, China, Russia, Mexico, UAE, Egypt, Algeria, Vietnam, India and Sri Lanka.
Despite being relatively new, SteelFox is a comprehensive crimeware package. Malware analysis suggests that its developer is proficient in C++ programming and has incorporated external libraries to craft a highly effective piece of malware.