Hackers primarily target Windows systems because of their significant market share: over 80% of desktop operating systems run Windows.
Not only that: nearly 50% of hackers compromise Windows systems more than any other OS.
Kaspersky researchers recently detected a new malware family dubbed “SteelFox,” which has infected more than 11,000 Windows systems while posing as software activators.
SteelFox is sophisticated malware first spotted in August 2024. It is distributed through numerous forums, torrent trackers, and blogs as a crack or activator for well-known software applications such as Foxit PDF Editor or AutoCAD.
The malware uses a sophisticated execution chain, including shellcode techniques, to infect target systems. After installation, SteelFox uses Windows services and drivers to persist and escalate privileges.
The first stage infection vector employs a dropper executable that claims to be a legitimate crack for software but, in reality, downloads a malicious payload and executes it on the system.
A special procedure is used to run it as a Windows service, which lets it operate with SYSTEM privileges.
Credential and credit card data theft are core SteelFox functionalities; its stealer module harvests credit card information from the device, according to Kaspersky’s report.
The malware communicates with the C2 server over TLSv1.3 with SSL pinning, is built with the Boost.Asio library, and uses rapidly changing IP addresses and shifting domains to evade detection.
Furthermore, the infection can gain higher privileges on the compromised system through a vulnerable driver.
Kaspersky’s security products detect this threat as HEUR:Trojan.Win64.SteelFox.gen and Trojan.Win64.SteelFox.*.
The SteelFox malware operates in multiple stages. First, it creates a randomly named mutex to enable its multi-threaded network communication.
It then installs a service with a vulnerable WinRing0.sys driver, which allows the malware to communicate with and elevate privileges on the infected system. This outdated driver is known to have security vulnerabilities that SteelFox exploits.
Next, SteelFox resolves a hardcoded C2 domain using Google’s DNS over HTTPS to hide the domain resolution and then connects to the C2 server using a TLS 1.3 connection secured with SSL pinning.
After establishing the link, the malware’s stealer module extracts a large volume of sensitive data from the user, including browser cookies, credit cards, browsing history, installed applications, operating system details, network parameters, and more.
This information is sent to the attacker’s command-and-control server as a large JSON payload.
SteelFox operates indiscriminately, infecting the browsers of users who try to run fake AutoCAD, JetBrains, Foxit, or similar programs.
No detailed conclusions have been drawn, and no clear attribution has been made for this particular campaign.
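Two of the behaviours in the chain above are visible in ordinary Windows telemetry: the service install that loads WinRing0.sys (System log Event ID 7045) and DNS-over-HTTPS traffic to Google’s resolver from a process that has no business using one. The script below is an added detection example, not Kaspersky’s code; it uses Sysmon-style field names, a hypothetical browser allowlist, and constructed log records rather than real indicators.

```python
from typing import Dict, Iterable, List

# WinRing0.sys is the driver named in the report; WinRing0x64.sys is its known 64-bit build.
VULNERABLE_DRIVERS = {"winring0.sys", "winring0x64.sys"}
# Assumed allowlist: processes permitted to talk DoH to dns.google in this environment.
DOH_ALLOWED_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe"}
DOH_RESOLVER_HOSTS = {"dns.google"}


def basename(path: str) -> str:
    """File name from a Windows path, tolerating quotes and the \\??\\ NT prefix."""
    return path.strip('"').replace("\\", "/").rsplit("/", 1)[-1].lower()


def flag_driver_services(events: Iterable[Dict[str, str]]) -> List[str]:
    """Flag Event ID 7045 (service installed) records whose image is a vulnerable driver."""
    hits = []
    for ev in events:
        if ev.get("EventID") != "7045":
            continue  # only new service installs matter here
        if basename(ev.get("ImagePath", "")) in VULNERABLE_DRIVERS:
            hits.append(f"7045 service '{ev['ServiceName']}' loads {ev['ImagePath']}")
    return hits


def flag_unexpected_doh(flows: Iterable[Dict[str, str]]) -> List[str]:
    """Flag TCP/443 connections to a public DoH resolver from non-allowlisted processes."""
    hits = []
    for fl in flows:
        proc = basename(fl.get("Image", ""))
        if (fl.get("DestinationHostname", "").lower() in DOH_RESOLVER_HOSTS
                and fl.get("DestinationPort") == "443"
                and proc not in DOH_ALLOWED_PROCESSES):
            hits.append(f"DoH to {fl['DestinationHostname']} from {proc} (PID {fl.get('ProcessId')})")
    return hits


# Constructed sample telemetry; service and file names here are not real IoCs.
SAMPLE_EVENTS = [
    {"EventID": "7045", "ServiceName": "Spooler", "ImagePath": r"C:\Windows\System32\spoolsv.exe"},
    {"EventID": "7045", "ServiceName": "hwinfo_helper",
     "ImagePath": r"\??\C:\Users\user\AppData\Local\Temp\WinRing0x64.sys"},
    {"EventID": "7036", "ServiceName": "hwinfo_helper", "ImagePath": ""},
]
SAMPLE_FLOWS = [
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "ProcessId": "4120",
     "DestinationHostname": "dns.google", "DestinationPort": "443"},
    {"Image": r"C:\Users\user\AppData\Local\Temp\activator.exe", "ProcessId": "7788",
     "DestinationHostname": "dns.google", "DestinationPort": "443"},
]

if __name__ == "__main__":
    for finding in flag_driver_services(SAMPLE_EVENTS) + flag_unexpected_doh(SAMPLE_FLOWS):
        print("ALERT:", finding)
```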