A brand new malicious bundle referred to as ‘SteelFox’ mines for cryptocurrency and steals bank card knowledge by utilizing the “bring your own vulnerable driver” method to get SYSTEM privileges on Home windows machines.
The malware bundle dropper is distributed by boards and torrent trackers as a crack software that prompts reputable variations of assorted software program like Foxit PDF Editor, JetBrains and AutoCAD.
Utilizing a weak driver for privilege escalation is widespread for state-sponsored menace actors and ransomware teams. Nevertheless, the method now seems to increase to info-stealing malware assaults.
Kaspersky researchers found the SteelFox marketing campaign in August however say that the malware has been round since February 2023 and elevated distribution currently utilizing a number of channels (e.g. torrents, blogs, and posts on boards).
In line with the corporate, its merchandise detected and blocked SteelFox assaults 11,000 instances.
SteelFox an infection and privilege escalation
Kaspersky reviews that malicious posts selling the SteelFox malware dropper include full directions on the way to illegally activate the software program. Beneath is a pattern of such a publish offering instructions on the way to activate JetBrains:
The researchers say that whereas the dropper does have the marketed performance, customers additionally infect their programs with malware.
Because the software program focused for unlawful activation is usually put in within the Program Information, including the crack requires administrator entry, a permission that the malware makes use of later within the assault.
Kaspersky researchers say that “the execution chain looks legitimate until the moment the files are unpacked.” They clarify {that a} malicious perform is added throughout the course of, which drops on the machine code that masses SteelFox.
Having secured admin rights, SteelFox creates a service that runs WinRing0.sys inside, a driver weak to CVE-2020-14979 and CVE-2021-41285, which might be exploited to acquire privilege escalation to NT/SYSTEM degree.
Such permissions are the very best on an area system, extra highly effective than an administrator’s, and permit unrestricted entry to any useful resource and course of.
The WinRing0.sys driver can also be used for cryptocurrency mining, as it’s a part of the XMRig program for mining Monero cryptocurrency. Kaspersky researchers say that the menace actor makes use of a modified model of the miner executable that connects to a mining pool with hardcoded credentials.
The malware then establishes a reference to its command-and-control (C2) server utilizing SSL pinning and TLS v1.3, which protects the communication from being intercepted.
It additionally prompts the info-stealer part that extracts knowledge from 13 internet browsers, details about the system, community, and RDP connection.
The researchers notice that SteelFox collects from the browsers knowledge like bank cards, looking historical past, and cookies.
Kaspersky says that though the C2 area SteelFox makes use of is hardcoded, the menace actor manages to cover it by switching its IP addresses and resolving them by Google Public DNS and DNS over HTTPS (DoH).
SteelFox assaults shouldn’t have particular targets however seem to give attention to customers of AutoCAD, JetBrains, and Foxit PDF Editor. Primarily based on Kaspersky’s visibility, the malware compromises programs in Brazil, China, Russia, Mexico, UAE, Egypt, Algeria, Vietnam, India, and Sri Lanka.
Though SteelFox is pretty new, “it is a full-featured crimeware bundle,” the researchers say. Evaluation of the malware signifies that it is developer is expert in C++ programming and so they managed to create formidable malware by integrating exterior libraries.