A recently identified crimeware bundle is being distributed as cracks for legitimate software such as Foxit PDF Editor and AutoCAD in order to steal its victims' information.
Dubbed SteelFox and spread via forum posts, torrents, and blogs, the threat has been active since early 2023 but drew attention only recently, when Kaspersky identified a "massive infection" combining a cryptocurrency miner with information-stealing malware.
The infostealer component has remained unchanged since last year, but its developers have updated its dependencies to improve its detection evasion.
The identified SteelFox infections start with droppers posing as cracks for Foxit PDF Editor, JetBrains products, and AutoCAD; the droppers deliver the expected cracked functionality alongside the malware.
During installation, the Foxit crack requests administrator privileges, ostensibly because writing into Foxit's installation directory requires them, and later abuses those privileges for its malicious components.
The next stage is a loader that creates a service registered to start automatically at boot, giving the malware persistence. The loader checks whether it was started as a service and, if not, throws an exception and terminates its own process, so it will not run when simply launched as a normal executable.
Before executing the final payload, the loader starts the AppInfo service and injects itself into it. Because AppInfo runs as NT\SYSTEM, an ordinary user cannot terminate the injected process: NT\SYSTEM privileges would be required to kill it.
The execution chain also creates a service that loads an old version of the WinRing0.sys driver, a bring-your-own-vulnerable-driver (BYOVD) step. That driver version is vulnerable to CVE-2020-14979 and CVE-2021-41285, which the malware exploits to elevate privileges to NT\SYSTEM.
“This driver is also a component of the XMRig miner, so it is utilized for mining purposes. The communication with the driver is performed in a separate thread,” Kaspersky explains.
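The chain described above (an auto-start service for the loader plus a second service that loads the old WinRing0.sys driver) leaves a footprint in the Windows System log as Event ID 7045 ("A service was installed in the system"). The following Python is an added detection example, not code from Kaspersky's report or from SteelFox; it runs over constructed 7045 records (the service names and image paths are invented for the example) and flags three things: a kernel driver whose file name is WinRing0, any kernel driver installed from outside System32\drivers, and an auto-start LocalSystem service running from a user-writable directory.

```python
"""
Hunt for the service-based persistence described above in Windows System
log Event ID 7045 records ("A service was installed in the system").

Added example: not code from Kaspersky's report or from SteelFox. The
records below are constructed for the example (service names and paths
are invented); the field labels mirror the 7045 event's message fields.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: 7045 records flattened to one line each, as a SIEM
# export or `wevtutil qe System /q:"*[System[EventID=7045]]" /f:text` might show them.
SAMPLE_7045 = [
    "Service Name: WinRing0_1_2_0 | Service File Name: C:\\Users\\Public\\WinRing0x64.sys"
    " | Service Type: kernel mode driver | Service Start Type: auto start | Service Account: ",
    "Service Name: Foxit Update Service | Service File Name: \"C:\\Program Files\\Foxit Software\\FoxitUpdater.exe\""
    " | Service Type: user mode service | Service Start Type: auto start | Service Account: LocalSystem",
    "Service Name: UpdateSvc | Service File Name: C:\\ProgramData\\Foxit\\loader.exe"
    " | Service Type: user mode service | Service Start Type: auto start | Service Account: LocalSystem",
    "Service Name: vmci | Service File Name: \\SystemRoot\\System32\\drivers\\vmci.sys"
    " | Service Type: kernel mode driver | Service Start Type: demand start | Service Account: ",
]

# File names WinRing0 ships under (the 64-bit build is what XMRig bundles);
# this driver is the one abused for CVE-2020-14979 / CVE-2021-41285.
KNOWN_VULNERABLE_DRIVERS = {"winring0.sys", "winring0x64.sys"}

# Directory fragments an unprivileged user can normally write to.
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\", "\\appdata\\")

FIELD_RE = re.compile(
    r"(Service Name|Service File Name|Service Type|Service Start Type|Service Account): ?([^|]*)"
)


@dataclass
class ServiceInstall:
    name: str
    image_path: str
    service_type: str
    start_type: str
    account: str


def parse_7045(line: str) -> ServiceInstall:
    """Split one flattened 7045 record into its labelled fields."""
    fields = {key: value.strip() for key, value in FIELD_RE.findall(line)}
    return ServiceInstall(
        name=fields.get("Service Name", ""),
        image_path=fields.get("Service File Name", "").strip('"'),
        service_type=fields.get("Service Type", "").lower(),
        start_type=fields.get("Service Start Type", "").lower(),
        account=fields.get("Service Account", ""),
    )


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def in_driver_store(path: str) -> bool:
    """True for drivers under System32\\drivers, whether recorded as an absolute
    path or relative to \\SystemRoot."""
    return "system32\\drivers\\" in path.lower().replace("/", "\\")


def assess(svc: ServiceInstall) -> list[str]:
    """Return the hunting findings that apply to one installed service."""
    findings: list[str] = []
    is_driver = "kernel" in svc.service_type
    if is_driver and basename(svc.image_path) in KNOWN_VULNERABLE_DRIVERS:
        findings.append("known-vulnerable WinRing0 driver loaded as a service (BYOVD)")
    if is_driver and not in_driver_store(svc.image_path):
        findings.append("kernel driver installed from outside System32\\drivers")
    if (not is_driver and svc.start_type.startswith("auto")
            and svc.account.lower() == "localsystem"
            and any(frag in svc.image_path.lower() for frag in USER_WRITABLE)):
        findings.append("auto-start LocalSystem service running from a user-writable path")
    return findings


def hunt(records: list[str]) -> dict[str, list[str]]:
    """Map each suspicious service name to its findings; clean services are omitted."""
    report: dict[str, list[str]] = {}
    for line in records:
        svc = parse_7045(line)
        findings = assess(svc)
        if findings:
            report[svc.name] = findings
    return report


if __name__ == "__main__":
    for name, findings in hunt(SAMPLE_7045).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

On a live host the same records come from `Get-WinEvent -FilterHashtable @{LogName='System'; Id=7045}`; the driver-path rule is deliberately broad, because a kernel driver starting from a user-writable directory is worth a look regardless of its name, while the WinRing0 rule catches the specific driver this chain loads even when it is placed somewhere plausible.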
The SteelFox information stealer harvests browser data (browsing history, cookies, search history, location, and payment card data) along with installed software, SIM card information, system information, usernames, RDP session information, and more.
The harvested information is combined into a single large JSON document and sent to the command-and-control (C&C) server.
SteelFox attacks, Kaspersky says, appear opportunistic: anyone who stumbles upon the trojanized software gets infected. Victims have been identified in Algeria, Brazil, China, Egypt, India, Mexico, Russia, Sri Lanka, UAE, and Vietnam.
“SteelFox does not target any particular organizations or people. Instead, it acts on a mass scale, extracting every bit of data that can be processed later. To ensure protection from threats like this, install applications from official sources and use a reliable security solution that prevents downloading infected software,” Kaspersky notes.