
‘SteelFox’ Miner and Information Stealer Bundle Emerges

Impersonating legitimate software such as Foxit PDF Editor and AutoCAD, the SteelFox crimeware bundle steals user information.

A recently identified crimeware bundle is impersonating legitimate software such as Foxit PDF Editor and AutoCAD to steal its victims’ information.

Dubbed SteelFox and distributed via forum posts, torrents, and blogs, the threat has been active since early 2023, but came into the spotlight only recently, when Kaspersky identified a “massive infection” consisting of a cryptocurrency miner and information-stealing malware.

The infostealer has remained unchanged since last year, but its developers have updated its dependencies to improve its detection evasion.

The identified SteelFox infections start with droppers posing as cracks for Foxit PDF Editor, JetBrains, and AutoCAD, which deliver the expected functionality in addition to malware.

During the installation process, the Foxit crack requests administrator privileges to install itself in Foxit’s installation directory, but later uses those privileges for malicious purposes.

The next stage is a loader that creates a service and registers it to start automatically at boot, for persistence. It specifically checks whether it has been started as a service and, if not, throws an exception and terminates its process.

Before executing the final payload, it launches the AppInfo service and injects the loader into it, thus preventing users from terminating its process, as NT\SYSTEM privileges would be required for that.

The execution chain also involves creating a service with an old version of the WinRing0.sys driver running inside it. The driver is vulnerable to CVE-2020-14979 and CVE-2021-41285, which are exploited to elevate privileges to NT\SYSTEM.


“This driver is also a component of the XMRig miner, so it is utilized for mining purposes. The communication with the driver is performed in a separate thread,” Kaspersky explains.
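The execution chain described above leaves two service-installation traces a defender can look for: a kernel-mode driver service loading WinRing0.sys, and an auto-start service installed from a cracked application’s install directory. The following detection example is added here and is not code from the article or from Kaspersky; the key=value event format and the log lines are constructed samples of Windows System log Event ID 7045 (“a service was installed”), and the install-directory rule is a heuristic that needs analyst review.

```python
"""Flag Event ID 7045 (new service installed) records that match the SteelFox
execution chain. Added example; log lines and export format are constructed."""
import re
from typing import Dict, List

# Constructed sample events in an assumed flattened key=value export format.
SAMPLE_EVENTS = [
    'EventID=7045 ServiceName="WinRing0_1_2_0" ImagePath="C:\\Users\\Public\\WinRing0.sys" '
    'ServiceType="kernel mode driver" StartType="demand start"',
    'EventID=7045 ServiceName="FoxitUpdateSvc" ImagePath="C:\\Program Files\\Foxit Software\\'
    'Foxit PDF Editor\\updater.exe" ServiceType="user mode service" StartType="auto start"',
    'EventID=7045 ServiceName="Spooler" ImagePath="C:\\Windows\\System32\\spoolsv.exe" '
    'ServiceType="user mode service" StartType="auto start"',
    'EventID=7036 ServiceName="WinRing0_1_2_0" State="running"',
]

# WinRing0.sys (any variant name) used as a kernel driver image.
VULN_DRIVER_RE = re.compile(r"winring0[^\\]*\.sys$", re.IGNORECASE)
# Install directories of the software the droppers impersonate (heuristic).
CRACK_DIR_RE = re.compile(r"\\(foxit software|autodesk|jetbrains)\\", re.IGNORECASE)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line: str) -> Dict[str, str]:
    """Parse one key=value line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def classify(event: Dict[str, str]) -> List[str]:
    """Return detection reasons for one parsed event (empty list if benign)."""
    reasons: List[str] = []
    if event.get("EventID") != "7045":
        return reasons
    image = event.get("ImagePath", "")
    if "kernel" in event.get("ServiceType", "").lower() and VULN_DRIVER_RE.search(image):
        reasons.append("kernel driver service loads WinRing0.sys (CVE-2020-14979 / CVE-2021-41285)")
    if "auto" in event.get("StartType", "").lower() and CRACK_DIR_RE.search(image):
        reasons.append("auto-start service installed from an impersonated application directory")
    return reasons


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Run classify() over raw lines and collect the hits with their reasons."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        reasons = classify(ev)
        if reasons:
            hits.append({"service": ev.get("ServiceName", ""),
                         "image": ev.get("ImagePath", ""),
                         "reasons": "; ".join(reasons)})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"[ALERT] {hit['service']}: {hit['reasons']} ({hit['image']})")
```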

The SteelFox information stealer can extract browser data, including history, cookies, search history, location, and card data, along with data such as installed software, SIM card information, system information, usernames, RDP session information, and more.

The harvested information is then combined in a large JSON file and sent to the command-and-control (C&C) server.

SteelFox attacks, Kaspersky says, appear opportunistic, with anyone stumbling upon the compromised software getting infected. Victims have been identified in Algeria, Brazil, China, Egypt, India, Mexico, Russia, Sri Lanka, UAE, and Vietnam.

“SteelFox does not target any particular organizations or people. Instead, it acts on a mass scale, extracting every bit of data that can be processed later. To ensure protection from threats like this, install applications from official sources and use a reliable security solution that prevents downloading infected software,” Kaspersky notes.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
