New SteelFox Trojan mimics software activators, stealing sensitive data and mining cryptocurrency

Introduction


In August 2024, our team identified a new crimeware bundle, which we named “SteelFox”. Delivered via sophisticated execution chains that include shellcoding, this threat abuses Windows services and drivers. It spreads via forum posts, torrent trackers and blogs, imitating popular software such as Foxit PDF Editor and AutoCAD. It also uses stealer malware to extract the victim’s credit card data as well as details about the infected device.


This report in a nutshell:


SteelFox is distributed via forum posts and malicious torrents.
It communicates with its C2 via SSL pinning and TLSv1.3. It utilizes a domain with a dynamically changing IP, and its network code is implemented using the Boost.Asio library.
SteelFox can elevate its privileges through exploitation of a vulnerable driver.

Kaspersky’s products detect this threat as HEUR:Trojan.Win64.SteelFox.gen, Trojan.Win64.SteelFox.*.

Technical Details


Background


In August 2024, we stumbled upon a massive infection caused by a previously unknown bundle consisting of miner and stealer malware. During our investigation, we found out that the campaign started in February 2023. Although the stealer has not evolved significantly since then, it is being gradually modified to avoid detection: no functional changes are added, but the author keeps updating all the required dependencies.


Infection timeline


Initial infection


Our investigation established that SteelFox’s initial attack vector consists of various posts on forums and torrent trackers. These posts present the SteelFox dropper as an efficient way to activate a legitimate software product for free. We’ve seen the dropper pretend to be a crack for Foxit PDF Editor, JetBrains and AutoCAD. While these ..