SteelFox Seen Using "Bring Your Own Vulnerable Driver" Tactics
Written by Karolis Liucveikis on (updated)
According to a new report by security firm Kaspersky, researchers discovered a new crimeware bundle being distributed via forum posts, torrent trackers, and blogs, imitating popular software like Foxit PDF Editor and AutoCAD. The malware itself is capable of extracting the victim's credit card data and details about the infected device, and it also deploys a cryptocurrency miner.
The initial discovery of the attack campaign was made in August 2024. However, evidence suggests the campaign might have started as early as February 2023. Researchers noted that over this time period, the malware's info stealer module has not evolved significantly but rather has been changed incrementally to assist in avoiding detection.
Including an info stealer in the crimeware bundle, namely malware that facilitates both financial and cyber crimes, is in line with a current uptick in threat actors relying more and more on info stealers.
The initial infection vector consists of SteelFox threat actors advertising cracked legitimate software applications or keys to allow unrestricted access to popular applications on various forums and torrent trackers. These posts refer to the SteelFox dropper as an efficient way to activate a legitimate software product for free.
Researchers have seen the dropper pretend to be a crack for Foxit PDF Editor, JetBrains IDE, and AutoCAD. While these droppers have the advertised functionality, helping ensure the victim believes nothing is wrong other than pirating software, they also deliver sophisticated malware onto the victim's computer.
The dropper component of the malware is interesting for several reasons; most important, though, is how it achieves privileged access to the victim's machine. Foxit's installation directory resides in the "Program Files" folder. FoxitCrack asks for administrator access, which will be used for malicious purposes later.
The execution chain looks legitimate until the files are unpacked. A malicious function is inserted ahead of a legitimate one, evading detection by traditional security software; this inserted function is what drops the malicious code onto the target user's system.
Commenting on the dropper further, researchers stated,
In later versions of the dropper, the actor implemented the same algorithm but used the AES-NI instruction-set extension. Since they operate with 16-byte blocks, it implies that the requirement for the payload size alignment remains in place…After that, the embedded payload, which is, in fact, a PE64 executable, is modified to avoid detection. Linking timestamps are overwritten with a random date in the range between May and December 2022, along with the linker version. Random junk data is also inserted into the .rdata section to avoid hash detection. This is accomplished with an embedded PE parser.
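The quoted passage says the dropper rewrites the payload's link timestamp (to a random date between May and December 2022) and its linker version, and pads .rdata so that hashes differ per sample. The following Python is an added example, not Kaspersky's or the malware's code: it parses the two header fields the report names from a PE image and applies two defender-side triage checks, a timestamp-window flag and a consistency check across copies of what is advertised as the same program. The PE header fixture is constructed in `build_sample_pe` and is only a header, not a sample from the campaign; the window boundaries are taken from the quote above.

```python
import struct
from datetime import datetime, timezone

# Link-timestamp window the report attributes to forged SteelFox payloads.
FORGED_WINDOW = (datetime(2022, 5, 1, tzinfo=timezone.utc),
                 datetime(2023, 1, 1, tzinfo=timezone.utc))


def build_sample_pe(timestamp: int, linker_major: int, linker_minor: int) -> bytes:
    """Constructed minimal PE32+ header: DOS header, PE signature, COFF header
    and the first bytes of the optional header. Test fixture only."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH",
                       0x8664,      # Machine: x86-64
                       2,           # NumberOfSections
                       timestamp,   # TimeDateStamp, seconds since the Unix epoch
                       0, 0,        # PointerToSymbolTable, NumberOfSymbols
                       240,         # SizeOfOptionalHeader for PE32+
                       0x22)        # EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE
    opt = struct.pack("<HBB", 0x20B, linker_major, linker_minor)  # Magic, linker version
    opt += b"\x00" * (240 - len(opt))
    return dos + b"PE\x00\x00" + coff + opt


def parse_pe_header(data: bytes) -> dict:
    """Read the COFF TimeDateStamp and the optional header's linker version."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    coff_off = e_lfanew + 4
    machine, nsections, ts, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff_off)
    if opt_size == 0:
        raise ValueError("no optional header (object file, not an image)")
    magic, lmaj, lmin = struct.unpack_from("<HBB", data, coff_off + 20)
    return {"machine": machine, "sections": nsections, "timestamp": ts,
            "pe32plus": magic == 0x20B, "linker": (lmaj, lmin)}


def triage(data: bytes) -> list[str]:
    """Header-only heuristics; a hit is a reason to look closer, not a verdict."""
    hdr = parse_pe_header(data)
    findings = []
    ts = datetime.fromtimestamp(hdr["timestamp"], tz=timezone.utc)
    if FORGED_WINDOW[0] <= ts < FORGED_WINDOW[1]:
        findings.append("link timestamp %s is inside the May-Dec 2022 window "
                        "the report associates with forged payloads" % ts.date())
    if hdr["timestamp"] == 0:
        findings.append("zero link timestamp")
    return findings


def compare_builds(samples: list[bytes]) -> list[str]:
    """Copies of one advertised product should share build metadata; values
    that differ from copy to copy are consistent with per-sample forging."""
    seen = {(h["timestamp"], h["linker"]) for h in map(parse_pe_header, samples)}
    if len(seen) > 1:
        return ["%d distinct (timestamp, linker) pairs across %d copies: %s"
                % (len(seen), len(samples), sorted(seen))]
    return []


if __name__ == "__main__":
    sample = build_sample_pe(1660000000, 14, 29)   # 2022-08-08, constructed
    print(parse_pe_header(sample))
    print(triage(sample))
    print(compare_builds([sample, build_sample_pe(1670000000, 14, 0)]))
```

The timestamp window alone will match plenty of legitimate software built in late 2022, so it is only useful in combination with the other signals the report describes (an elevated "crack" process, a driver service being created). The cross-copy comparison is stronger: two downloads of the same advertised product whose build metadata disagree are not the same build, whatever their hashes say.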
Once the dropper is initialized, the loader's infection chain begins. The loader performs several checks, and if those are passed, it proceeds to decrypt its payload and create shellcode.
Then, the malware registers a dispatcher with a function responsible for decryption and injection. It controls the state of the service and handles the service restart and shutdown signals. Before the malware payload is delivered, the target DLL is loaded via malicious shellcode; like the dropper, it is encrypted with AES-128.
Malware Payload
The malware payload is delivered in the final stage of the infection chain. On this point, researchers stated,
At the beginning, this stage (DLL) creates a mutex with a randomly generated name because its network communication heavily relies on multithreading and asynchronous network I/O. After that, it performs an important task: creating a service with a WinRing0.sys driver running inside. This service is accompanied by a pipe named \\.\WinRing0_1_2_0 which allows the process to communicate with the driver. This is quite an old driver, vulnerable to CVE-2020-14979 and CVE-2021-41285, and allowing the actor to elevate privileges to NT\SYSTEM as soon as the direct unchecked communication with the driver is allowed, and the attacker controls input forwarded to the driver. This driver is also a component of the XMRig miner, so it is utilized for mining purposes. The communication with the driver is performed in a separate thread.
This tactic, known as "Bring Your Own Vulnerable Driver" (BYOVD), has been used effectively by ransomware gangs and other financially motivated threat actors. Successfully loading the vulnerable driver in turn enables dropping the ever-popular crypto miner, XMRig, and the info stealer.
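The two observable artifacts the quoted passage gives a defender are the WinRing0.sys driver being loaded as a service and a user-mode process opening the \\.\WinRing0_1_2_0 pipe to talk to it. The Python below is an added detection example, not part of the report or of any product; it runs over constructed telemetry written in a simplified key=value form (not real Sysmon output) and correlates the two events per host. Host names, paths and the Foxit-named process are made up; the driver file name and the pipe name are the ones cited above.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample telemetry. EventID 6 stands in for a driver-load record and
# EventID 17 for a named-pipe creation record; everything except the WinRing0
# driver and pipe names is invented for the example.
CONSTRUCTED_LOG = r'''
host=WS-01 EventID=6 ImageLoaded="C:\Windows\System32\drivers\tcpip.sys" Signed=true
host=WS-01 EventID=6 ImageLoaded="C:\Program Files\Foxit Software\WinRing0.sys" Signed=true
host=WS-01 EventID=17 PipeName="\\.\WinRing0_1_2_0" Image="C:\Program Files\Foxit Software\FoxitPDFEditor.exe"
host=WS-02 EventID=6 ImageLoaded="C:\Windows\System32\drivers\tcpip.sys" Signed=true
host=WS-03 EventID=17 PipeName="\\.\pipe\spoolss" Image="C:\Windows\System32\spoolsv.exe"
'''

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line: str) -> dict:
    """key=value fields; quoted values may contain spaces."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def is_winring0_driver(path: str) -> bool:
    # Match on the file name only: the loader can drop the driver anywhere.
    name = PureWindowsPath(path).name.lower()
    return name.startswith("winring0") and name.endswith(".sys")


def detect(log_text: str) -> dict[str, list[str]]:
    """Return, per host, the WinRing0-related findings in the log."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        host = ev.get("host", "?")
        eid = ev.get("EventID")
        if eid == "6" and is_winring0_driver(ev.get("ImageLoaded", "")):
            findings[host].append("driver_load:" + ev["ImageLoaded"])
        elif eid == "17" and "winring0" in ev.get("PipeName", "").lower():
            findings[host].append("driver_pipe:" + ev.get("Image", "?"))
    return dict(findings)


def severity(host_findings: list[str]) -> str:
    kinds = {f.split(":", 1)[0] for f in host_findings}
    if {"driver_load", "driver_pipe"} <= kinds:
        return "high"      # driver is loaded and a user-mode process is talking to it
    if kinds:
        return "medium"    # one half of the pattern; worth a look, may be a monitoring tool
    return "none"


if __name__ == "__main__":
    for host, found in detect(CONSTRUCTED_LOG).items():
        print(host, severity(found), found)
```

A valid signature on the driver is not a clean bill of health: the report notes the same driver ships with XMRig, and it is also bundled with legitimate hardware-monitoring tools, so the pipe-plus-loader correlation and the identity of the process opening the pipe carry more weight than the signature. On the prevention side, HVCI with Microsoft's recommended driver block rules stops known-vulnerable drivers from loading at all, which removes the privilege-escalation step this campaign depends on.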
The latter can collect an extensive list of end users' parameters. It enumerates browsers on the victim's device and then compares them against the following list of browsers:
- Chrome
- Opera
- Opera GX
- Brave
- Firefox
- Yandex
- Wave
- AVG
- Avast
- Vivaldi
- Dragon
- Chedot
- Cốc Cốc
Primary data targets for the stealer include cookies, credit card data, browsing history, and the list of places visited if the victim uses Firefox. Data is then combined into one large JSON that is sent to the threat actor's command-and-control server.
The threat actors have seemingly global ambitions as victims have been located in Brazil, China, Russia, Mexico, UAE, Egypt, Algeria, Vietnam, India, and Sri Lanka. The malware's developers are also skilled, as researchers concluded,
SteelFox has emerged recently, and it is a full-featured crimeware bundle. It is capable of stealing various user data that might be of interest to the actors behind this campaign. Highly sophisticated usage of modern C++ combined with external libraries grants this malware formidable power. Usage of TLSv1.3 and SSL pinning ensures secure communication and harvesting of sensitive data.