
SteelFox Seen Using "Bring Your Own Vulnerable Driver" Tactics

According to a new report by security firm Kaspersky, researchers discovered a new crimeware bundle being distributed via forum posts, torrent trackers, and blogs, imitating popular software like Foxit PDF Editor and AutoCAD. The malware itself is capable of extracting the victim's credit card data and details about the infected device, and of dropping a cryptocurrency miner.


The initial discovery of the attack campaign was made in August 2024. However, evidence suggests the campaign might have started as early as February 2023. Researchers noted that over this time period, the malware's info stealer module has not evolved significantly but rather has been changed incrementally to assist in avoiding detection.

Including an info stealer in the crimeware bundle, namely a package of malware that facilitates both financial and other cyber crimes, is in line with the current uptick in threat actors relying more and more on info stealers.

The initial infection vector consists of SteelFox threat actors advertising cracked legitimate software applications or keys to allow unrestricted access to popular applications on various forums and torrent trackers. These posts refer to the SteelFox dropper as an efficient way to activate a legitimate software product for free.

Researchers have seen the dropper pretend to be a crack for Foxit PDF Editor, JetBrains IDE, and AutoCAD. While these droppers have the advertised functionality, helping ensure the victim believes nothing is wrong other than pirating software, they also deliver sophisticated malware onto the victim's computer.

The dropper component of the malware is interesting for several reasons; most important, though, is how it achieves privileged access to the victim's machine. Foxit's installation directory resides in the "Program Files" folder. FoxitCrack asks for administrator access, which will be used for malicious purposes later.

The execution chain looks legitimate until the files are unpacked. A malicious function is inserted before a legitimate one; this malicious function is responsible for dropping malicious code onto the target user's system, and its placement helps it evade detection by traditional security software packages.

Commenting on the dropper further, researchers stated,

In later versions of the dropper, the actor implemented the same algorithm but used the AES-NI instruction-set extension. Since they operate with 16-byte blocks, it implies that the requirement for the payload size alignment remains in place…After that, the embedded payload, which is, in fact, a PE64 executable, is modified to avoid detection. Linking timestamps are overwritten with a random date in the range between May and December 2022, along with the linker version. Random junk data is also inserted into the .rdata section to avoid hash detection. This is accomplished with an embedded PE parser.
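The quoted passage describes the dropper overwriting the payload's link timestamp and linker version. The following is an added example, not code from the article or from Kaspersky: it reads those two fields from a PE64 header so an analyst can compare them with the vendor's genuine build, and flags timestamps in the May to December 2022 window the report mentions. The sample PE is constructed in memory with only the headers the parse needs.

```python
"""Read the PE build metadata that the SteelFox dropper randomizes.

Added example, not code from the article or from Kaspersky. The sample PE
built by build_sample_pe() is constructed for testing and has no sections.
"""
import struct
from datetime import datetime, timezone

def read_build_info(data: bytes) -> dict:
    """Return link timestamp, linker version and PE32+ flag from raw PE bytes."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header follows the 4-byte signature; TimeDateStamp sits at offset 8.
    ts = struct.unpack_from("<I", data, e_lfanew + 8)[0]
    # Optional header follows the 20-byte COFF header:
    # Magic (2), MajorLinkerVersion (1), MinorLinkerVersion (1).
    magic, major, minor = struct.unpack_from("<HBB", data, e_lfanew + 24)
    return {
        "timestamp": datetime.fromtimestamp(ts, timezone.utc),
        "linker": f"{major}.{minor}",
        "pe32plus": magic == 0x20B,
    }

def in_steelfox_window(info: dict) -> bool:
    """True if the link timestamp lies in the May-Dec 2022 range the report describes."""
    lo = datetime(2022, 5, 1, tzinfo=timezone.utc)
    hi = datetime(2023, 1, 1, tzinfo=timezone.utc)
    return lo <= info["timestamp"] < hi

def build_sample_pe(timestamp: int, major: int, minor: int) -> bytes:
    """Constructed minimal PE64 header (DOS stub + COFF + optional header) for testing."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 0, timestamp, 0, 0, 240, 0x22)
    opt = struct.pack("<HBB", 0x20B, major, minor) + b"\0" * 236
    return dos + b"PE\0\0" + coff + opt

if __name__ == "__main__":
    # Constructed values: a timestamp in August 2022 and a made-up linker version.
    sample = build_sample_pe(1660000000, 14, 29)
    info = read_build_info(sample)
    print(info, "in SteelFox window:", in_steelfox_window(info))
```

A timestamp in that window is only a triage hint, since plenty of genuine binaries were linked in 2022; the useful signal is a mismatch with the vendor's known build metadata.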

Once the dropper is initialized, the loader's infection chain begins. The loader performs several checks, and if those are passed, the attacker is able to decrypt and create shellcode.

Then, the malware registers a dispatcher with a function responsible for decryption and injection. It controls the state of the service and handles the service restart and shutdown signals. Before the malware payload is delivered, the target DLL is loaded via malicious shellcode; the DLL is encrypted with AES-128, as in the dropper.

Malware Payload

The malware payload is delivered in the final stage of the infection chain. On this stage, researchers stated,

At the beginning, this stage (DLL) creates a mutex with a randomly generated name because its network communication heavily relies on multithreading and asynchronous network I/O. After that, it performs an important task: creating a service with a WinRing0.sys driver running inside. This service is accompanied by a pipe named \\.\WinRing0_1_2_0 which allows the process to communicate with the driver. This is quite an old driver, vulnerable to CVE-2020-14979 and CVE-2021-41285, and allowing the actor to elevate privileges to NT\SYSTEM as soon as the direct unchecked communication with the driver is allowed, and the attacker controls input forwarded to the driver. This driver is also a component of the XMRig miner, so it is utilized for mining purposes. The communication with the driver is performed in a separate thread.

This tactic, known as "Bring Your Own Vulnerable Driver," has been used effectively by ransomware gangs and other financially motivated threat actors. Successfully installing the vulnerable driver paves the way for the ever-popular crypto miner, XMRig, and the info stealer.
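Defenders hunting for this BYOVD stage can look for the driver load, the service installation and the named pipe that the article describes. The following is an added example, not code from the article or from Kaspersky: it scans constructed JSON event lines modelled on Sysmon Event ID 6 (driver loaded), Sysmon Event ID 17 (named pipe created) and Windows Security Event ID 4697 (service installed) for WinRing0.sys and its WinRing0_1_2_0 pipe; the x64 driver file name in the block list is an assumption.

```python
"""Hunt for SteelFox-style BYOVD indicators in Sysmon-like JSON events.

Added example, not from the article or Kaspersky's report. Event shapes follow
Sysmon ID 6 (driver loaded), ID 17 (pipe created) and Security ID 4697
(service installed); the sample events below are constructed, not a capture.
"""
import json
from typing import List, Optional

# Drivers abused for BYOVD; WinRing0.sys is the one the article names
# (CVE-2020-14979, CVE-2021-41285). The x64 variant name is an assumption.
VULNERABLE_DRIVERS = {"winring0.sys", "winring0x64.sys"}
SUSPECT_PIPES = {"winring0_1_2_0"}

def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def check_event(ev: dict) -> Optional[str]:
    """Return a finding if the event matches a BYOVD indicator, else None."""
    eid = ev.get("EventID")
    if eid == 6 and _basename(ev.get("ImageLoaded", "")) in VULNERABLE_DRIVERS:
        return f"vulnerable driver loaded: {ev['ImageLoaded']}"
    if eid == 17:
        # Sysmon typically records '\WinRing0_1_2_0'; the article writes '\\.\WinRing0_1_2_0'.
        if ev.get("PipeName", "").lower().split("\\")[-1] in SUSPECT_PIPES:
            return f"WinRing0 control pipe created by {ev.get('Image', '?')}"
    if eid == 4697 and _basename(ev.get("ServiceFileName", "")) in VULNERABLE_DRIVERS:
        return f"service {ev.get('ServiceName', '?')} installs {ev['ServiceFileName']}"
    return None

def scan(lines) -> List[str]:
    """Parse one JSON event per line and collect findings in order."""
    hits = (check_event(json.loads(line)) for line in lines if line.strip())
    return [h for h in hits if h]

# Constructed sample events (JSON, one per line), not a real capture.
SAMPLE_EVENTS = r"""
{"EventID": 6, "ImageLoaded": "C:\\Windows\\System32\\drivers\\mouclass.sys"}
{"EventID": 4697, "ServiceName": "WinRing0_1_2_0", "ServiceFileName": "C:\\ProgramData\\WinRing0.sys"}
{"EventID": 6, "ImageLoaded": "C:\\ProgramData\\WinRing0.sys"}
{"EventID": 17, "Image": "C:\\ProgramData\\svc.exe", "PipeName": "\\WinRing0_1_2_0"}
{"EventID": 17, "Image": "C:\\Windows\\System32\\lsass.exe", "PipeName": "\\lsass"}
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS.splitlines()):
        print(finding)
```

Because the same driver ships with legitimate XMRig and hardware-monitoring tools, treat a hit as a lead to correlate with the installing process and the service path rather than as a verdict on its own.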

The latter can collect an extensive set of data about the end user. It enumerates the browsers installed on the victim's device and compares them against the following list:

  • Chrome
  • Opera
  • Opera GX
  • Brave
  • Firefox
  • Yandex
  • Wave
  • AVG
  • Avast
  • Vivaldi
  • Dragon
  • Chedot
  • Cốc Cốc

Primary data targets for the stealer include cookies, credit card data, browsing history, and the list of places visited if the victim uses Firefox. Data is then combined into one large JSON that is sent to the threat actor's command-and-control server.

The threat actors have seemingly global ambitions as victims have been located in Brazil, China, Russia, Mexico, UAE, Egypt, Algeria, Vietnam, India, and Sri Lanka. The malware's developers are also skilled, as researchers concluded,

SteelFox has emerged recently, and it is a full-featured crimeware bundle. It is capable of stealing various user data that might be of interest to the actors behind this campaign. Highly sophisticated usage of modern C++ combined with external libraries grants this malware formidable power. Usage of TLSv1.3 and SSL pinning ensures secure communication and harvesting of sensitive data.


About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.
