
SteelFox Malware Blitz Infects 11,000 Victims


A sophisticated malware campaign has been wreaking havoc on thousands of individuals across various countries since at least February 2023, posing as activators for popular applications like AutoCAD, JetBrains products, and the Foxit PDF editor. The malicious software, known as SteelFox, is distributed through forum posts and illegal torrents, and its use of SSL pinning and TLSv1.3 encryption to protect its command-and-control and data exfiltration traffic makes it challenging to detect and neutralize.

Kaspersky’s researchers discovered the malware and described it as a mass-scale threat that extracts data indiscriminately rather than targeting specific users or organizations. More than 11,000 people have been affected so far, with victims primarily located in Brazil, China, Russia, Mexico, and the United Arab Emirates. Initial access occurs when individuals fall for posts advertising SteelFox as an application activator that allows free access to commercial software like Foxit PDF Editor, JetBrains, and AutoCAD.

Once the malware gains entry into a system, it requests administrative privileges to install the supposed activator, dropping a malicious Windows executable in the process. This file initiates a series of steps culminating in the deployment of an XMRig coin miner with hardcoded credentials for a mining pool. Furthermore, SteelFox establishes communication with its command-and-control server and activates a data-stealing component that collects a range of sensitive information from the victim’s device.

To make detection and mitigation efforts more challenging, the malware authors have implemented several evasion techniques. The executable is encrypted, hindering analysis, and the payload is modified by overwriting timestamps and inserting random data so that signature-based detection fails. The malware ensures persistence by creating a Windows service that starts automatically, maintaining its operation across system reboots. Additionally, because SteelFox runs from within a Windows service with elevated privileges, it is nearly impossible for standard users to stop or remove it.
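The persistence mechanism described above leaves a trace defenders can watch for: every new service is recorded in the Windows System log as Event ID 7045 ("A service was installed in the system"), with the service name, binary path, start type and account. The following Python is an added example written for this page, not code from Kaspersky or from any vendor product: it scans a text export of such events and flags auto-start services whose binary sits in a user-writable directory or whose command line carries miner-style arguments. The key=value export format and all sample events are constructed assumptions; the event ID and its field names are real Windows ones.

```python
"""Flag suspicious service installations (Windows System log, Event ID 7045).

Example detection logic for the article; the log format and all events
below are constructed samples, not indicators taken from the SteelFox report.
"""
import re
from dataclasses import dataclass

# Constructed sample export: one event per line in a key=value style that a
# SIEM pipeline might emit (assumed format). Backslashes are doubled only
# because this is a Python string literal; the log itself has single ones.
SAMPLE_EVENTS = """\
EventID=7045 ServiceName=WSearch ImagePath="C:\\Windows\\system32\\SearchIndexer.exe /Embedding" StartType=auto ServiceType="user mode service" Account=LocalSystem
EventID=7045 ServiceName=UpdateHelperSvc ImagePath="C:\\Users\\alice\\AppData\\Local\\Temp\\svc\\helper.exe" StartType=auto ServiceType="user mode service" Account=LocalSystem
EventID=7045 ServiceName=MyVendorAgent ImagePath="C:\\Program Files\\MyVendor\\agent.exe" StartType=demand ServiceType="user mode service" Account=LocalSystem
EventID=7036 ServiceName=WSearch Message="entered the running state"
EventID=7045 ServiceName=gpu_tune ImagePath="C:\\ProgramData\\tune\\gpu_tune.exe --pool stratum+tcp://example.invalid:3333" StartType=auto ServiceType="kernel mode driver" Account=LocalSystem
"""

# Directory markers (lower-case, surrounding backslashes) that a normal user
# can write to; a service binary living here deserves a closer look.
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\")

# Substrings typical of coin-miner command lines (pool URLs, XMRig flags).
MINER_MARKERS = ("stratum", "--pool", "xmrig")

# key=value or key="quoted value with spaces"
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


@dataclass
class Finding:
    service: str
    image_path: str
    reasons: list


def parse_event(line: str) -> dict:
    """Turn one exported event line into a dict of its fields."""
    return {key: (quoted or bare) for key, quoted, bare in KV_RE.findall(line)}


def assess_service_install(event: dict):
    """Return a Finding for a suspicious 7045 event, else None."""
    if event.get("EventID") != "7045":
        return None
    path = event.get("ImagePath", "")
    lowered = path.lower()
    reasons = []
    if any(marker in lowered for marker in USER_WRITABLE):
        reasons.append("binary in user-writable location")
    if any(marker in lowered for marker in MINER_MARKERS):
        reasons.append("miner-style command line")
    if not reasons:
        return None  # binary in a protected path and nothing miner-like
    # Context that raises the severity once something already looks off.
    if event.get("StartType", "").lower() == "auto":
        reasons.append("auto-start (survives reboot)")
    if event.get("Account", "").lower() == "localsystem":
        reasons.append("runs as LocalSystem")
    return Finding(event.get("ServiceName", "?"), path, reasons)


def scan(log_text: str) -> list:
    """Scan a whole export and return the list of findings in log order."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        finding = assess_service_install(parse_event(line))
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.service}: {f.image_path}")
        for r in f.reasons:
            print(f"    - {r}")
```

Run against the constructed sample, the Windows Search and vendor-agent services pass, while the Temp-resident auto-start service and the ProgramData binary with a pool URL are reported. In a real deployment the same logic would sit on a 7045 feed from the event forwarder, and the path allow-list would be tuned to the estate's legitimate install locations.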

The use of SSL pinning and TLSv1.3 encryption allows SteelFox to operate covertly and evade detection, presenting a significant challenge for defenders. This sophisticated crimeware bundle has the capability to steal various types of user data, reflecting the evolving tactics employed by threat actors. Recent examples of advanced malware campaigns include CRON#TRAP, utilizing custom-emulated QEMU Linux environments, and GhostEngine, a multimodal malware toolkit designed to evade endpoint detection and response mechanisms.

The proliferation of generative AI tools has also contributed to the innovation of malware tactics, particularly in influence operations and misinformation campaigns. The increasing sophistication of cyber threats underscores the importance of robust cybersecurity measures and constant vigilance to protect against malicious attacks in an increasingly digital world.
