In August 2024, a new crimeware bundle named “SteelFox” was discovered by a security team. This threat utilizes sophisticated execution chains, including shellcoding, to target Windows services and drivers. The distribution of SteelFox occurs through forum posts, torrent trackers, and blogs, where it masquerades as popular software such as Foxit PDF Editor and AutoCAD. Furthermore, SteelFox incorporates stealer malware to extract sensitive information from victims, including credit card data and device specifics.
SteelFox establishes communication with its command and control (C2) server via SSL pinning and TLSv1.3, using a domain with a dynamically changing IP address. The threat is implemented using the Boost.Asio library, showcasing a high level of technical sophistication. One notable capability of SteelFox is its ability to escalate privileges through the exploitation of a vulnerable driver on the target system.
Kaspersky’s security products detect the SteelFox threat as HEUR:Trojan.Win64.SteelFox.gen. This designation helps identify and mitigate instances of the malware within affected systems.
A detailed technical analysis of SteelFox reveals its multi-stage infection process, starting with distribution through forum posts and malicious torrents. The dropper component of SteelFox pretends to be an activator for popular software, such as Foxit PDF Editor. Upon execution, the dropper extracts and unpacks the malicious payload onto the victim’s system, initiating a chain of malicious activities.
The SteelFox loader progresses the infection by creating a service that persists across system reboots. This loader implements various checks to evade detection and ensures the smooth execution of subsequent malicious operations. The driver vulnerability exploited by SteelFox enables the threat actors to elevate privileges and carry out mining activities for financial gain.
In the final stage, SteelFox sets up a communication infrastructure with the C2 server, leveraging encryption and secure communication protocols to transmit stolen data effectively. The malware targets a wide range of user data, including browsers, software details, system information, network settings, user credentials, and more. The sophisticated data exfiltration process culminates in the transmission of a large JSON payload to the C2 server.
Charting the victims of the SteelFox campaign reveals a global impact, with affected users spread across various countries, including Brazil, China, Russia, Mexico, UAE, Egypt, Algeria, Vietnam, India, and Sri Lanka. This mass-scale targeting reinforces the threat actors’ intent to compromise a broad spectrum of users through deceptive distribution tactics.
As of now, no specific attribution can be assigned to the SteelFox campaign. The threat operators deploy various obfuscation techniques to evade detection, leveraging compromised accounts and platform vulnerabilities in their distribution strategy.
In conclusion, SteelFox represents a highly sophisticated crimeware bundle that poses a significant risk to users globally. Its advanced capabilities, secure communication channels, and broad data collection scope underline the importance of maintaining security best practices, such as using official software sources and employing robust security solutions to prevent malware infections. The evolving nature of threats like SteelFox necessitates proactive measures to mitigate risks and safeguard sensitive information from malicious actors.
Croatian 
English 
Albanian 
Serbian 