New SteelFox Malware Posing as Popular Software to Steal Browser Data
SteelFox malware targets software pirates through fake activation tools, stealing credit card data and deploying crypto miners. Learn about this new threat affecting users worldwide and how to protect yourself from this sophisticated cybercrime campaign.
Cybersecurity researchers at Securelist have identified a new type of malware that has been spreading through online forums, torrent trackers, and blogs, posing as legitimate software like Foxit PDF Editor, AutoCAD, and JetBrains.
Dubbed “SteelFox” by researchers, the malware mainly targets Microsoft Windows users who download pirated software and fake software activation tools (cracks).
The campaign, which began in February 2023, combines cryptocurrency mining and data stealing capabilities through fake software activation tools. So far, the malware has infected over 11,000 users worldwide.
According to Securelist’s blog post shared with Hackread.com ahead of publishing, SteelFox is a full-featured “crimeware bundle“ that extracts sensitive data from infected devices, including credit card information, browsing history, and login credentials. It also collects system information, such as installed software, running services, and network configurations.
The malware’s initial attack vector involves fake software activators, which are advertised on online forums and torrent trackers as a way to activate legitimate software for free. Once installed, the malware creates a service that persists across reboots and uses a vulnerable driver to escalate its privileges.
Malicious dropper advertisement (Via Securelist)
The malware operates through a multi-stage attack chain, beginning with a dropper that requires administrator privileges. Once executed, it installs itself as a Windows service and uses AES-128 encryption to hide its components. The malware achieves system-level access by exploiting vulnerable drivers and implements TLS 1.3 with SSL pinning for secure communication with its command servers.
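As an added illustration (not from Securelist’s report or this article), the defender-side hunt below walks constructed Windows System-log records of Event ID 7045, the event written whenever a service is installed, and flags the two behaviours described above: a user-mode service registered from a user-writable path so it survives reboots, and a kernel driver loaded from outside System32\drivers. The field names follow Event 7045; the service names and paths are constructed samples, not SteelFox indicators.

```python
import re

# Constructed Event ID 7045 records ("A service was installed in the system"),
# flattened to one line each. Sample data only, not real SteelFox indicators.
SAMPLE_7045 = [
    "ServiceName=WinDefend ServiceFileName=C:\\Program Files\\Windows Defender\\MsMpEng.exe "
    "ServiceType=user mode service StartType=auto start Account=LocalSystem",
    "ServiceName=ActivatorSvc ServiceFileName=C:\\Users\\Alice\\AppData\\Local\\Temp\\activator.exe "
    "ServiceType=user mode service StartType=auto start Account=LocalSystem",
    "ServiceName=drvhelper ServiceFileName=C:\\Users\\Alice\\Downloads\\crack\\helper.sys "
    "ServiceType=kernel mode driver StartType=demand start Account=",
    "ServiceName=mssmbios ServiceFileName=\\SystemRoot\\System32\\drivers\\mssmbios.sys "
    "ServiceType=kernel mode driver StartType=boot start Account=",
]

# key=value pairs; values may contain spaces, so stop before the next " key=" or end of line
FIELD_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\", "\\downloads\\")
DRIVER_DIR = "\\system32\\drivers\\"


def parse_7045(line):
    """Split one flattened 7045 record into a field dict."""
    return dict(FIELD_RE.findall(line))


def triage(line):
    """Return the reasons a record looks suspicious (empty list = nothing flagged)."""
    ev = parse_7045(line)
    path = ev.get("ServiceFileName", "").lower()
    stype = ev.get("ServiceType", "").lower()
    reasons = []
    if any(tok in path for tok in USER_WRITABLE):
        reasons.append("binary in user-writable path")
    if "kernel mode driver" in stype and DRIVER_DIR not in path:
        reasons.append("kernel driver loaded from outside System32\\drivers")
    # an auto-start LocalSystem service is only interesting once another reason fired
    if reasons and "auto start" in ev.get("StartType", "").lower() and ev.get("Account") == "LocalSystem":
        reasons.append("auto-start as LocalSystem (persistence across reboots)")
    return reasons


def hunt(lines):
    """Map each flagged service name to its reasons; benign records are dropped."""
    return {parse_7045(l)["ServiceName"]: triage(l) for l in lines if triage(l)}


if __name__ == "__main__":
    for name, why in hunt(SAMPLE_7045).items():
        print(f"{name}: {'; '.join(why)}")
```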
“SteelFox’s highly sophisticated usage of modern C++ combined with external libraries grants this malware formidable power. Usage of TLSv1.3 and SSL pinning ensures secure communication and harvesting of sensitive data.”
Securelist
**Global Impact**
SteelFox does not appear to target specific individuals or organizations, instead operating on a larger scale to infect as many users as possible. The malware has already infected users in over 10 countries, including the following:
- UAE
- India
- Brazil
- China
- Russia
- Egypt
- Algeria
- Mexico
- Vietnam
- Sri Lanka
James McQuiggan, a security awareness advocate at KnowBe4, emphasized the importance of organizations being cautious about the sources of their software downloads. He also highlighted the necessity of training employees through cybersecurity awareness programs.
“The dual functionality of SteelFox’s droppers—providing both software ‘cracks’ and malware—indicates the complex tools used by cybercriminals, and using an outdated driver for privilege escalation highlights the critical need for organizations to ensure they are implementing patches.”
“Organizations must ensure they verify software sources, maintain the least user privilege access control, and leverage endpoint protection to detect suspicious installation behaviours,” James explained.
“Furthermore and more importantly, ensure that cybersecurity awareness programs are provided to users about the dangers of unverified software, like open source software or these common applications. Allow for an IT-managed software solution to install and monitor all applications,” he advised.
**Protecting Yourself from SteelFox**
To avoid becoming victims of SteelFox, users should only download software from official sources and use a reliable security solution that can detect and prevent the installation of infected software. Additionally, users should be cautious when clicking links or downloading attachments from unknown sources, as these can often be used to spread malware.