New SteelFox Malware Hijacks Windows PCs Using Vulnerable Driver

A newly documented malware package called ‘SteelFox’ uses the “bring your own vulnerable driver” (BYOVD) technique to gain SYSTEM privileges on Windows machines. It drops the vulnerable driver WinRing0.sys and abuses it to obtain NT AUTHORITY\SYSTEM privileges; with that access it mines cryptocurrency and steals credit card data from the victim's browsers.

SteelFox is distributed through forums and torrent trackers, posing as a crack that activates legitimate software such as Foxit PDF Editor, JetBrains products, and AutoCAD. The campaign was first detected in August 2023, and its distribution has picked up recently across those channels.

According to Kaspersky researchers, the dropper ships with complete instructions for activating the software, and applying the crack requires administrator rights. Granting those rights hands the same elevated privileges to the dropper, which uses them to install its malicious payload on the system.

Once running, SteelFox creates a Windows service that loads WinRing0.sys; the driver's flaws are then abused to escalate to NT AUTHORITY\SYSTEM. The same driver also serves the malware's cryptocurrency miner, and the malware contacts its command-and-control (C2) server over TLS 1.3 with certificate (SSL) pinning.
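The article does not include any hunting guidance, so the following PowerShell script is an added triage check and is not code from BleepingComputer or Kaspersky. It does two things a responder would want on a suspected host: it lists every registered kernel driver service whose name, display name or image path matches a "WinRing0" pattern (with the file's SHA-256 and Authenticode signer), and it pulls Service Control Manager event 7045 ("A service was installed in the system") from the System log to show which kernel-mode drivers were installed recently. The name pattern and the 30-day window are assumptions; the malware can register the driver under any service name and rename the file, so the hash is the value worth matching against your own blocklist.

```powershell
# Added triage script (not from the article or from Kaspersky). Run in an
# elevated PowerShell session on the host under investigation.
# Assumption: the driver file or service still carries "WinRing0" in its name;
# a renamed copy would only show up via the 7045 listing and the file hash.

$DriverPattern = 'WinRing0'   # matches WinRing0.sys / WinRing0x64.sys

function Resolve-DriverPath {
    # Win32_SystemDriver.PathName uses NT-style prefixes (\??\, \SystemRoot\)
    # or a path relative to the Windows directory; map them to Win32 paths.
    param([string]$PathName)
    if (-not $PathName) { return $null }
    $p = $PathName.Trim('"')
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ($p -match '^system32\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-SuspectDriverService {
    # Every registered kernel driver whose service name, display name or
    # image path matches the pattern, with file hash and signer details.
    Get-CimInstance Win32_SystemDriver | Where-Object {
        ($_.Name -match $DriverPattern) -or
        ($_.DisplayName -match $DriverPattern) -or
        ($_.PathName -match $DriverPattern)
    } | ForEach-Object {
        $path = Resolve-DriverPath $_.PathName
        $hash = $null; $signer = $null; $status = 'FileMissing'
        if ($path -and (Test-Path -LiteralPath $path)) {
            $hash   = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            $sig    = Get-AuthenticodeSignature -LiteralPath $path
            $status = $sig.Status
            $signer = $sig.SignerCertificate.Subject
        }
        [pscustomobject]@{
            Service   = $_.Name
            State     = $_.State
            StartMode = $_.StartMode
            Path      = $path
            SHA256    = $hash
            SigStatus = $status
            Signer    = $signer
        }
    }
}

function Get-RecentKernelDriverInstall {
    # Event 7045 is written to the System log for every newly installed
    # service, drivers included. Keep only kernel-mode drivers from the window.
    param([int]$Days = 30)
    $since = (Get-Date).AddDays(-$Days)
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        # EventData fields for 7045: ServiceName, ImagePath, ServiceType, StartType, AccountName
        $xml = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            ServiceName = $d['ServiceName']
            ImagePath   = $d['ImagePath']
            ServiceType = $d['ServiceType']
            Account     = $d['AccountName']
            Flagged     = ($d['ImagePath'] -match $DriverPattern)
        }
    } | Where-Object { $_.ServiceType -match 'kernel mode driver' }
}

"== Registered driver services matching '$DriverPattern' =="
Get-SuspectDriverService | Format-List

"== Kernel-mode driver services installed in the last 30 days (Flagged = image path matches pattern) =="
Get-RecentKernelDriverInstall -Days 30 | Sort-Object Time -Descending | Format-Table -AutoSize
```

A valid SigStatus does not clear a hit: BYOVD works precisely because the abused driver carries an acceptable signature, so the decision has to rest on the file hash and on whether a driver-creating service appeared alongside the software crack described above. Any suspect driver found this way should also be checked against the current vulnerable-driver blocklist your endpoint tooling applies, since blocking the driver from loading removes the privilege-escalation step entirely.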

The malware also runs an info-stealer component that harvests data from 13 web browsers, including saved credit cards, browsing history, and cookies. SteelFox has no specific targets; its victims are whoever installs the fake cracks, which in practice means users of AutoCAD, JetBrains products, and Foxit PDF Editor.

Kaspersky’s products have detected and blocked SteelFox over 11,000 times. The researchers describe it as a full-featured crimeware bundle whose code points to a developer skilled in C++.
Source: https://www.bleepingcomputer.com/news/security/new-steelfox-malware-hijacks-windows-pcs-using-vulnerable-driver/