Thousands of people, including many who use applications such as AutoCAD, JetBrains, and the Foxit PDF editor, have become victims of a sophisticated data-stealing and crypto-mining malware campaign active since February 2023. The as-yet-unidentified threat actor behind it is distributing the malware via forum posts and illegal torrents. What makes the malware challenging to mitigate is its use of SSL pinning and TLSv1.3 encryption to protect its command-and-control (C2) communications and data exfiltration against interception and analysis.
Researchers who discovered the malware are tracking it as "SteelFox." In a report this week, they described the threat as not targeting any user, group, or organization specifically. "Instead, it acts on a mass scale, extracting every bit of data that can be processed later," the security vendor's researchers noted. "The highly sophisticated usage of modern C++ combined with external libraries grant this malware formidable power." Over 11,000 people have fallen victim to the malware bundle, mostly across ten countries, including Brazil, China, Russia, Mexico, and the United Arab Emirates.
In each case, the initial access resulted from people acting on posts that advertised SteelFox as an efficient application activator, i.e., a tool that allows users to bypass licensing mechanisms and activate a commercial application for free. The apps that SteelFox purported to be an activator for included Foxit PDF Editor, JetBrains, and AutoCAD. "While these droppers do have the advertised functionality, they also deliver sophisticated malware right onto the user’s computer," the researchers wrote.
The analysis of the SteelFox activator for JetBrains showed that once it has initial access, the malware asks for administrative access to the user's system. It then uses that access to install the application activator in the computer's Program Files folder. During the process, SteelFox also drops a malicious Portable Executable file for 64-bit Windows systems (PE64). The file goes through a series of execution steps before retrieving and deploying a modified version of the XMRig coin miner with hardcoded credentials for a mining pool.
The malware then connects to its C2 server, triggering a separate data stealer component. The stealer first enumerates the browsers installed on the victim's system and deploys functions for stealing a range of data, including credit card data, cookies, browsing history, and a list of sites the user might have visited. Other data the stealer was found pilfering from compromised systems included information on all installed software, network information such as wireless interfaces and passwords, drive names and types, user information, and RDP session information.
The security vendor pointed to several mechanisms that the malware authors have implemented to make the threat hard for defenders to detect and mitigate. The initial stage executable, for instance, is encrypted, making analysis harder. After deployment, the initial PE64 payload is modified by overwriting time stamps and inserting random junk data to avoid detection. For persistence, the second-stage payload creates a Windows service and configures it to auto-start, ensuring the malware remains active through system reboots. Before the actual payload executes, the malware launches and loads from inside a Windows service that requires privileges unavailable to most users. This puts the loader out of reach of ordinary users: even copying the sample requires NT\SYSTEM privileges.
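The persistence step described above, a second-stage payload registering an auto-start Windows service, leaves a footprint that defenders can hunt for in the System event log. The following Python script is an added example, not code from the original article or from the researchers' report: it scans constructed log lines shaped like Windows Event ID 7045 ("A service was installed in the system") and flags installs that combine an auto-start type, the LocalSystem account, and an image path outside an assumed baseline of trusted directories. The key=value field names, the sample paths and the trusted-prefix list are assumptions chosen for illustration and would need tuning to a real environment.

```python
"""Flag suspicious auto-start service installs in Windows 7045-style log lines.

Added example for illustration; the log format, sample values and the
trusted-directory baseline below are assumptions, not SteelFox telemetry.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample events (invented for this example) flattened to key=value
# pairs. Event ID 7045 is "A service was installed in the system"; 7036 is a
# state change and is included only to show that it is ignored.
SAMPLE_EVENTS = [
    'ts=2024-11-05T10:14:02Z EventID=7045 ServiceName="Windows Defender Antivirus Service" '
    'ImagePath="C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.24090.11-0\\MsMpEng.exe" '
    'StartType="auto start" Account="LocalSystem"',
    'ts=2024-11-05T10:21:44Z EventID=7045 ServiceName="UpdateSvc" '
    'ImagePath="C:\\Users\\alice\\AppData\\Local\\Temp\\svc_update.exe" '
    'StartType="auto start" Account="LocalSystem"',
    'ts=2024-11-05T10:25:10Z EventID=7045 ServiceName="PrintHelper" '
    'ImagePath="C:\\Program Files\\PrintCo\\helper.exe" '
    'StartType="demand start" Account="NT AUTHORITY\\LocalService"',
    'ts=2024-11-05T11:02:30Z EventID=7045 ServiceName="sysdrv" '
    'ImagePath="C:\\ProgramData\\sysdrv\\sysdrv.exe" '
    'StartType="auto start" Account="LocalSystem"',
    'ts=2024-11-05T11:05:00Z EventID=7036 ServiceName="sysdrv" State="running"',
]

# Assumed baseline: directories where legitimate auto-start services usually
# live. Anything else (Temp, AppData, arbitrary ProgramData folders) is
# treated as worth a look. Tune this allowlist per environment.
TRUSTED_PREFIXES = (
    "c:\\windows\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
    "c:\\programdata\\microsoft\\",
)

# key=value pairs where the value is either double-quoted or a bare token.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


@dataclass
class Finding:
    service: str
    image_path: str
    reasons: tuple[str, ...]


def parse_event(line: str) -> dict[str, str]:
    """Turn one flattened key=value log line into a dictionary."""
    return {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}


def executable_of(image_path: str) -> str:
    """Return the lower-cased executable part of a service image path, dropping arguments."""
    path = image_path.strip().strip('"')
    match = re.match(r"(.*?\.(?:exe|sys|dll))", path, re.IGNORECASE)
    return (match.group(1) if match else path.split(" ")[0]).lower()


def assess(event: dict[str, str]) -> Finding | None:
    """Flag a 7045 install only when all three persistence-risk conditions hold."""
    if event.get("EventID") != "7045":
        return None
    reasons = []
    if event.get("StartType", "").lower() == "auto start":
        reasons.append("auto-start service (survives reboot)")
    if event.get("Account", "").lower() == "localsystem":
        reasons.append("runs as LocalSystem")
    exe = executable_of(event.get("ImagePath", ""))
    if not exe.startswith(TRUSTED_PREFIXES):
        reasons.append(f"image outside trusted directories: {exe}")
    if len(reasons) < 3:
        return None
    return Finding(event.get("ServiceName", "?"), exe, tuple(reasons))


def hunt(lines: list[str]) -> list[Finding]:
    """Run the rule over a batch of log lines and collect findings in order."""
    findings = []
    for line in lines:
        finding = assess(parse_event(line))
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[!] {f.service}: {f.image_path}")
        for reason in f.reasons:
            print(f"      - {reason}")
```

Requiring all three conditions keeps the rule quiet on legitimate auto-start services such as the Defender entry in the sample, which also runs as LocalSystem but lives under an allowlisted path; the two invented entries under Temp and an unknown ProgramData folder are the ones surfaced for review.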
SteelFox's use of SSL pinning, where a client application or device trusts only a specific certificate or public key, combined with the TLSv1.3 encryption protocol for C2 communication, is another issue because it allows the malware to operate covertly with a low risk of detection. Though it emerged only recently, SteelFox is a full-featured crimeware bundle that can steal a wide range of user data of interest to the actors behind this campaign.
SteelFox is only the latest manifestation of what security researchers have described as the growing sophistication that threat actors have begun incorporating into their malware and tactics. Another recent example is CRON#TRAP, a campaign where a threat actor uses custom-emulated QEMU Linux environments to stage malware and execute malicious commands in a near-undetectable way. In May 2024, Elastic Security reported GhostEngine, a multimodal malware toolkit that, among other things, has functions for effectively killing endpoint detection and response mechanisms. The proliferation and easy availability of generative AI (GenAI) tools has also fueled some recent innovations around malware tactics, especially in influence operations and misinformation campaigns.
This article is shared at no charge and is for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC). For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225 or feedback@redskyalliance.com
• Reporting: https://www.redskyalliance.org/
• Website: https://www.redskyalliance.com/
• LinkedIn: https://www.linkedin.com/company/64265941
• Weekly Cyber Intelligence Briefings (REDSHORTS): https://register.gotowebinar.com/register/5378972949933166424