SteelFox Trojan imitates popular products to drop stealer and miner malware
- November 6, 2024
- Posted by: chuckb
- Category: Securelist
In August 2024, a new crimeware bundle named “SteelFox” was identified, characterized by its sophisticated execution mechanisms, including shellcoding and exploitation of Windows services and drivers. SteelFox is disseminated through forum posts, torrent trackers, and blogs, masquerading as key generators for well-known software such as Foxit PDF Editor and AutoCAD. This malware not only serves as a conduit for further malicious payloads but also employs stealer malware functionalities to capture sensitive information such as credit card data and comprehensive device details.
The initial attack vector is forum posts and torrent trackers that present the SteelFox dropper as a means to gain free access to legitimate software. For instance, one version of the dropper, disguised as a crack for Foxit PDF Editor, is named “foxitcrack.exe.” After requesting administrator privileges under the guise of software installation, the dropper unpacks its malicious payload, which is subsequently executed on the user’s machine.
The dropped code is decrypted using the AES-128 algorithm, with the decryption process employing a sophisticated method for encryption key handling. Following the decryption, the embedded payload, essentially a PE64 executable, is obfuscated to escape detection, employing techniques such as randomizing timestamps and inserting extraneous data. The malicious executable is written to one of several specified directories associated with common software applications.
Once executed, SteelFox creates a service to ensure persistence on the system, operating under the guise of legitimate Windows services. This service uses verification measures to confirm that it is running in the correct context, thwarting attempts at debugging to enhance its concealment. The malware’s loader performs several preparatory tasks, including function table creation and the implementation of persistent components, prior to launching the main payload.
The final component of SteelFox deploys a modified version of the XMRig miner for cryptocurrency mining. It connects to a designated mining pool using hardcoded credentials, and it leverages vulnerabilities in the WinRing0 driver to escalate privileges to NT AUTHORITY\SYSTEM, thereby amplifying its control over the compromised system. This sophisticated interaction with system drivers allows SteelFox to perform various illicit activities undetected.
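Detection logic for the two behaviours described above (a newly created service for persistence, then use of the WinRing0 driver), added here as an example and not taken from the original report. It assumes service-install records exported from Windows System log Event ID 7045 and that the driver load appears there as a kernel-driver install; the hosts, service names, paths, the `winring0*.sys` file-name pattern and the 15-minute window are constructed or assumed.

```python
import ntpath
import re
from datetime import datetime, timedelta

# Constructed sample records shaped like Event ID 7045 fields
# ("A service was installed in the system"). Hosts, names and paths are invented.
EVENTS = [
    {"host": "WS-01", "time": "2024-11-06T10:00:05", "ServiceName": "ExampleUpdaterSvc",
     "ImagePath": r"C:\Program Files\ExampleApp\updater.exe",
     "ServiceType": "user mode service", "StartType": "auto start"},
    {"host": "WS-01", "time": "2024-11-06T10:03:40", "ServiceName": "ExampleDrv",
     "ImagePath": r"C:\Program Files\ExampleApp\WinRing0x64.sys",
     "ServiceType": "kernel mode driver", "StartType": "demand start"},
    {"host": "WS-02", "time": "2024-11-06T11:00:00", "ServiceName": "ExamplePrintSvc",
     "ImagePath": r"C:\Program Files\ExamplePrint\svc.exe",
     "ServiceType": "user mode service", "StartType": "auto start"},
    {"host": "WS-03", "time": "2024-11-06T12:00:00", "ServiceName": "ExampleHwMon",
     "ImagePath": r"C:\Tools\HwMon\WINRING0X64.SYS",
     "ServiceType": "kernel mode driver", "StartType": "demand start"},
]

# Assumed file-name pattern for the WinRing0 driver; matched case-insensitively.
DRIVER_RE = re.compile(r"^winring0.*\.sys$", re.IGNORECASE)
WINDOW = timedelta(minutes=15)  # assumed correlation window

def find_winring0_installs(events):
    """Flag WinRing0 driver installs; raise severity when an auto-start
    user-mode service was installed on the same host within WINDOW."""
    parsed = [dict(e, ts=datetime.fromisoformat(e["time"])) for e in events]
    findings = []
    for drv in parsed:
        if drv["ServiceType"] != "kernel mode driver":
            continue
        if not DRIVER_RE.match(ntpath.basename(drv["ImagePath"])):
            continue
        # Persistence candidates: auto-start services created close in time.
        nearby = sorted(e["ServiceName"] for e in parsed
                        if e["host"] == drv["host"]
                        and e["ServiceType"] == "user mode service"
                        and e["StartType"] == "auto start"
                        and abs(e["ts"] - drv["ts"]) <= WINDOW)
        findings.append({"host": drv["host"], "driver": drv["ImagePath"],
                         "nearby_services": nearby,
                         "severity": "high" if nearby else "review"})
    return findings

if __name__ == "__main__":
    for finding in find_winring0_installs(EVENTS):
        print(finding)
```

A driver install on its own is rated `review` rather than `high` because legitimate hardware-monitoring tools also ship WinRing0.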
Communication with its command and control (C2) infrastructure is encrypted via TLSv1.3, employing libraries like Boost.Asio and wolfSSL for secure data transfer. The malware was designed with SSL pinning as a countermeasure against interception, ensuring that communication can remain confidential. Once connected to the C2 server, SteelFox retrieves a suite of user data that it systematically collects from the victim’s device.
The data collection phase involves scraping sensitive information from various web browsers, such as cookies and credit card details, alongside broader system information, including installed software and network configurations. This data is aggregated into a JSON file and sent back to the operators of the C2 server, facilitating extensive identity theft and fraud opportunities.
SteelFox does not focus on specific targets but instead operates on a broad scale, affecting numerous users who inadvertently download its components. The campaign has been detected multiple times across various regions, with higher incidence noted in countries such as Brazil, China, and Russia, among others. This suggests that the malware has global reach and impact.
No specific attribution can be confirmed for this campaign, as the forums and platforms used to disseminate SteelFox are often populated by either compromised accounts or naive users. The campaign has gained significant traction on Chinese platforms and Russian torrent sites, indicating a diverse distribution strategy.
Ultimately, the emergence of SteelFox highlights the growing sophistication of malware, combining modern programming techniques with advanced evasion tactics. Its reliance on secure communication and data mining capabilities poses a considerable threat, underscoring the critical need for users to source software from verified outlets and utilize reputable security solutions to avert infection. Recognizable indicators of compromise associated with SteelFox include particular file hashes, specific file paths, and known domains used in its operation.