Thousands of people — including many using applications such as AutoCAD, JetBrains, and the Foxit PDF editor — have become victims of a sophisticated data-stealing and cryptomining malware campaign that's been active since at least February 2023.
The as-yet-unidentified threat actor behind it is distributing the malware via forum posts and illegal torrents. What makes the malware challenging to mitigate is its use of SSL pinning and TLSv1.3 encryption to protect its command-and-control (C2) communications and data exfiltration activities against interception and analysis.
Researchers at Kaspersky who discovered the malware are tracking it as "SteelFox." In a report this week, they described the threat as not targeting any user, group, or organization specifically. "Instead, it acts on a mass scale, extracting every bit of data that can be processed later," the security vendor's researchers noted. "The highly sophisticated usage of modern C++ combined with external libraries grant this malware formidable power."
More than 11,000 people appear to have fallen victim to the malware bundle, mostly across 10 countries, including Brazil, China, Russia, Mexico, and the United Arab Emirates.
The initial access in each case resulted from people acting on posts that advertised SteelFox as an efficient application activator — i.e., a tool that allows users to bypass licensing mechanisms and activate a commercial application for free. The apps that SteelFox purported to be an activator for included Foxit PDF Editor, JetBrains, and AutoCAD.
"While these droppers do have the advertised functionality, they also deliver sophisticated malware right onto the user’s computer," the researchers wrote.
Sophisticated Execution Chain
Kaspersky's analysis of the SteelFox activator for JetBrains showed that once it has initial access, the malware asks for administrative access to the user's system. It then uses that access to begin installing the application activator in the computer's Program Files folder. During the process, SteelFox also drops a malicious Portable Executable file for 64-bit Windows systems (PE64). The file goes through a series of execution steps before retrieving and deploying a modified version of the XMRig coin miner with hardcoded credentials to a mining pool.
The malware then connects to its C2 server, at which point a separate data stealer component is triggered. The stealer first enumerates the browsers installed on the victim's system and deploys functions for stealing a range of data, including credit card data, cookies, browsing history, and a list of sites the user might have visited. Other data that Kaspersky found the stealer pilfering from compromised systems included information on all installed software, network info such as wireless interfaces and passwords, drive names and types, user information, and RDP session information.
The security vendor pointed to several mechanisms that the authors of the malware have implemented to make it hard for defenders to detect and mitigate the threat. The initial stage executable, for instance, is encrypted, making analysis harder. The initial PE64 payload is modified after deployment by overwriting time stamps and inserting random junk data to avoid detection. For persistence, the second-stage payload creates a Windows service and configures it to auto-start, ensuring the malware remains active through system reboots. Before the actual payload executes, the malware loads from inside a Windows service that runs with privileges unavailable to most users.
"This makes any user actions against this loader impossible because even copying this sample requires NT\SYSTEM privileges," Kaspersky said.
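The persistence step described above (a newly installed, auto-starting Windows service running as LocalSystem) is one of the few points in this chain that leaves a plain record on the host: the System event log writes Event ID 7045 ("A service was installed in the system") for every service installation. The following Python script is an added illustration, not code from the Kaspersky report or from this article; it triages constructed 7045 message bodies and grades them. The service names, paths and records are made up for the example and are not indicators from the report. Because the article notes that SteelFox installs into Program Files, an allowlist on the Windows directory alone is not enough, so auto-start LocalSystem services outside %SystemRoot% get a "review" grade for correlation with other telemetry, while binaries in user-writable locations are graded "high".

```python
"""Triage Windows System-log Event ID 7045 records ("A service was installed
in the system") for auto-start services that run as LocalSystem from places
a legitimate OS service would not.  Added example; sample data is constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample message bodies in the shape of Event ID 7045.  These are
# made-up records for illustration, not indicators from the SteelFox report.
SAMPLE_EVENTS = [
    r"""Service Name: Spooler
Service File Name: C:\Windows\System32\spoolsv.exe
Service Type: user mode service
Service Start Type: auto start
Service Account: LocalSystem""",
    r"""Service Name: ExampleUpdater
Service File Name: "C:\Program Files\ExampleVendor\updater.exe" -service
Service Type: user mode service
Service Start Type: auto start
Service Account: LocalSystem""",
    r"""Service Name: WinSysHelper
Service File Name: C:\Users\Public\Libraries\winsys.exe
Service Type: user mode service
Service Start Type: auto start
Service Account: LocalSystem""",
    r"""Service Name: ToolSvc
Service File Name: C:\Users\alice\AppData\Local\Temp\tool.exe
Service Type: user mode service
Service Start Type: demand start
Service Account: NT AUTHORITY\LocalService""",
]

FIELD_RE = re.compile(
    r"^(Service Name|Service File Name|Service Start Type|Service Account):\s*(.*)$",
    re.M,
)
SYSTEM_ROOT = "c:\\windows\\"
# Path fragments that indicate a location an ordinary user can write to.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "\\temp\\", "\\appdata\\")


@dataclass
class Finding:
    service: str
    image_path: str
    severity: str        # "high" or "review"
    reasons: List[str]


def parse_event(body: str) -> Dict[str, str]:
    """Extract the 7045 fields we care about into a dict."""
    return {key: value.strip() for key, value in FIELD_RE.findall(body)}


def executable_path(image: str) -> str:
    """Return the executable from a 'Service File Name' value, dropping arguments.
    Quoted paths are taken verbatim; unquoted ones are cut at the first
    '-' or '/' argument (e.g. 'svchost.exe -k netsvcs')."""
    image = image.strip()
    if image.startswith('"'):
        end = image.find('"', 1)
        return image[1:end] if end > 0 else image[1:]
    return re.split(r"\s+(?=[-/])", image, maxsplit=1)[0]


def triage(body: str) -> Optional[Finding]:
    """Grade one event: 'high' for a binary in a user-writable location,
    'review' for an auto-start LocalSystem service outside %SystemRoot%,
    None when neither heuristic fires."""
    ev = parse_event(body)
    path = executable_path(ev.get("Service File Name", ""))
    low = path.lower()
    reasons: List[str] = []
    user_writable = any(marker in low for marker in USER_WRITABLE)
    if user_writable:
        reasons.append("binary in a user-writable location")
    auto_system = (ev.get("Service Start Type", "").lower() == "auto start"
                   and ev.get("Service Account", "").lower() == "localsystem")
    outside_root = not low.startswith(SYSTEM_ROOT)
    if auto_system:
        reasons.append("auto-start service running as LocalSystem")
        if outside_root:
            reasons.append("binary outside %SystemRoot%")
    if user_writable:
        severity = "high"
    elif auto_system and outside_root:
        severity = "review"
    else:
        return None
    return Finding(ev.get("Service Name", "?"), path, severity, reasons)


def triage_all(bodies: List[str]) -> List[Finding]:
    """Run triage over a batch of event bodies and keep only the findings."""
    return [f for f in map(triage, bodies) if f is not None]


if __name__ == "__main__":
    for f in triage_all(SAMPLE_EVENTS):
        print(f"[{f.severity:6}] {f.service}: {f.image_path} ({'; '.join(f.reasons)})")
```

On a live host the same bodies can be pulled from the System log and fed to `triage_all`; the "review" grade is deliberately a prompt for correlation (signer, install time, parent process) rather than a verdict, since legitimate third-party services also auto-start as LocalSystem from Program Files.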
A Growing Challenge for Defenders
SteelFox's use of SSL pinning — where a client application accepts only a specific, hardcoded certificate or public key for its server, so an intercepting proxy's certificate is rejected — and the TLSv1.3 encryption protocol for C2 communication is another issue because they allow the malware to operate covertly with a low risk of detection.
"SteelFox has emerged recently, and it is a full-featured crimeware bundle. It is capable of stealing various user data that might be of interest to the actors behind this campaign," Kaspersky's researchers wrote.
SteelFox is only the latest manifestation of what security researchers have described as the growing sophistication that threat actors have begun incorporating into their malware and tactics. Another recent example is CRON#TRAP, a campaign in which a threat actor uses custom-emulated QEMU Linux environments to stage malware and execute malicious commands in near-undetectable fashion. In May, Elastic Security reported GhostEngine, a multimodal malware toolkit that, among other things, has functions for effectively killing endpoint detection and response mechanisms. The proliferation and easy availability of generative AI (GenAI) tools has also fueled some of the recent innovation around malware tactics, especially in influence operations and misinformation campaigns.