New SteelFox malware hidden in illegal software activation programs

Virus descriptions, 08.11.2024, 10:00 AM

Kaspersky warns of a new crimeware strain called SteelFox that mines cryptocurrency and steals credit card information, using the “bring your own vulnerable driver” technique to gain system privileges on Windows computers. SteelFox’s dropper is distributed via forums and torrents as a tool that activates legitimate versions of software such as Foxit PDF Editor, JetBrains, and AutoCAD.

Exploiting a vulnerable driver for privilege escalation is a technique commonly used by state-sponsored hackers and ransomware groups.

Kaspersky discovered SteelFox in August, but the company says the malware appeared as early as February last year. Lately, SteelFox has been distributed through torrents, blogs and forums.

Kaspersky software has blocked 11,000 SteelFox attacks so far.

Posts promoting SteelFox contain instructions on how to illegally activate legal software. The dropper does provide that functionality, but along with the activation, users also infect their systems with malware.

The software being activated is usually installed in Program Files, so applying a crack requires administrator access, which the malware later abuses.

Having secured administrative rights, SteelFox runs WinRing0.sys, a driver vulnerable to CVE-2020-14979 and CVE-2021-41285 that can be exploited for privilege escalation. The privileges it obtains are the highest on the system, more powerful than an administrator’s, and allow unrestricted access to any resource and process.

The WinRing0.sys driver is also used for cryptocurrency mining, as it is part of the XMRig mining program for the Monero cryptocurrency.
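A defender-side check that follows from the two driver paragraphs above, as an added example that is not part of the original article or of Kaspersky’s report: a PowerShell script that enumerates registered kernel drivers, flags any WinRing0 driver service, and records its state, signature status and SHA-256 so the hit can be triaged against the organization’s own list of approved hardware-monitoring tools. The page names only WinRing0.sys; the WinRing0x64.sys filename in the pattern is an assumption about other builds of the same driver.

```powershell
# Added example (not from the article): hunt for WinRing0 driver registrations,
# the driver SteelFox is reported to load for privilege escalation (BYOVD) and mining.
# Caveat: WinRing0 also ships with legitimate hardware-monitoring tools, so a hit
# is a lead to triage, not proof of infection.

# WinRing0.sys is named in the article; the x64 variant is an assumption about
# other builds of the same driver.
$pattern = '^WinRing0(x64)?\.sys$'

function Get-WinRing0Findings {
    $findings = @()
    # Win32_SystemDriver lists every kernel driver service registered with the SCM,
    # whether or not it is currently running.
    $drivers = Get-CimInstance -ClassName Win32_SystemDriver -ErrorAction Stop
    foreach ($drv in $drivers) {
        if ([string]::IsNullOrEmpty($drv.PathName)) { continue }
        # Service image paths may carry the NT object prefix "\??\"; strip it for file access.
        $path = $drv.PathName -replace '^\\\?\?\\', ''
        $leaf = [System.IO.Path]::GetFileName($path)
        if ($leaf -notmatch $pattern) { continue }

        $exists = Test-Path -LiteralPath $path
        $hash   = if ($exists) { (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash } else { 'file missing' }
        $sig    = if ($exists) { (Get-AuthenticodeSignature -LiteralPath $path).Status } else { 'n/a' }

        $findings += [pscustomobject]@{
            Service   = $drv.Name
            State     = $drv.State       # Running / Stopped
            StartMode = $drv.StartMode   # Auto / Manual / Disabled
            Path      = $path
            Signature = $sig             # Valid, NotSigned, HashMismatch, ...
            Sha256    = $hash            # compare against your approved-tool baseline
        }
    }
    return $findings
}

$hits = Get-WinRing0Findings
if ($hits.Count -eq 0) {
    Write-Output 'No WinRing0 driver service registered on this host.'
} else {
    $hits | Format-Table -AutoSize
}
```

Run from an elevated PowerShell session; the hash column is what to compare against the driver shipped by any hardware-monitoring tool you have approved.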

It also launches an information-stealing component that extracts data from 13 web browsers, together with system, network and RDP connection information. The browser data SteelFox collects includes credit cards, browsing history and cookies.

SteelFox has no specific targets, but the attackers appear to be focused on users of AutoCAD, JetBrains and Foxit PDF Editor. The largest numbers of attacks were registered in Brazil, China, Russia, Mexico, the UAE, Egypt, Algeria, Vietnam, India and Sri Lanka.

Photo: Gabriele Brancati | Pexels

Source: www.informacija.rs