Fraudulent blogs that advertise the SteelFox malware dropper include comprehensive instructions on how to activate the program illegally. According to the researchers, users infect their systems with malware even though the dropper does contain the promised capability. Adding the crack necessitates administrator access, which the malware employs later in the attack because the software that is being illegally activated is usually installed in the Program Files.

According to the experts, the execution chain appears authentic until the files are unpacked. They clarify that the procedure introduces a malicious function that affects the machine code that loads SteelFox. With admin privileges secured, SteelFox launches a service that contains the WinRing0.sys driver, which is susceptible to CVE-2020-14979 and CVE-2021-41285 vulnerabilities and can be used to escalate privileges to the NT/SYSTEM level. These rights grant unfettered access to any resource and process and are the most powerful on a local system, surpassing those of an administrator.

Because it is a component of the XMRig application for mining Monero coins, the WinRing0.sys driver is also utilized for cryptocurrency mining. According to the researchers, the threat actor connects to a mining pool using hardcoded credentials using a modified version of the miner software. The malware then uses TLS v1.3 and SSL pinning to connect to its command-and-control (C2) server, preventing communication from being intercepted. Additionally, it turns on the info-stealer component, which gathers information about the system, network, and RDP connection from 13 web browsers.

The researchers point out that SteelFox gathers information from browsers, including cookies, browsing history, and payment card information. The threat actor can conceal SteelFox's hardcoded C2 domain by changing its IP addresses and resolving them using Google Public DNS and DNS over HTTPS (DoH). Although SteelFox attacks lack explicit targets, they seem to target users of Foxit PDF Editor, JetBrains, and AutoCAD.

The malware infiltrates computers in Brazil, China, Russia, Mexico, the United Arab Emirates, Egypt, Algeria, Vietnam, India, and Sri Lanka. Despite being relatively new, SteelFox is a fully functional crimeware package. The malware's analysis reveals that its creator is proficient in C++ programming and was able to integrate external libraries to produce a powerful piece of malware.

Impact

• Unauthorized Access
• Sensitive Data Theft
• Financial Loss
• Privilege Escalation

Indicators of Compromise

IP

• 205.185.115.5

MD5

• 5029b1db994cd17f2669e73ce0a0b71a
• 9dff2cdb371334619b15372aa3f6085c
• c20e1226782abdb120e814ee592bff1a
• c6e7c8c76c7fb05776a0b64699cdf6e7

SHA-256

• 8d9abb726799da54909ebd7a9c356b990fd68175945e6c05e64de18ca7d1d3d8
• 3e52c0b97f67287c212e5bc779b0e7dd843fb0df2ef11b74e1891898d492782c
• 9954fd4e914f2427c25ba0a4b3d305819a71d648b05fc94d108c0459795f077d
• d625bc9ea13d56825bd3c63698743e329564ca384d51f24d417a7171df498992

SHA-1

• 287e09c8ad36b93588e7eeb678a8d9e76c293cbb
• ea651af34bfe2052668e37bcd3f60696ebaffa1c
• 993d944aa84e851c48f960cf018e4abe18ec5cd9
• f608cc545f3dbeed9822186e3ab11f7069543d1f

URL

• https://ankjdans.xyz/
• https://github.com/DavidNguyen67/CrackJetbrains
• https://github.com/TrungGa123/Active-all-app-Jetbrains/
• https://www.cloudstaymoon.com/2024/05/06/tools-1
• https://squarecircle.ru/Intelij/jetbrains-activator.exe
• https://drive.google.com/file/d/1bhDBVMywFg2551oMmPO3_5VaeYnj7pe5/view?usp=sharing

Remediation

• Block all threat indicators at your respective controls.
• Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Never trust or open links and attachments received from unknown sources/senders.
• Implement multi-factor authentication to add an extra layer of security to login processes.
• Regularly monitor network activity for any unusual behavior, as this may indicate that a cyberattack is underway.
• Organizations need to stay vigilant and follow best practices for cybersecurity to protect their systems and data from potential threats. This includes regularly updating software and implementing strong access controls and monitoring tools.
• Develop a comprehensive incident response plan to respond effectively in case of a security breach or data leakage.
• Maintain regular backups of critical data and systems to ensure data recovery in case of a security incident.
• Adhere to security best practices, including the principle of least privilege, and ensure that users and applications have only the necessary permissions.
• Establish a robust patch management process to ensure that security patches are evaluated, tested, and applied promptly.
• Conduct security audits and assessments to evaluate the overall security posture of your systems and networks.
• Implement network segmentation to contain and isolate potential threats to limit their impact on critical systems.