A new malware campaign is spreading worldwide, targeting Windows users through fake software activators. Dubbed “SteelFox,” the malware package rides in on counterfeit “cracks” to get onto Windows systems, where it deploys a cryptocurrency miner and an information stealer; Kaspersky alone has already blocked more than 11,000 attacks.
According to researchers at Kaspersky, SteelFox has been distributed since February 2023, primarily through torrent sites and online forums. The malware masquerades as a “crack” or “activator” for widely used commercial software such as AutoCAD, JetBrains products, and Foxit PDF Editor. Users lured by the promise of free access to expensive software end up running the attackers’ code on their own machines.
How the SteelFox malware operates
When a user runs one of these fake activators, the installer also drops a kernel driver, WinRing0.sys. WinRing0 is a legitimately signed, widely distributed driver that hardware-monitoring and mining tools use to access low-level hardware registers, but the bundled version is affected by two known vulnerabilities, CVE-2020-14979 and CVE-2021-41285. The malware does not have to “reopen” anything in Windows: by loading a vulnerable driver of its own it brings the flaw with it, a technique known as bring-your-own-vulnerable-driver (BYOVD). Because the driver runs with kernel privileges, those flaws let the malware escalate to SYSTEM and take full control of the infected computer.
One of the primary tools the attackers deploy is the cryptocurrency miner XMRig. It commandeers the system’s processing power, electricity, and network bandwidth to mine Monero, a practice commonly referred to as cryptojacking. The consequences are tangible for the victim: slower performance, overheating, and higher electricity bills from the constant load.
In addition to mining, the malware carries an “info stealer” that extracts sensitive data from 13 web browsers, including saved credit card numbers, browsing history, and login credentials. This stolen information can be used for further attacks or sold on the dark web, increasing the risk of identity theft and financial loss. The stealer also collects information about the system and its Remote Desktop Protocol (RDP) sessions, data that can help an attacker get back into the machine later.
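For defenders, the two concrete artefacts named above (a WinRing0.sys driver and an XMRig-style miner) are what to look for on a suspect host. The following triage script is an added example, written for this page and not taken from Kaspersky’s report or from the original article; the driver and miner names come from the text, while the XMRig command-line patterns, the “outside the drivers directory” heuristic and the top-10 CPU listing are assumptions chosen for illustration. Run it in an elevated PowerShell session.

```powershell
# Added example (not from the original article or Kaspersky's report): triage a
# Windows host for the SteelFox artefacts described in the text, a WinRing0.sys
# driver and an XMRig-style miner. Run elevated. The command-line patterns in
# step 3 and the path heuristic in step 4 are assumptions for this example.

# 1. Kernel-mode driver services whose name or image path mentions WinRing0.
Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.Name -match 'WinRing0' -or $_.PathName -match 'WinRing0' } |
    Select-Object Name, State, StartMode, PathName |
    Format-Table -AutoSize

# 2. Copies of the driver on disk, with hash and signer so every hit can be checked
#    against vendor and threat-intel data. Legitimate hardware tools also ship
#    WinRing0.sys, so a hit is a lead to investigate, not proof of infection.
Get-ChildItem -Path 'C:\' -Recurse -Filter 'WinRing0*.sys' -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Path      = $_.FullName
            SHA256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
            SigStatus = $sig.Status
        }
    } | Format-List

# 3. Processes whose command line carries typical XMRig options or a mining-pool
#    URL (assumed patterns; a repacked miner may hide these), then the ten
#    processes with the most accumulated CPU time, where a miner usually stands out.
Get-CimInstance -ClassName Win32_Process |
    Where-Object { $_.CommandLine -match 'xmrig|stratum\+(tcp|ssl)://|--donate-level|--randomx' } |
    Select-Object ProcessId, Name, CommandLine |
    Format-List

Get-Process |
    Sort-Object -Property CPU -Descending |
    Select-Object -First 10 Id, ProcessName, CPU, Path |
    Format-Table -AutoSize

# 4. Running drivers loaded from outside the standard drivers directory, to catch a
#    renamed copy that step 1 would miss (heuristic: review each hit by hand).
Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' -and $_.PathName -notmatch 'system32\\drivers\\' } |
    Select-Object Name, PathName |
    Format-Table -AutoSize
```

Treat each section’s output as a lead rather than a verdict: WinRing0.sys is bundled by legitimate monitoring utilities, and high CPU time has many benign causes. A driver whose hash matches a known-vulnerable build, registered as a service from a user-writable directory, alongside a process talking to a mining pool, is the combination that matches the behaviour described above.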
A growing global issue
Kaspersky’s findings indicate that SteelFox is not confined to any particular region; rather, it poses a global threat. Countries experiencing high rates of infection include Mexico, Brazil, Russia, China, the United Arab Emirates, Algeria, Egypt, Vietnam, Sri Lanka, and India. The number of reported infections continues to rise, with Kaspersky blocking over 11,000 attempted attacks thus far, although the actual figure may be significantly higher.
Detection is complicated by the fact that the infection looks like an ordinary software installation: the fake activator walks through a plausible setup routine, so nothing seems amiss until the malicious payload runs. Kaspersky also cautions that some online posts provide step-by-step instructions for activating the pirated software, which encourages users to bypass paid licenses and, in the process, invites SteelFox onto their systems.
How to stay safe from SteelFox
As threats like SteelFox proliferate, security experts stress downloading software only from official and verified sources. Torrents and unofficial download sites are a direct route to compromise, because the “activator” you run is code of unknown origin executing with your privileges. Keeping robust, up-to-date antivirus software in place is equally important; trusted products from reputable providers, such as Bitdefender, can detect and block threats like SteelFox before they gain a foothold on your system.
Preventive measures matter most. Avoid pirated software and the “cracks” that accompany it, use strong and unique passwords, and keep your operating system and all applications current with the latest security patches. SteelFox is a serious threat, but these steps substantially reduce the risk of becoming a victim.
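“Download only from official sources” becomes a concrete check when you verify what you downloaded before running it. The function below is an added example written for this page, not code from the original article or from any vendor named in it: it confirms that an installer carries a valid Authenticode signature from the publisher you expect, pins its SHA-256 hash to the value the vendor publishes, and reports where the file came from via its Mark-of-the-Web stream. The publisher string and hash in the usage line are placeholders; take the real values from the vendor’s download page.

```powershell
# Added example (not from the original article): verify a downloaded installer
# before running it. A cracked "activator" is normally unsigned, self-signed or
# fails validation, and a swapped binary will not match the vendor's hash.
function Test-InstallerTrust {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Substring expected in the signer certificate subject, e.g. 'O=Vendor Name' (placeholder).
        [Parameter(Mandatory)] [string] $ExpectedPublisher,
        # Optional SHA-256 published by the vendor; supply it whenever the vendor provides one.
        [string] $ExpectedSha256
    )

    $result = [ordered]@{ Path = $Path; Trusted = $false; Reasons = @() }

    if (-not (Test-Path -Path $Path -PathType Leaf)) {
        $result.Reasons += 'file not found'
        return [pscustomobject]$result
    }

    # 1. Authenticode: status must be Valid and the signer must be the expected publisher.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result.SignatureStatus = $sig.Status
    $result.Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    if ($sig.Status -ne 'Valid') {
        $result.Reasons += "signature status is $($sig.Status), not Valid"
    } elseif ($result.Signer -notlike "*$ExpectedPublisher*") {
        $result.Reasons += "signer '$($result.Signer)' does not match expected publisher '$ExpectedPublisher'"
    }

    # 2. Hash pinning: catches a substituted binary even if it carries some valid signature.
    $result.SHA256 = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    if ($ExpectedSha256 -and ($result.SHA256 -ne $ExpectedSha256)) {
        $result.Reasons += 'SHA256 does not match the value published by the vendor'
    }

    # 3. Origin: the Zone.Identifier stream records the download URL for internet files.
    $zone = Get-Content -Path $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if ($zone) {
        $result.Origin = ($zone | Where-Object { $_ -like 'HostUrl=*' }) -replace '^HostUrl='
    }

    $result.Trusted = ($result.Reasons.Count -eq 0)
    return [pscustomobject]$result
}

# Usage (placeholder values; take the real publisher and hash from the vendor's site):
# Test-InstallerTrust -Path "$env:USERPROFILE\Downloads\setup.exe" `
#                     -ExpectedPublisher 'O=Vendor Name' -ExpectedSha256 'ABCD...'
```

A result with `Trusted` set to false should end the process right there: do not run the file, regardless of what the forum post that linked it promises. Note that a valid signature alone is not enough, since signed-but-malicious binaries exist, which is why the publisher match and the vendor-published hash are checked as well.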