Discovery of SteelFox Crimeware
In August 2024, our team identified a new strain of crimeware, dubbed SteelFox. This sophisticated malware operates through a complex chain that incorporates shellcode and exploits various Windows services and drivers. The Trojan is disseminated via forums, torrent trackers, and blogs, masquerading as popular software such as Foxit PDF Editor and AutoCAD. It employs a stealer component to harvest sensitive data, including victims’ banking information and device details.
The report summarizes key findings:
- SteelFox spreads through forum posts and malicious torrents.
- Communication with the command server utilizes SSL pinning and TLS 1.3, leveraging a domain with a dynamic IP address and the Boost.Asio library.
- SteelFox can escalate privileges by exploiting a vulnerability in drivers.
Kaspersky Lab products identify this threat as
HEUR:Trojan.Win64.SteelFox.gen,
Trojan.Win64.SteelFox.*.
Technical Insights
Background
The emergence of SteelFox traces back to a widespread infection detected in August 2024, involving an unknown package comprising a miner and a stealer. Our investigation revealed that the campaign commenced in February 2023. While the stealer has not undergone significant changes, attackers continue to modify it to evade detection, updating necessary dependencies without introducing new features.
Initial Infection
Our investigation concluded that the initial attack vector for SteelFox stemmed from several posts on forums and torrent trackers. These posts promoted the SteelFox dropper as an effective means for free activation of legitimate software products. We identified a dropper masquerading as an activator for Foxit PDF Editor, JetBrains products, and AutoCAD. Although these droppers fulfill their claimed functions, they simultaneously deliver sophisticated malware onto the user’s computer.
SteelFox Dropper
This analysis focuses on a sample masquerading as an activator for Foxit PDF Editor. The initial phase of the SteelFox campaign involves an AMD64 executable named
foxitcrack.exe, which contains a substantial section of
.rdata. The high entropy of the file indicates it is packed. Upon execution, the program presents a graphical interface prompting the user to specify the installation directory for Foxit PDF Editor.
As the installation directory for Foxit resides in the Program Files folder, FoxitCrack requests administrator rights, which are subsequently exploited for malicious purposes. The execution chain appears legitimate until the files are unpacked. A malicious payload is inserted before the legitimate function, responsible for delivering the malicious code into the target user’s system.
Initially, the second stage (the delivered malicious code) is decrypted using the AES-128 algorithm, with its parameters also encrypted—these are decrypted only after delivery by the first stage. The decryption scheme is as follows:
for (int i = 0; i < 256; i++) {
SBox[i] = enc_Sbox[i + 16] ^ enc_SBox[i % 16];
}
for (int i = 0; i < 8; i++) {
key[i] = enc_key[i + 8] ^ enc_key[i % 8];
iv[i] = enc_iv[i + 8] ^ enc_iv[i % 8];
}
The AES-128 algorithm is implemented using SIMD vector instructions, necessitating that the payload be divided into 16-byte blocks. In later versions of the dropper, the authors have adopted this algorithm using the AES-NI instruction set extension, maintaining the requirement for payload alignment.
Subsequently, the embedded payload, which is a PE64 executable file, is modified to avoid detection. The linking timestamps are overwritten with a random date between May and December 2022, and the linker version is also altered. Additionally, random junk data is inserted into the
.rdata section to evade hash detection, utilizing a built-in PE parser.
The delivered PE is written to one of three paths, depending on the dropper sample:
- C:Program FilesFoxit SoftwareFoxit PDF EditorpluginsFoxitPDFEditorUpdateService.exe
- C:Program Files (x86)Common FilesAdobeAdobeGCClientAGSService.exe
- C:Program FilesAutodeskAdODISV1Setuplpsad.exe
The parameters for the malicious service are initialized accordingly. Following this, the second-stage loader creates a service that adds itself to the startup, allowing it to persist within the system and remain active even after a reboot.
SteelFox Loader
This service is initiated from
svchost.exe as a standard Windows service. Initially, it determines the full name of the current executable file and compares it with the names of service binaries to ensure that the loader was indeed launched as a service. If the verification is successful, it retrieves a list of all active services (with the status
SERVICE_ACTIVE) along with the executable file path and description. This unusual method serves as a check against debugger usage—if the binary is not executed as a service, the loader throws an exception and terminates. This obfuscation algorithm is embedded in the loader’s code, but after deobfuscation, it appears as follows:
vector vec;
get_services_list(vec);
std::wstring serv_name;
GetModuleFileNameW(0, exec_name, 256);
for (auto service : vec) {
SC_HANDLE hService = open_service(service.lpServiceName);
LPCWSTR *bin_name = get_service_bin_path(hService, service.lpServiceName);
if (!wstrcmp(exec_name, bin_name) {
serv_name = service.lpServiceName;
break;
}
}
if (serv_name.empty()) {
throw std::system_error;
}
If these checks pass, the malware creates a function table that allows the attacker to execute decryption and generate shellcode. The loader also includes a random number generator and fillers.
The execution flow then transitions to the function
StartServiceCtrlDispatcherW. This registers a dispatcher with a function responsible for decrypting and injecting the malicious code. This function monitors the service’s state, handling commands for restarting and stopping the service, among other tasks.
Before executing the payload, the malware employs an unusual mechanism for system pinning—a small yet crucial step. This phase initiates the AppInfo service, subsequently loading into it. As a result, the user cannot perform any actions against this loader, as even copying this sample requires NTSYSTEM privileges.
The target DLL is loaded using malicious shellcode and encrypted with AES-128 in the same manner as the initial stage. Decryption in later versions is also implemented using AES-NI instructions.
The malicious shellcode is loaded in three primary stages. Initially, it creates an array of WinAPI function addresses that will be executed within the shellcode.
Next, the payload is decrypted using a straightforward XOR algorithm. Upon decryption, the shellcode is executed with specified parameters. The shellcode serves as a basic loader—it utilizes imported WinAPI functions to allocate memory for loading the final stage and accessing library functions. This shellcode does not implement any debugging protection mechanisms, functioning merely as a basic PE loader for the final stage.
Final Stage of SteelFox
Initially, this stage (DLL) creates a mutex with a randomly generated name, as its network operations heavily rely on multithreading and asynchronous network I/O. Subsequently, it performs a critical task—creating a service with an active driver
WinRing0.sys. This service is assigned a channel named
.WinRing0_1_2_0, enabling the process to interact with the driver. This is a relatively old driver containing vulnerabilities CVE-2020-14979 and CVE-2021-41285, which allow the attacker to escalate privileges to NTSYSTEM once direct unchecked interaction with the driver is permitted, enabling control over the data transmitted to the driver. This driver is also a component of the XMRig miner. Communication with the driver occurs in a separate thread.
Following driver initialization, the sample launches the miner, which is a modified executable file of XMRig with junk code. It connects to a mining pool using specified credentials.
The XMRig component is loaded from one of the repositories
hxxps://github[.]com/cppdev-123. It appears to be updated periodically—presumably to avoid detection of older versions.
Subsequently, the malware resolves an IP address to the domain
ankjdans[.]xyz, which serves as the command server. Although the domain is hardcoded, changing IP addresses helps the attacker remain undetected. SteelFox performs resolution using Google Public DNS and DNS over HTTPS (DoH), enabling the attacker to obscure the domain resolution process.
Upon successfully resolving the IP address, the malware connects to its command server using TLS 1.3. This I/O model employs libraries such as Boost.Asio and wolfSSL, allowing the attacker to implement full TLS 1.3 interaction. Unlike version 1.2, TLS 1.3 generates a session secret key based on a pre-selected private key during the connection establishment phase. In this instance, the shared secret key is generated using a cryptographically secure random number generator from Windows. Furthermore, SteelFox fully implements SSL certificate pinning, eliminating the possibility of data interception during SSL transmission. Notably, SSL certificate pinning is exclusively enabled for communication with the command server.
Victims
This campaign does not target individuals or specific organizations. The Trojan operates on a large scale, infecting anyone who encounters compromised software—at the time of our investigation, our protective solutions detected this threat over 11,000 times. The attack primarily targets users of various popular software, including AutoCAD, JetBrains products, and Foxit. Victims of this campaign span the globe, with the majority located in Brazil, China, Russia, Mexico, the UAE, Egypt, Algeria, Vietnam, India, and Sri Lanka.
TOP 10 countries attacked by SteelFox, August–September 2024 (download)
Attribution
Attribution for this specific campaign is challenging. Posts containing links to activators were either made from hacked accounts or by inexperienced users unaware of the threats they were disseminating. This campaign was actively conducted on the Chinese platform Baidu and Russian torrent trackers.
Conclusions
SteelFox has recently emerged as a fully functional crimeware package. The Trojan is capable of exfiltrating various user data that may interest the orchestrators of this campaign. The adept use of modern C++ combined with third-party libraries endows this malware with extensive capabilities. The implementation of TLS 1.3 and SSL certificate pinning ensures secure communication and the acquisition of confidential data.
SteelFox does not target specific organizations or individuals. The Trojan operates broadly, extracting any information that can be further processed. To protect against such threats, it is advisable to install applications from official sources and utilize robust security solutions to prevent the download of infected programs.
Note: The indicators provided in this section are valid as of the time of publication.
File Hashes
Payload
fb94950342360aa1656805f6dc23a1a0
Loader
Dropper
File Paths
C:Program Files (x86)Foxit SoftwareFoxit PDF EditorpluginsFoxitPDFEditorUpdateService.exe
C:Program Files (x86)Common FilesAdobeAdobeGCClientAGSService.exe
C:Program FilesAutodeskAdODISV1Setuplpsad.exe
PDB File Paths
d:hotprojectwinring0sourcedllsyslibamd64WinRing0.pdb
Domains and IP Addresses
hxxps://ankjdans[.]xyz
205.185.115[.]5
Malicious URLs
hxxps://github[.]com/DavidNguyen67/CrackJetbrains
hxxps://github[.]com/TrungGa123/Active-all-app-Jetbrains/
hxxps://github[.]com/tranquanghuy-09/activate-intellij-idea-ultimate/
hxxps://github[.]com/TaronSargsyan123/ScaraSimulation
hxxps://raw.githubusercontent[.]com/tranquanghuy-09/activate-intellij-idea-ultimate/main/jetbrains-activator.exe
hxxps://raw.githubusercontent[.]com/TaronSargsyan123/ScaraSimulation/main/jetbrains-activator.exe
hxxps://raw.githubusercontent[.]com/TrungGa123/Active-all-app-Jetbrains/main/jetbrains-activator.exe
hxxps://raw.githubusercontent[.]com/DavidNguyen67/CrackJetbrains/main/jetbrains-activator.exe
hxxps://www.cloudstaymoon[.]com/2024/05/06/tools-1
hxxps://squarecircle[.]ru/Intelij/jetbrains-activator.exe
hxxps://drive.google[.]com/file/d/1bhDBVMywFg2551oMmPO3_5VaeYnj7pe5/view?usp=sharing
hxxps://github[.]com/cppdev-123
Windows Commands Used by the Attacker
