Quote:Introduction

In August 2024, our team identified a new crimeware bundle, which we named “SteelFox”. Delivered via sophisticated execution chains including shellcoding, this threat abuses Windows services and drivers. It spreads via forums posts, torrent trackers and blogs, imitating popular software like Foxit PDF Editor and AutoCAD.

It also uses stealer malware to extract the victim’s credit card data as well as details about the infected device.

This report in a nutshell:

• SteelFox is distributed via forum posts and malicious torrents.
  
• It communicates with its C2 via SSL pinning and TLSv1.3. It utilizes a domain with a dynamically changing IP, and it is implemented using Boost.Asio library.
  
• SteelFox can elevate its privileges through exploitation of a vulnerable driver.
  

Kaspersky’s products detect this threat as HEUR:Trojan.Win64.SteelFox.gen, Trojan.Win64.SteelFox.*.

Technical DetailsBackgroundIn August 2024, we stumbled upon a massive infection caused by an unknown bundle consisting of miner and stealer malware.

During our investigation, we found out that the campaign started in February 2023. Although the stealer has not evolved significantly since then, it is being gradually changed to avoid detection. No functional changes are being added, but the author updates all the required dependencies.

Infection timeline

Initial infectionOur investigation has led us to the fact that SteelFox’s initial attack vector consists of several various publications on forums and torrent trackers. These posts refer to the SteelFox dropper as an efficient way to activate a legitimate software product for free. We’ve seen the dropper pretend to be a crack for Foxit PDF Editor, JetBrains and AutoCAD. While these droppers do have the advertised functionality, they also deliver sophisticated malware right onto the user’s computer.

Malicious dropper advertisement

SteelFox dropperIn this research, we describe the sample imitating an activator for Foxit PDF Editor. The initial stage of the SteelFox campaign is an AMD64 executable under the name foxitcrack.exe with a large .rdata section. Judging by the high entropy, it seems that the file is packed. At the startup the program welcomes us with a GUI asking to choose the Foxit PDF Editor installation path.


Dropper GUI

Because Foxit’s installation directory resides in the “Program Files” folder, FoxitCrack asks for administrator access, which will be used for malicious purposes later.
The execution chain looks legitimate until the moment the files are unpacked. Prior to a legitimate function, a malicious one is inserted that is responsible for dropping malicious code onto the target user’s system.


Inserted malicious code

First, the second stage (the dropped malicious code) is decrypted with the AES-128 algorithm. Its parameters are also encrypted — they are decrypted once dropped by the first stage. The encryption scheme looks like this.

// Sbox decryption
for (int i = 0; i < 256; i++) {
SBox = enc_Sbox[i + 16] ^ enc_SBox[i % 16];
}

for (int i = 0 i < 8; i++) {
key[i] = enc_key[i + 8] ^ enc_key[i % 8];
iv[i] = enc_iv[i + 8] ^ enc_iv[i % 8];
}123456789// Sbox decryptionfor (int i = 0; i < 256; i++) {    SBox[i] = enc_Sbox[i + 16] ^ enc_SBox[i % 16];} for (int i = 0 i < 8; i++) {    key[i] = enc_key[i + 8] ^ enc_key[i % 8];    iv[i] = enc_iv[i + 8] ^ enc_iv[i % 8];}AES-128 is implemented via vector SIMD instructions, thus requiring the payload to be divided into 16-byte blocks.


Executable decryption

In later versions of the dropper, the actor implemented the same algorithm but used the AES-NI instruction-set extension. Since they operate with 16-byte blocks, it implies that the requirement for the payload size alignment remains in place.

Continue Reading...[/i][/i][/i][/i][/i]