Skip to content

SteelFox Trojan spreads via forums disguised as Foxit, AutoCad

  • by
  • 4 min read

A sophisticated trojan, SteelFox, targets unsuspecting users by disguising itself as legitimate software and spreading widely through forums, torrent sites, and blogs. The trojan impersonates popular applications like Foxit PDF Editor and Auto CAD and secretly harvests users’ sensitive information, exploiting vulnerabilities in Windows services to elevate its privileges and establish persistent system control.

Threat actors often introduce SteelFox through ‘cracks’ for popular software, promising free activation of licensed programs. However, this dropper mimics legitimate functionality and unleashes a multi-stage attack.

SteelFox operates indiscriminately worldwide. With over 11,000 detections as of September 2024, most infections have been reported in Brazil, China, Russia, Mexico, and several other countries. Attackers use prominent platforms like Baidu and Russian torrent sites to propagate SteelFox, effectively reaching a global audience.

“Our investigation has led us to the fact that SteelFox’s initial attack vector consists of various publications on forums and torrent trackers. These posts refer to the SteelFox dropper as an efficient way to activate a legitimate software product for free. We’ve seen the dropper pretend to be a crack for Foxit PDF Editor, JetBrains and AutoCAD,” researchers noted.

When a user launches what appears to be an installer or activator, SteelFox first requests administrator permissions. This access enables the malware to implant harmful code before installing the advertised software.

Victims of SteelFox by country. | Source: Securelist

Researchers discovered that the initial payload is encrypted using AES-128, designed to avoid detection through an embedded PE parser that conceals details like timestamps and executable headers. In subsequent updates, the developers employed the AES-NI instruction set to streamline encryption.

Once SteelFox has taken hold, it plants additional malware within system files, embedding itself deeply within common directories associated with Foxit, Adobe, and Autodesk. The malware then registers itself as a Windows service, making it challenging to detect and remove.

Additionally, SteelFox uses a sophisticated loader that verifies it’s running within a legitimate service, performing complex security checks to avoid debugger detection.

One standout feature of SteelFox is its secure communication model. Once embedded, the malware communicates with its C2 server via dynamically assigned IP addresses.

This connection uses TLSv1.3 with SSL pinning, which locks down the communication channel and prevents interception. The attackers ensure end-to-end encryption using libraries like Boost.Asio.

Connection diagram. | Source: Securelist

The stealer component extracts valuable information from the victim’s browser, including cookies, credit card details, and browsing history. Beyond browsing data, SteelFox captures a comprehensive set of system parameters such as device information, installed software, antivirus presence, and even remote desktop session details.

SteelFox’s last stage activates a hidden crypto-mining function. This component downloads a modified XMRig miner from a GitHub repository, exploiting vulnerabilities in an outdated WinRing0.sys driver to elevate privileges. The mining process then runs covertly in the background, using system resources to mine cryptocurrency for the attackers.

As of now, no threat actor has been attributed to this campaign. However, the scale of the attack led researchers to believe that this campaign was the work of experienced hackers. The campaign’s massive distribution model indicates that it does not target specific individuals or organisations but casts a wide net to collect as much data as possible.

Researchers urged users to download software exclusively from the official website, use antivirus solutions, and to remain cautious of free software ‘cracks’ and activators found on forums and torrent sites.

In the News: Internet Archive restores ‘Save Page Now’ following major DDoS attack

Kumar Hemant

Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me

>