Key points
- SteelFox is distributed through malicious forum posts, torrent trackers and fake activators for popular software (Foxit, AutoCAD, JetBrains).
- The malware communicates with its C2 via TLSv1.3, uses SSL pinning, DoH/Google DNS and dynamic IPs to evade detection.
- Privilege escalation is achieved by installing and abusing the vulnerable WinRing0.sys driver to obtain NT SYSTEM privileges.
- SteelFox includes a stealer that extracts browser cookies, credit card data, Wi‑Fi passwords, system and user information and more.
- The bundle also deploys a modified XMRig miner (downloaded from GitHub repos) to mine cryptocurrency using infected hosts.
- Kaspersky detects the family as HEUR:Trojan.Win64.SteelFox.gen and Trojan.Win64.SteelFox.* and has recorded over 11,000 detections worldwide.
MITRE Techniques
- [T1071] Command and Control – Uses a C2 domain and encrypted channels to maintain communication (‘SteelFox resolves the IP address behind the ankjdans[.]xyz domain which serves as a C2 server.’).
- [T1068] Privilege Escalation – Gains NT SYSTEM by installing and communicating with a vulnerable driver (‘creates a service with a WinRing0.sys driver running inside… allowing the actor to elevate privileges to NT\SYSTEM’).
- [T1003] Credential Dumping – Harvests stored credentials and browser artifacts (‘It extracts cookies, credit card data, browsing history…’).
- [T1041] Exfiltration Over C2 Channel – Sends collected data as an encrypted JSON to C2 via TLSv1.3 (‘Data is then combined into one large JSON that is sent to C2.’).
- [T1203] Exploitation for Client Execution – Executes malicious payloads disguised as legitimate software activators (‘The initial stage of the SteelFox campaign is an AMD64 executable under the name foxitcrack.exe… the files are unpacked and malicious code is dropped.’).
Indicators of Compromise
- [File Hash] Payload/loader examples – fb94950342360aa1656805f6dc23a1a0 (payload), 5029b1db994cd17f2669e73ce0a0b71a (loader).
- [Filenames] Droppers/loaders – jetbrains-activator.exe, FoxitPatch.exe (used as fake activators and service binaries like lpsad.exe / AGSService.exe).
- [Domains/IPs] C2 and infrastructure – ankjdans[.]xyz, 205.185.115[.]5.
- [Malicious URLs] Hosting/repos used to distribute droppers – hxxps://raw[.]com/…/jetbrains-activator.exe and hxxps://github[.]com/cppdev-123 (and the other GitHub repositories listed in the report).
- [File Paths] Persistence targets – C:\Program Files\Foxit Software\Foxit PDF Editor\plugins\FoxitPDFEditorUpdateService.exe; C:\Program Files\Autodesk\AdODIS\V1\Setup\lpsad.exe.
SteelFox is a modular crimeware bundle discovered in August 2024 that lures victims with cracked installers and fake activators for popular applications. The dropper presents a legitimate GUI and unpacks an embedded PE payload that is AES‑encrypted and modified (timestamp/linker changes and junk insertion) to avoid hash-based detection before writing a service binary into common Program Files locations.
Once running as a service, the loader performs checks, decrypts and injects additional stages via shellcode, and then installs a WinRing0.sys driver to escalate privileges to NT SYSTEM by exploiting known vulnerabilities (published CVEs) in that driver. The final stage launches a modified XMRig miner (retrieved from GitHub repositories) and a stealer component that enumerates many browsers and extracts cookies, credit cards, Wi‑Fi passwords, system info and more; collected data is assembled into JSON and exfiltrated to a C2 resolved via DoH and contacted over TLSv1.3 with SSL pinning.
The campaign is opportunistic and widespread, with thousands of detections and victims across many countries. Recommended defenses include installing software only from official sources, blocking known malicious URLs/domains, monitoring for unusual service/driver installations (WinRing0), and using a reputable endpoint security solution to detect and block this family.
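As an added example that is not from the Securelist write-up, the following Python check runs over constructed Windows service-installation entries (Event ID 7045, flattened here to a key=value line format that is itself constructed) and flags two things this summary calls out: a WinRing0 kernel driver being registered as a service, and service binaries whose names match the loader/persistence IoCs listed above.

```python
import re
from pathlib import PureWindowsPath

# Service binary names taken from the SteelFox IoCs in the summary above.
STEELFOX_SERVICE_BINARIES = {
    "lpsad.exe",
    "agsservice.exe",
    "foxitpdfeditorupdateservice.exe",
}

# Constructed sample of System log entries (Event ID 7045, "A service was installed
# in the system"), flattened to one key=value line each. Not real telemetry.
SAMPLE_EVENTS = [
    'EventID=7045 ServiceName=WinRing0_1_2_0 ImagePath="C:\\Windows\\Temp\\WinRing0.sys" ServiceType="kernel mode driver"',
    'EventID=7045 ServiceName=FoxitPDFEditorUpdateService ImagePath="C:\\Program Files\\Foxit Software\\Foxit PDF Editor\\plugins\\FoxitPDFEditorUpdateService.exe" ServiceType="user mode service"',
    'EventID=7045 ServiceName=AGSService ImagePath="C:\\Program Files\\Autodesk\\AdODIS\\V1\\Setup\\lpsad.exe" ServiceType="user mode service"',
    'EventID=7045 ServiceName=Spooler ImagePath="C:\\Windows\\System32\\spoolsv.exe" ServiceType="user mode service"',
    'EventID=7036 ServiceName=Spooler State=running',
]

# key=value pairs; values may be double-quoted when they contain spaces.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line: str) -> dict:
    """Turn one flattened event line into a dict of its key=value fields."""
    return {key: (quoted or bare) for key, quoted, bare in _KV.findall(line)}


def check_service_install(event: dict):
    """Return a reason string if a 7045 event matches a SteelFox indicator, else None."""
    if event.get("EventID") != "7045":
        return None
    image = PureWindowsPath(event.get("ImagePath", "")).name.lower()
    # WinRing0 is the vulnerable driver SteelFox installs for NT SYSTEM escalation.
    if re.fullmatch(r"winring0.*\.sys", image):
        return "WinRing0 kernel driver registered as a service (privilege-escalation stage)"
    if image in STEELFOX_SERVICE_BINARIES:
        return f"service binary {image} matches a SteelFox loader/persistence name"
    return None


def scan(lines):
    """Return (service name, image path, reason) for every matching event."""
    hits = []
    for line in lines:
        event = parse_event(line)
        reason = check_service_install(event)
        if reason:
            hits.append((event.get("ServiceName"), event.get("ImagePath"), reason))
    return hits


if __name__ == "__main__":
    for name, path, reason in scan(SAMPLE_EVENTS):
        print(f"[ALERT] {name}: {path} -> {reason}")
```

WinRing0 also ships with some legitimate hardware-monitoring utilities, so a driver hit on its own is a triage lead; the binary-name and path matches from the IoC list are what tie it to this family.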
Read more: https://securelist.com/steelfox-trojan-drops-stealer-and-miner/114414/