New SteelFox Trojan mimics software activators, stealing sensitive data and mining cryptocurrency

Category	Details
Threat Actors	Unattributed (Crimeware authors behind “SteelFox”).
Campaign Overview	SteelFox crimeware bundle distributed via malicious torrents and forums, imitating legitimate software like Foxit PDF Editor, AutoCAD, and JetBrains.
Target Regions (Victims)	Likely global, targeting individuals and organizations through pirated software.
Methodology	Distribution through torrents and forums; exploits Windows services and drivers, privilege escalation via vulnerable drivers, and persistence mechanisms.
Product Targeted	Windows systems
Malware Reference	SteelFox (bundle), FoxitCrack.exe (dropper), XMRig (modified miner), WinRing0.sys driver
Tools Used	AES-128 encryption (with AES-NI extensions), Boost.Asio library, XMRig miner, shellcode injection, vulnerable WinRing0.sys driver.
Vulnerabilities Exploited	CVE-2020-14979, CVE-2021-41285
TTPs	Use of malicious droppers, AES-encrypted payloads, dynamic IP domains, exploitation of vulnerable drivers, and mining cryptocurrency.
Attribution	Unknown; suspected financially motivated cybercriminal group.
Recommendations	Avoid using pirated software, monitor for signs of mining activity, enforce driver security patches, and use endpoint detection tools.
Source	Securelist by Kaspersky

Read full article: https://securelist.com/steelfox-trojan-drops-stealer-and-miner/114414/

Disclaimer: The above summary has been generated by an AI language model