‘SteelFox’ Malware Blitz Infects 11K Victims With Bundle of Pain

Category	Details
Threat Actors	Unidentified; deploying the SteelFox malware campaign.
Campaign Overview	Active since February 2023, SteelFox is a mass-targeting data-stealing and cryptomining campaign infecting over 11,000 users globally via fraudulent activators for applications like AutoCAD, JetBrains, and Foxit PDF Editor.
Target Regions	Brazil, China, Russia, Mexico, UAE, and others.
Methodology	Distributed through forum posts and torrents posing as software activators. Executes encrypted payloads, modifies system files, and evades detection with SSL pinning, TLSv1.3 encryption, and persistent Windows services.
Product Targeted	AutoCAD, JetBrains, Foxit PDF Editor, and other applications targeted through fraudulent activators.
Malware Reference	SteelFox: Includes data stealer and XMRig cryptominer with hardcoded mining pool credentials.
Tools Used	- Sophisticated execution chain - SSL pinning and TLSv1.3 encryption - Windows services for persistence - Modified PE64 payload with random junk data for obfuscation.
Vulnerabilities Exploited	Not linked to specific CVEs but leverages users’ trust in illegal activators for initial access.
TTPs	- Initial Access (T1195): Malicious activator delivery. - Defense Evasion (T1070): Encrypted payloads, modified timestamps, and junk data. - Credential Dumping (T1003): Browser and network information theft.
Attribution	No definitive attribution, but behaviors align with sophisticated cybercriminal operations.
Recommendations	- Avoid pirated software or illegal activators. - Use endpoint detection and response (EDR) solutions. - Monitor TLS traffic for anomalies. - Strengthen user education on software sourcing risks. - Regular patching.
Source	Darkreading

Read full article: ‘SteelFox’ Malware Blitz Infects 11K Victims
Disclaimer: The above summary has been generated by an AI language model.