Windows PCs are being compromised by SteelFox, a newly discovered malware bundle whose dropper impersonates activators for widely used software such as JetBrains, AutoCAD, and Foxit PDF Editor and abuses a vulnerable driver to enable cryptomining and data theft, BleepingComputer reports.
Posts on torrent trackers and forums offering cracked software carry instructions that lead victims to run the SteelFox dropper, which requests administrator rights; those rights are then used to install the WinRing0.sys driver, whose CVE-2020-14979 and CVE-2021-41285 flaws allow privilege escalation, according to an analysis from Kaspersky.

With the driver in place, the malware delivers a Monero miner and contacts its command-and-control server, which pushes an information-stealing component. That component harvests data from more than a dozen browsers along with installed-software details; user, network, and system information; remote desktop protocol connections; running processes; an environment-variable dump; drive details; and available SIM information, Kaspersky researchers said. They also noted that the operators conceal their infrastructure by switching the IP addresses it uses.
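As an added example, not code from the BleepingComputer or Kaspersky write-ups, the following PowerShell hunt lists any kernel driver service on a Windows host whose service name, display name or image path matches WinRing0, resolves the on-disk file, and reports its hash, signer and load state so an analyst can triage it; it then checks whether HVCI, which enforces Microsoft's vulnerable driver blocklist, is running. The name pattern and the path normalisation are this script's assumptions, not indicators from the report. Treat a hit as a lead rather than a verdict: the same driver is bundled with XMRig-based miners and with legitimate hardware-monitoring and overclocking utilities, so the installing application, the file's signer and the process that loaded it decide the case.

```powershell
# Added example: hunt for WinRing0 driver services on a Windows host.
# Run from an elevated PowerShell session. Not part of the SteelFox reporting;
# the pattern and path handling below are this script's own assumptions.

function Resolve-DriverPath {
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    $p = $PathName.Trim('"')
    # Driver image paths come in NT and relative forms; normalise them to Win32 paths.
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    $p = $p -replace '^system32\\', "$env:SystemRoot\System32\"
    return $p
}

# Assumed pattern: matches WinRing0.sys, WinRing0x64.sys and the usual service names.
$pattern = 'WinRing0'

$drivers = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.Name -match $pattern -or $_.DisplayName -match $pattern -or $_.PathName -match $pattern }

if (-not $drivers) {
    Write-Output "No driver service matching '$pattern' found."
} else {
    foreach ($d in $drivers) {
        $file = Resolve-DriverPath $d.PathName
        $exists = [bool]($file -and (Test-Path -LiteralPath $file))
        $hash = $null
        $sig  = $null
        if ($exists) {
            $hash = (Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash
            $sig  = Get-AuthenticodeSignature -LiteralPath $file
        }
        [pscustomobject]@{
            Service   = $d.Name
            State     = $d.State        # 'Running' means the driver is loaded in the kernel right now
            StartMode = $d.StartMode    # 'Auto'/'Boot'/'System' means it comes back after a reboot
            Path      = $file
            Exists    = $exists         # a running service whose file is gone is itself suspicious
            SHA256    = $hash
            SigStatus = $(if ($sig) { $sig.Status } else { $null })
            Signer    = $(if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null })
        }
    }
}

# HVCI status: when it is running, Microsoft's vulnerable driver blocklist is enforced,
# so a blocked driver cannot be loaded even by an administrator.
$dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
Write-Output ("HVCI running: {0}" -f ($dg.SecurityServicesRunning -contains 2))
```

Pair a hit with the service's creation time and the account that installed it (Security event 4697 or System event 7045, if auditing is on) and with network connections from any unexpected process, since the report's chain is driver load, miner, then C2 contact.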