Hackers predominantly target Windows systems, as they dominate the desktop OS market, with over 80% of systems running Windows. Nearly 50% of attacks involve compromised Windows systems, making it a prime target.
Recently, Kaspersky researchers discovered a new malware strain called “SteelFox,” which has infected more than 11,000 Windows devices under the guise of software activators. Spotted in August 2024, SteelFox spreads through forums, torrent sites, and blogs as supposed cracks for popular software like Foxit PDF Editor and AutoCAD.
SteelFox utilizes a complex infection process. It initially disguises itself as a crack executable, which, once launched, downloads and executes malicious code on the system. This malware gains SYSTEM privileges by installing itself as a Windows service, allowing it to persist and perform higher-privileged actions like stealing credentials and credit card data. Kaspersky identified it under detection names such as HEUR.Win64.SteelFox.gen.
The malware communicates with its command-and-control (C2) server using SSL-pinning and TLSv1.3 protocols via a randomly generated IP address and shifting domain, making it difficult to detect. After establishing the C2 connection, SteelFox’s stealer module collects sensitive data, including browser cookies, credit card details, browsing history, and network information, which it sends back to the attacker in encrypted JSON files.
Using a vulnerable WinRing0.sys driver, SteelFox can escalate privileges and compromise the infected system further. Its indiscriminate infection approach targets any Windows user attempting to use fake activators or cracks, although the origins and specific actors behind this campaign remain unknown.
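The two persistence and escalation behaviours described above (installing itself as a Windows service, then loading the vulnerable WinRing0.sys driver) both leave log artefacts a defender can hunt for. The following added example, which is not from Kaspersky's report or from the malware itself, runs a small triage check over constructed log lines. It assumes a simplified key=value rendering of Windows System event 7045 (new service installed) and Sysmon event 6 (driver loaded); the service names, paths and the `WinRing0.sys` filename match are illustrative assumptions, not real SteelFox indicators.

```python
import re

# Constructed sample events (NOT real SteelFox artefacts). Each line is a
# simplified key=value rendering of a Windows log record:
#   EventID=7045 -> System log, "A service was installed in the system"
#   EventID=6    -> Sysmon, "Driver loaded"
SAMPLE_EVENTS = [
    r'EventID=7045 ServiceName="Wsus Update" ImagePath="C:\Windows\System32\svchost.exe -k netsvcs" StartType="auto"',
    r'EventID=7045 ServiceName="FoxitActivator" ImagePath="C:\Users\alice\AppData\Local\Temp\crack.exe" StartType="auto"',
    r'EventID=6 ImageLoaded="C:\Windows\System32\drivers\WinRing0.sys" Signed="true"',
    r'EventID=6 ImageLoaded="C:\Windows\System32\drivers\ntfs.sys" Signed="true"',
]

# key=value pairs; values may be quoted (and then may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Directory fragments that an ordinary user can write to. A new auto-start
# service whose binary lives here is unusual for legitimate software.
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")

# Driver filenames treated as "known vulnerable" for this example; the page
# names WinRing0.sys, so that is the only entry (assumption: match by basename).
VULNERABLE_DRIVERS = ("winring0",)


def parse_event(line):
    """Turn one key=value line into a dict. Quoted and bare values are both accepted."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}


def check_service_install(event):
    """Flag event 7045 records whose service binary sits in a user-writable path."""
    image_path = event.get("ImagePath", "").lower()
    if any(fragment in image_path for fragment in USER_WRITABLE):
        return "new service installed from user-writable path"
    return None


def check_driver_load(event):
    """Flag Sysmon event 6 records that load a driver on the vulnerable list."""
    loaded = event.get("ImageLoaded", "").lower()
    basename = loaded.rsplit("\\", 1)[-1]
    if any(name in basename for name in VULNERABLE_DRIVERS):
        return "known vulnerable driver loaded (possible BYOVD privilege escalation)"
    return None


def scan(lines):
    """Return (line_index, reason, parsed_event) for every suspicious record."""
    findings = []
    for index, line in enumerate(lines):
        event = parse_event(line)
        event_id = event.get("EventID")
        reason = None
        if event_id == "7045":
            reason = check_service_install(event)
        elif event_id == "6":
            reason = check_driver_load(event)
        if reason:
            findings.append((index, reason, event))
    return findings


if __name__ == "__main__":
    for index, reason, event in scan(SAMPLE_EVENTS):
        subject = event.get("ImagePath") or event.get("ImageLoaded")
        print(f"line {index}: {reason}: {subject}")
```

In a real environment the two checks would be fed from the System log and Sysmon rather than constructed strings, and the service check would normally be paired with the driver check in time: a fresh auto-start service followed shortly by a load of a driver with a known kernel read/write primitive is a much stronger signal than either event alone.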