Kaspersky researchers have found traces of a new malware strain attacking Windows computers. Named SteelFox, the malware has been active since February 2023 but has picked up pace in recent months. Kaspersky describes it as a “new set of crimeware” that abuses “Windows services and drivers”.
According to Kaspersky's investigation, SteelFox is spread through forum posts and torrent files that promise cracked software, such as AutoCAD. Users download an archive to their computer; once it is unpacked and the bundled installer is run, the malware is delivered.
The installer's execution looks legitimate up to the decompression stage. At that point a malicious function is slipped in ahead of the legitimate one, and the malware is dropped, as Kaspersky's report explains:
“Before a legitimate function, a malicious function is inserted which is responsible for dropping malicious code onto the target user's system.”
Clandestine crypto mining
SteelFox is described as a dropper: malware whose job is to install further malicious components. It is the entry point for everything that follows, including the theft of personal data.
As Kaspersky found, SteelFox also loads WinRing0.sys, a driver affected by several known security flaws, and exploits them to escalate to SYSTEM privileges, a bring-your-own-vulnerable-driver (BYOVD) technique. The malware thereby gains unrestricted access to the machine's resources. A caveat for defenders: WinRing0.sys is a legitimately signed driver bundled with many hardware-monitoring tools, so its mere presence is not an indicator of compromise; what matters is which process loads it and from where.
The malware uses this foothold to mine cryptocurrency at the victim's expense, drawing on the computer's processing power. Here the criminals mine Monero, a privacy coin designed to be hard to trace, with XMRig. This open-source miner degrades PC performance while it enriches the operators; it is SteelFox that installs a modified build of XMRig on the machine. A few months ago, XMRig was also found embedded in pirated copies of Microsoft Office.
13 targeted web browsers
Finally, SteelFox siphons data from 13 web browsers: Google Chrome, Opera, Opera GX, Brave, Firefox, Yandex, Wave, Midori, Avast, Vivaldi, Dragon, Chedot, and Coc Coc. It mainly targets stored payment cards, browsing history and cookies, sensitive data that can lead to bank account looting or further attacks. On Mozilla Firefox it also collects the browser's “places” database, its record of visited sites.
“SteelFox does not target any specific organization or person. Instead, it acts on a mass scale, extracting every bit of data that can be processed later,” explains Kaspersky.
The SteelFox campaign is behind “a massive infection” that Kaspersky identified in August 2024. So far, victims are located mainly outside Europe, in countries such as Brazil, China, Russia, Mexico, the United Arab Emirates, Egypt, Algeria, Vietnam, India and Sri Lanka.
Source: Kaspersky