Several experts have warned that hackers are using malware to attack Windows systems with the intention of mining cryptocurrency and stealing sensitive information from their devices.
The latest Kaspersky Security Report claims to have spotted tens of thousands of infected endpoints. Cybercriminals have obtained fake cracks and activators for several commercial software products, such as Foxit PDF Editor, JetBrains, or AutoCAD, which they are selling to users.
There is a vulnerability in a driver called WinRing0.sys that is associated with some fake cracks. The victim of this attack has reintroduced the CVE-2020-14979 and the CVE-2021-41285 vulnerabilities back onto the system by adding this driver at the same time, two three-year-old vulnerabilities that extended the privileges of the attacker to the maximum possible.
SteelFox is a malware package that has been designed to mine cryptocurrency and steal credit card details via SYSTEM privileges by taking advantage of the "bring your own vulnerable driver" attack method.
In forums and torrent trackers, malware bundle droppers appear as crack tools. These tools act as crack tools that activate legitimate versions of various software, such as Foxit PDF Editor, JetBrains, and AutoCAD.
To evade detection and evade detection, state-sponsored threat actors and ransomware groups are known to exploit vulnerable drivers to escalate privileges. As of late, however, this method seems to be extended to attack against information-stealing malware as well.
According to Kaspersky researchers, the SteelFox campaign was discovered in August of this year, but they add that the malware has been active since February 2023 and has been distributed through various channels (such as torrents, blogs and forum posts) in the past few weeks.
The Rhadamanthys data theft malware has been available for download for some time, but since July 2024 the virus' version has been updated with copyright-related themes in an ongoing phishing campaign.
There is a large-scale cybercrime campaign being tracked by the checkpoint group under the name CopyRightAdamantys. In addition to targeting the U.S., Europe, East Asia, and South America, the organization targets other regions as well.
The campaign tries to impersonate dozens of companies, while each email is sent from a different Gmail account, providing a tailored impersonation of the target company as well as a tailored language based on the targeted entity, according to a technical analysis provided by the company. In the case of impersonated companies, there is almost 70% of them from the entertainment/media/technology/software sector."
There is an element that stands out about the attacks: the deployment of the Rhadamanthys stealer version 0.7, which, as described by Insikt Group, Recorded Future's security division, early last month, is utilized to carry out optical character recognition.
Cisco Talos, an Israeli company that specializes in cyber security, disclosed last week that it had been targeting users of Facebook business and advertising accounts in Taiwan by delivering malware known as Lumma or Rhadamanthys, which is designed to steal information.
There are three components inside the RAR archive. A legitimate executable vulnerable to DLL side-loading, a malicious DLL containing the stealer payload, and a decoy document containing the stealer payload. After the binary has been executed, it will sideload the DLL file that will create the environment that will allow Rhadamanthys to be deployed.
It is likely that the threat actors were using artificial intelligence tools to spread the malware, based on both the scale of the campaign and the variety of lures that were included in the campaign and the emails sent by the sender, which Check Point attributed to a possible cybercrime group.
It seems likely that this campaign was orchestrated by a financially motivated cybercrime group and not a nation-state actor, particularly given the large number of organizations across multiple regions targeted in this campaign," he continued.
In addition to its global reach, the use of automated phishing tactics, and the use of a variety of lures, this campaign demonstrates how attackers continue to enhance their success rates."
As part of these findings, Kaspersky also revealed a full-featured crimeware bundle dubbed SteelFox, which has been spreading via forums posts, torrent trackers, and blogs, passing itself off as legitimate utilities like Foxit PDF Editor, JetBrains, and AutoCAD in order to steal personal information.
In the last two years, the campaign of terrorism has claimed victims in nearly 50 countries. The majority of the victims were in Brazil, China, Russia, Mexico, the United Arab Emirates, Egypt, Algeria, Vietnam, India, and Sri Lanka, with many more in Brazil, China, Russia, and Mexico.
At this point in time, there is no known threat actor or group associated with this attack.
A security researcher, Kirill Korchemny, said: "Delivered via sophisticated execution chains, notably shellcode, this type of malware abuses both Windows services and drivers in an attempt to accomplish its objectives." As a result of it, he said that he used stealer malware to obtain details about the victim's device as well as his credit card information.
A dropper program is the starting point of this setup, in the sense that it mimics cracked versions of popular software, so when it is run, the dropper application will request administrator permissions and drop a next-stage loader which, in turn, will establish persistence and launch the SteelFox module.
It is Kaspersky's opinion that although SteelFox's C2 domain is hardcoded, it has managed to conceal its presence through the use of multiple IP addresses and using DNS over HTTPS to resolve its IP addresses in order to hide its presence.
Although SteelFox attacks don't have specific targets, they seem to focus on users of AutoCAD, JetBrains, and Foxit's Adobe PDF Editor app.
In accordance with Kaspersky's visibility information, Kaspersky indicates that the malware is compromising systems in Brazil, China, Russia, Mexico, the UAE, Egypt, Algeria, Vietnam, India, and Sri Lanka among others.
Researchers have identified a new and potent cyber threat: the SteelFox malware, a sophisticated crimeware bundle targeting Windows PCs through vulnerable drivers. This malware, still relatively new to the landscape, demonstrates advanced functionality and appears to be the product of a skilled C++ developer who has integrated multiple external libraries to enhance its capabilities.
In a related development, analysts from FortiGuard Labs have reported the discovery of another malicious software framework named Winos4.0. This advanced framework, embedded in game-related applications, is engineered specifically to target Windows users. Originating as an evolved version of the Gh0strat malware, Winos4.0 enables attackers to remotely execute various actions, providing them with substantial control over compromised systems.
The infection process for Winos4.0 is particularly deceptive.
It spreads through game-related applications, such as installation utilities and performance enhancement tools, designed to appeal to gamers and other Windows users. Once an individual downloads and installs one of these compromised applications, a seemingly harmless BMP file is retrieved from a remote server. This file subsequently extracts and activates the Winos4.0 DLL file, initiating the malware’s operations.
In its initial phase, Winos4.0 sets up an environment for deploying further modules and establishes persistence on the infected machine by modifying system registry keys or creating scheduled tasks. Through this multi-stage infection process, Winos4.0 builds a durable foothold on affected devices, opening avenues for continuous exploitation and control.