Science and Tech

SteelFox malicious package for Windows combines ‘ransomware’ with cryptomining techniques

a fox

a fox – PEXELS

Nov. 8 (Portaltic/EP) –

A malware package known as SteelFoxwhich combines crypto mining techniques and theft of victims’ credit data, offered as ‘software’ legitimate such as AutoCAD or JetBrains for Windows and has recorded more than 11,000 attack attempts in just three months.

The Global Research and Analysis Team (GReAT) of the cybersecurity firm Kaspersky has warned of this malicious campaign, active since at least February 2023 and which continues to represent a threat today, as they have stated in a statement.

This group of analysts discovered SteelFox in August 2024 after investigating different attacks involving this package, which is advertised on forums as a ‘dropper’ that allows you to activate legitimate software products for free. While these programs offer the advertised functionality, they can also gain system privileges once installed.

More specifically, this malicious campaign exploits popular programs such as Foxit PDF Editor, AutoCAD and JetBrains to execute ‘ransomware’ on Windows computers, an execution chain that seems legitimate until the moment the files are decompressed, as also reported on the blog Kaspersky.

So, once you get administrator rights, SteelFox creates a service that runs a handler called WinRingO.syswhich can be exploited to obtain different system level privileges (NT/System), that is, those that allow the malicious actor to access any process or resource without restrictions.

In addition to collecting information from the victims’ cards, as well as details about the infected devices and the antivirus solutions they have; The attack implements a second technique by operating as cryptomining ‘malware’. More specifically, cybercriminals use a modified version of the XMRing executable to target cryptocurrencies such as Monero.

Kaspersky researchers have indicated that they have achieved detect and block more than 11,000 attack attempts of this malicious package from August to the end of October. Most of the affected users are located in Brazil, China, Russia, Mexico, United Arab Emirates, Egypt, Algeria, India, Vietnam and Sri Lanka.

To minimize risks, the company has recommended downloading applications only from official sources, periodically updating the operating system and installed applications, and installing a reliable security or antivirus solution.

Source link

About the author

Redaction TLN

Add Comment

Click here to post a comment