Technical Insight

Published: December 9, 2024

Beware of Pirated or Cracked Software

SteelFox malware has emerged as a new threat targeting Windows PCs through vulnerable drivers, as highlighted by cybersecurity expert Dr. Shekhar Pawar. The malware, distributed through pirated software, mines cryptocurrency, steals credit card data, and exploits system vulnerabilities to gain unauthorized access. It primarily affects users of applications like AutoCAD, JetBrains, and Foxit PDF Editor, and is a reminder of the risks posed by illegal software downloads.

SteelFox is a malicious package

New SteelFox malware hijacks Windows PCs using vulnerable drivers, cautions Dr Shekhar Pawar.

Pirated software is a common vector for Trojan horse malware. Trojans disguise themselves as legitimate software or files, tricking users into downloading and installing them. Once installed, they can perform various malicious activities, such as stealing data, installing additional malware, or giving attackers remote access to your system. One new variant of this type is currently infiltrating numerous computers.

SteelFox is a malicious package that mines for cryptocurrency and steals credit card data using the ‘bring your own vulnerable driver’ technique to gain SYSTEM privileges on Windows machines. The malware is distributed through forums and torrent trackers and activates legitimate versions of software like Foxit PDF Editor, JetBrains, and AutoCAD. Kaspersky researchers discovered the campaign in August and it has been around since February 2023.

Who are ideal targets for SteelFox?

SteelFox attacks do not have specific targets but appear to focus on users of AutoCAD, JetBrains, and Foxit PDF Editor. Based on Kaspersky's visibility, the malware compromises systems in Brazil, China, Russia, Mexico, UAE, Egypt, Algeria, Vietnam, India, and Sri Lanka.

How does it work?

According to Kaspersky, the malicious posts that advertise the SteelFox dropper come with comprehensive instructions on how to activate the program illegally. The researchers note that the dropper does deliver the promised functionality, so users infect their systems with malware while getting exactly what they were looking for.

Applying the crack requires administrator access, because the software being illegally activated is usually installed under Program Files. The malware abuses that same access later in the attack.

As per researchers at Kaspersky, ‘the execution chain looks legitimate until the moment the files are unpacked’. They explain that the unpacking step inserts a malicious function into the program's machine code, and that function is what loads SteelFox.

With admin privileges secured, SteelFox launches a service carrying the WinRing0.sys driver, which is vulnerable to CVE-2020-14979 and CVE-2021-41285 and can be abused to escalate privileges to the NT AUTHORITY\SYSTEM level.

These permissions grant unfettered access to any resource and process and are the most powerful on a local system, surpassing those of an administrator.

The WinRing0.sys driver also serves the mining side of the operation, since it ships as a component of XMRig, the Monero mining program. According to Kaspersky researchers, the threat actor runs a modified build of the miner executable that connects to a mining pool with hardcoded credentials.
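The ‘bring your own vulnerable driver’ step above leaves two reliable traces on an endpoint: a kernel service being installed and a driver being loaded from a place where drivers do not normally live. The following is an added example (not Kaspersky's or the article's code) of how a defender might express that as detection rules over Sysmon Event ID 6 (DriverLoad) and Windows System log Event ID 7045 (service installed) records. The sample events, the service name and the Program Files paths are constructed; the hash set is a placeholder, because the article publishes no hashes, and in practice it would be populated from a maintained vulnerable-driver blocklist.

```python
"""Detection rules for the BYOVD step described above.

Added example, not Kaspersky's or the article's code. Input records imitate the
shape of Sysmon Event ID 6 (DriverLoad) and Windows System log Event ID 7045
(service installed); the sample events below are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Driver names the article ties to the privilege-escalation step (matched on
# basename, case-insensitively). WinRing0x64.sys is the 64-bit build.
VULNERABLE_DRIVER_NAMES = {"winring0.sys", "winring0x64.sys"}

# Placeholder only: a real deployment would load hashes from a maintained
# vulnerable-driver blocklist. The article publishes no hashes.
VULNERABLE_DRIVER_SHA256 = {"0" * 64}

# Where Windows drivers normally live; a kernel driver loaded from anywhere
# else (for example under Program Files, next to a 'crack') deserves review.
TRUSTED_DRIVER_DIRS = ("c:\\windows\\system32\\drivers\\",)


@dataclass(frozen=True)
class Finding:
    severity: str   # "high" or "medium"
    reason: str
    event_id: int   # 6 (driver load) or 7045 (service install)


def _normalize(path: str) -> str:
    """Strip NT-style prefixes such as \\??\\C:\\... and unify separators."""
    path = path.replace("/", "\\")
    for prefix in ("\\??\\", "\\\\?\\"):
        if path.startswith(prefix):
            path = path[len(prefix):]
    return path


def _basename(path: str) -> str:
    return _normalize(path).rsplit("\\", 1)[-1].lower()


def _sha256_from_hashes(hashes: str | None) -> str:
    """Sysmon stores hashes as one string, e.g. 'SHA256=...,MD5=...'."""
    m = re.search(r"SHA256=([0-9A-Fa-f]{64})", hashes or "")
    return m.group(1).lower() if m else ""


def check_driver_load(ev: dict) -> list[Finding]:
    """Rules for a DriverLoad (Event ID 6) record."""
    findings: list[Finding] = []
    path = _normalize(ev.get("ImageLoaded", ""))
    name = _basename(path)
    # Name match catches the default file name; the hash match catches a
    # renamed copy of the same driver.
    if name in VULNERABLE_DRIVER_NAMES or _sha256_from_hashes(ev.get("Hashes")) in VULNERABLE_DRIVER_SHA256:
        findings.append(Finding("high", f"known vulnerable driver loaded: {name}", 6))
    if not path.lower().startswith(TRUSTED_DRIVER_DIRS):
        findings.append(Finding("medium", f"driver loaded from non-standard path: {path}", 6))
    if ev.get("Signed", "").lower() != "true" or ev.get("SignatureStatus") != "Valid":
        findings.append(Finding("medium", f"driver signature missing or not valid: {name}", 6))
    return findings


def check_service_install(ev: dict) -> list[Finding]:
    """Rules for a 'service installed' (Event ID 7045) record."""
    if ev.get("ServiceType", "").lower() != "kernel mode driver":
        return []   # user-mode services are out of scope for this rule
    findings: list[Finding] = []
    path = _normalize(ev.get("ImagePath", ""))
    name = _basename(path)
    if name in VULNERABLE_DRIVER_NAMES:
        findings.append(Finding("high", f"kernel service '{ev.get('ServiceName')}' installed for vulnerable driver {name}", 7045))
    if not path.lower().startswith(TRUSTED_DRIVER_DIRS):
        findings.append(Finding("medium", f"kernel service image outside the drivers directory: {path}", 7045))
    return findings


def scan(events: list[dict]) -> list[Finding]:
    """Dispatch each record to the rule for its event ID."""
    out: list[Finding] = []
    for ev in events:
        if ev.get("EventID") == 6:
            out.extend(check_driver_load(ev))
        elif ev.get("EventID") == 7045:
            out.extend(check_service_install(ev))
    return out


# Constructed sample records (not real telemetry). The paths and service name
# are illustrative placeholders.
SAMPLE_EVENTS = [
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\disk.sys",
     "Hashes": "SHA256=" + "a" * 64, "Signed": "true", "SignatureStatus": "Valid"},
    {"EventID": 7045, "ServiceName": "ExampleCrackSvc", "ServiceType": "kernel mode driver",
     "ImagePath": r"\??\C:\Program Files\ExampleApp\WinRing0.sys"},
    {"EventID": 6, "ImageLoaded": r"C:\Program Files\ExampleApp\WinRing0.sys",
     "Hashes": "SHA256=" + "b" * 64, "Signed": "true", "SignatureStatus": "Valid"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.severity}] EID {f.event_id}: {f.reason}")
```

Note that the signature check alone would not catch WinRing0.sys, which carries a valid signature; that is the whole point of the technique, and why the name and hash lists matter more than signature status here. The path rule is the cheap, generic backstop: a legitimately installed driver almost never loads from under Program Files.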

The malware then uses TLS v1.3 and SSL pinning to connect to its command-and-control (C2) server, preventing communication from being intercepted.

Additionally, it turns on the info-stealer component, which gathers data from 13 web browsers along with information about the system, the network, and RDP connections.

The researchers point out that SteelFox gathers information from browsers, including cookies, browsing history, and credit card information.

According to Kaspersky, the threat actor hides the infrastructure behind SteelFox's hardcoded C2 domain by rotating its IP addresses and resolving the domain through Google Public DNS and DNS over HTTPS (DoH).
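The two C2 traits described above, a fixed domain whose addresses keep changing and name resolution through Google Public DNS and DoH, are both visible from the network side. The following is an added example (not Kaspersky's or the article's code) of host-level heuristics over Sysmon Event ID 3 (NetworkConnect) and Event ID 22 (DnsQuery) records. The Google Public DNS addresses and the dns.google hostname are real; the browser allowlist is an assumption for this example, and the sample events, the dropper's process name and the c2.example hostname are constructed.

```python
"""Network-side heuristics for the C2 behaviour described above.

Added example, not Kaspersky's or the article's code. Records imitate Sysmon
Event ID 3 (NetworkConnect) and Event ID 22 (DnsQuery); sample events are
constructed. The browser allowlist is an assumption for this example.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

# Google Public DNS resolver addresses and its DoH hostname.
GOOGLE_PUBLIC_DNS_IPS = {"8.8.8.8", "8.8.4.4", "2001:4860:4860::8888", "2001:4860:4860::8844"}
GOOGLE_DOH_HOSTNAMES = {"dns.google"}

# Assumption: on the monitored fleet only these images are expected to speak
# DoH on their own. Tune to the environment.
DOH_CAPABLE_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe"}


@dataclass(frozen=True)
class Alert:
    process: str
    reason: str


def _image_name(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _host(ev: dict, key: str) -> str:
    return ev.get(key, "").lower().rstrip(".")


def check_network_connect(ev: dict) -> list[Alert]:
    """NetworkConnect (Event ID 3): who talks to a public resolver, and how."""
    img = _image_name(ev.get("Image", ""))
    if img in DOH_CAPABLE_CLIENTS:
        return []
    ip, port = ev.get("DestinationIp", ""), int(ev.get("DestinationPort", 0))
    host = _host(ev, "DestinationHostname")
    if port == 443 and (ip in GOOGLE_PUBLIC_DNS_IPS or host in GOOGLE_DOH_HOSTNAMES):
        return [Alert(img, f"DoH-style TLS connection to Google Public DNS ({ip}) from a non-browser process")]
    if port == 53 and ip in GOOGLE_PUBLIC_DNS_IPS:
        return [Alert(img, f"direct DNS to Google Public DNS ({ip}), bypassing the configured resolver")]
    return []


def check_dns_query(ev: dict) -> list[Alert]:
    """DnsQuery (Event ID 22): resolving the DoH endpoint is the usual prelude."""
    img = _image_name(ev.get("Image", ""))
    if img in DOH_CAPABLE_CLIENTS:
        return []
    q = _host(ev, "QueryName")
    if q in GOOGLE_DOH_HOSTNAMES:
        return [Alert(img, f"non-browser process resolved {q}")]
    return []


def rotating_hosts(events: list[dict], min_ips: int = 3) -> dict[tuple[str, str], set[str]]:
    """Hostnames that one process reached over at least `min_ips` distinct IPs.

    A fixed C2 domain whose addresses keep changing, as the article describes,
    shows up here; CDN-backed sites will too, so treat it as a lead, not proof.
    """
    seen: dict[tuple[str, str], set[str]] = defaultdict(set)
    for ev in events:
        if ev.get("EventID") != 3:
            continue
        host = _host(ev, "DestinationHostname")
        if host:
            seen[(_image_name(ev.get("Image", "")), host)].add(ev.get("DestinationIp", ""))
    return {k: v for k, v in seen.items() if len(v) >= min_ips}


def scan(events: list[dict]) -> list[Alert]:
    """Dispatch each record to the rule for its event ID."""
    out: list[Alert] = []
    for ev in events:
        if ev.get("EventID") == 3:
            out.extend(check_network_connect(ev))
        elif ev.get("EventID") == 22:
            out.extend(check_dns_query(ev))
    return out


# Constructed sample records; the process name, the C2 hostname and the
# 203.0.113.0/24 (TEST-NET-3) addresses are placeholders.
SAMPLE_EVENTS = [
    {"EventID": 22, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "QueryName": "dns.google"},
    {"EventID": 22, "Image": r"C:\Users\Public\constructed-dropper.exe", "QueryName": "dns.google"},
    {"EventID": 3, "Image": r"C:\Users\Public\constructed-dropper.exe",
     "DestinationIp": "8.8.8.8", "DestinationPort": "443", "DestinationHostname": "dns.google"},
] + [
    {"EventID": 3, "Image": r"C:\Users\Public\constructed-dropper.exe",
     "DestinationIp": ip, "DestinationPort": "443", "DestinationHostname": "c2.example"}
    for ip in ("203.0.113.10", "203.0.113.20", "203.0.113.30")
]

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"{a.process}: {a.reason}")
    for (proc, host), ips in rotating_hosts(SAMPLE_EVENTS).items():
        print(f"{proc} reached {host} over {len(ips)} addresses: {sorted(ips)}")
```

Because the TLS 1.3 session to the C2 is pinned, inspecting its content is not an option; the resolver behaviour and the address churn are what remain observable. The same allowlist logic maps directly onto the firewall recommendation later in the article: permit DoH endpoints only for the browsers that need them and block them for everything else.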

Despite SteelFox's recent inception, the researchers call it ‘a full-featured crimeware bundle’. Analysis of the malware reveals that its creator is proficient in C++ programming and was able to integrate external libraries to build a powerful piece of malware.

To protect computers from SteelFox malware, organisations as well as individuals should follow the recommendations below:

1. Download from Official Sources (Avoid Pirated Software): Always download software from official or trusted sources. Pirated software is a common vector for malware.

2. Use Reliable Security Software: Install reputable antivirus and anti-malware software. Ensure it is always up to date and set to automatically scan new files.

3. Keep Your System Updated: Regularly update your operating system and all installed applications. Software updates often include security patches that can protect against vulnerabilities exploited by malware.

4. Enable Firewall Protection: Use a firewall to block unauthorised access to your computer. This can help prevent malware from communicating with its control servers.

5. Be Cautious with Email Attachments and Links: Do not open email attachments or click on links from unknown or untrusted sources. Phishing emails are a common method for spreading malware.

6. Regular Backups: Regularly backup your important data to an external drive or cloud storage. This ensures you can recover your data if your system is compromised.

7. Implement Better Cybersecurity Posture: It is highly recommended to adopt an existing cybersecurity standard or framework to protect critical assets, including information. For example, depending on the need, ISO 27001, NIST, or even the BDSLCCI framework for MSMEs can help.

Pirated Software

It is important to note that pirated software is not legal. Using, copying, or distributing software without proper authorisation is considered software piracy, which is a violation of copyright laws. This can lead to severe legal consequences, including hefty fines and even imprisonment.

Using pirated software comes with several significant risks such as:

1. Malware and Viruses: Pirated software often contains malware, viruses, and other malicious code that can compromise your computer's security. This can lead to data theft, identity theft, and unauthorised access to your personal information.

2. Lack of Updates and Support: Legitimate software providers regularly release updates and patches to fix bugs and security vulnerabilities. Pirated software does not receive these updates, leaving your system exposed to new threats.

3. Legal Consequences: Using pirated software is illegal and can result in severe penalties, including fines and imprisonment. It also violates copyright laws, which can lead to legal action against you.

4. Performance Issues: Pirated software may not function correctly and can cause your system to crash or malfunction. This can lead to data loss and significant downtime while you try to fix the issues.

5. Financial Losses: While pirated software might seem like a cost-saving option initially, the potential costs of dealing with malware infections, legal fees, and system repairs can far outweigh the savings.

6. Penalties if caught: The penalties for using pirated software can be quite severe and vary depending on the jurisdiction and the specifics of the case. Below are some potential consequences to be noted.

- Fines: Individuals caught using pirated software can face substantial fines. In the United States, for example, fines can reach up to $150,000 per instance of copyright infringement.

- Imprisonment: In some cases, individuals may face jail time. First-time offenders in the US can be sentenced to up to five years in prison.

- Civil Lawsuits: Software companies can file civil lawsuits against individuals or organisations using pirated software, which can result in additional financial penalties and legal fees.

- Reputational Damage: Being caught using pirated software can damage an individual’s or a company’s reputation, leading to loss of trust and potential business opportunities.

- Business Penalties: Companies found using pirated software can face even harsher penalties, including fines up to $1 million.

It's always best to use legitimate software to ensure your system's security and stability, and to support the developers who create these valuable tools.

Dr Shekhar Pawar is a DBA in the cybersecurity domain at SSBM, Switzerland. He has completed his executive management degree from SJMSOM, IIT Bombay, and engineering in electronics and telecommunications from Mumbai University. Some of his skills and certifications include Certified Information Systems Auditor (CISA), Certified Ethical Hacker (CEH), Computer Hacking Forensic Investigator (CHFI), ISO 27001 – Lead Auditor, PCI DSS Implementer; Certified HIPAA Compliance Professional, Sarbanes Oxley (SOX) Certified Professional; Diploma in Cyber Laws, Microsoft Certified Professional (MCP), Certified Blockchain Developer, Certified ATM for CMMi Assessment, DSP & Applications – IIT Madras, and Diploma in Industrial Electronics. He is also the author of the nonfiction book ‘Air Team Theory: Understanding 10 Types of Teammates and Best Practices to Succeed’. Currently he is working as Founder and CEO of SecureClaw Inc., USA, and GrassDew IT Solutions Pvt Ltd, Mumbai.  

_____________________________________________________________________________________________

For a deeper dive into the dynamic world of Industrial Automation and Robotic Process Automation (RPA), explore our comprehensive collection of articles and news covering cutting-edge technologies, robotics, PLC programming, SCADA systems, and the latest advancements in the Industrial Automation realm. Uncover valuable insights and stay abreast of industry trends by delving into the rest of our articles on Industrial Automation and RPA at www.industrialautomationindia.in

Industrial Automation Editorial
