Get all your news in one place.
100’s of premium titles.
One app.
Start reading
TechRadar
TechRadar
Sead Fadilpašić

Windows PCs targeted by new malware hitting a vulnerable driver

A padlock icon next to a person working on a laptop.

  • Security researchers observed a new threat campaign dubbed SteelFox
  • It uses fake activators and cracks to deploy a vulnerable driver, an infostealer, and a cryptominer
  • The victims are found all over the world, from Brazil to China

Hackers are targeting Windows systems with malware that mines cryptocurrencies and steals sensitive information from the devices, experts have warned.

A new report from Kaspersky claims to have spotted tens of thousands of infected endpoints already, as the cybercriminals have started advertising fake cracks and activators for different commercial software, such as Foxit PDF Editor, JetBrains, or AutoCAD.

The fake cracks come with a vulnerable driver called WinRing0.sys. By adding this driver to the system, the victim reintroduces CVE-2020-14979 and CVE-2021-41285, three- and four-year-old vulnerabilities that grant the attackers highest possible privileges.

SteelFox

Through these vulnerabilities, the crooks are able to drop XMRig, one of the most popular cryptojackers out there. XMRig uses the victim’s computing power, electricity, and internet, to mine Monero and other cryptocurrencies, but renders the device practically useless for the owner. Crypto-mining aside, the hackers also drop an infostealer that can pull data from 13 web browsers, system information, data about the network it’s connected to, as well as RDP connection.

The browser data the infostealer grabs includes browsing history, session cookies, and credit card information. Although not specifically mentioned, it’s safe to assume the malware also steals information related to cryptocurrency wallet browser addons.

Kaspersky named the campaign “SteelFox” and claims to have observed and blocked SteelFox attacks 11,000 times so far - so we can speculate the number of attacks is a lot, lot higher.

The victims seem to be scattered all over the world, meaning that SteelFox operators are casting a wide net, with the majority of compromised endpoints found in Brazil, China, Russia, Mexico, UAE, Egypt, Algeria, Vietnam, India, and Sri Lanka.

Malicious cryptocurrency miners have been around for as long as blockchain itself, but with Bitcoin surging in price after the recent US presidential elections, we can probably expect to see more infections in the months to come.

Via BleepingComputer

You might also like

Sign up to read this article
Read news from 100’s of titles, curated specifically for you.
Already a member? Sign in here
Related Stories
Top stories on inkl right now
One subscription that gives you access to news from hundreds of sites
Already a member? Sign in here
Our Picks
Fourteen days free
Download the app
One app. One membership.
100+ trusted global sources.