
Deep Dive: Inside "SteelFox" – The High-Performance C++ Crimeware Bundle Exploiting BYOVD


SteelFox is a sophisticated, modular malware campaign that has been active since early 2023, with a significant surge in activity recorded between August and October 2024. Masquerading as activation tools for popular software suites (Foxit PDF, JetBrains, AutoCAD), SteelFox has compromised over 11,000 endpoints globally.

Unlike typical "script-kiddie" malware, SteelFox is a professionally developed C++ application leveraging advanced libraries (Boost.Asio, wolfSSL), modern encryption standards (TLS 1.3), and a "Bring Your Own Vulnerable Driver" (BYOVD) technique to achieve NT AUTHORITY\SYSTEM privileges. This report details the infection chain, the exploitation of the WinRing0.sys driver, and the dual-payload capability comprising information theft and cryptomining.

Distribution and Infection Vector

The campaign relies on mass-distribution rather than spear-phishing. The threat actors exploit the demand for pirated software, distributing the malware via:

  • Torrent Trackers (Russian and Chinese focused)

  • Community Forums

  • Blogs hosting "Warez"

The Lure

The malware is packaged as a "crack" or "activator" for high-value commercial software. Confirmed lures include:

  • Foxit PDF Editor

  • JetBrains IDEs (IntelliJ IDEA, WebStorm)

  • AutoCAD

Social Engineering & Execution

When the victim executes the dropper (e.g., foxitcrack.exe), the malware performs two simultaneous actions:

  1. Legitimate Activation: It actually patches the targeted software, functioning as promised. This effectively pacifies the user and reduces suspicion.

  2. Malicious Installation: It requests Administrative privileges—ostensibly to patch files in C:\Program Files—which it then uses to initiate the infection chain.

Technical Analysis: The Dropper & Loader

The initial stage is an AMD64 PE executable characterized by high entropy in its .rdata section, indicating packed or encrypted content.

Payload Decryption

The loader employs robust cryptography to unpack its payload:

  • Algorithm: AES-128 with Cipher Block Chaining (CBC).

  • Optimization: Newer variants utilize the AES-NI instruction set, indicating the developers are optimizing for performance and hardware acceleration.

  • Obfuscation: The binary includes "junk" data and manipulated linker timestamps (ranging from May to December 2022) to alter the file hash and evade static signature detection.
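The "high entropy in .rdata" observation above is the kind of triage signal an analyst checks first. The following is an added example (not SteelFox code and not from the original report) that reads a PE's section table with the standard library only and reports per-section Shannon entropy; the 7.2 bits-per-byte threshold, the `build_fake_pe` fixture and the sample section contents are constructed assumptions for demonstration.

```python
# Added example (not SteelFox code): stdlib-only PE section entropy triage.
# High byte entropy in a data section such as .rdata is the packed/encrypted
# content indicator the report describes; the threshold below is an assumption.
import math
import struct
from collections import Counter

HIGH_ENTROPY = 7.2  # assumed triage threshold, bits per byte (maximum is 8.0)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def pe_sections(image: bytes) -> dict:
    """Minimal PE section-table reader: returns {section name: raw bytes}."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]           # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", image, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", image, pe_off + 20)[0]  # SizeOfOptionalHeader
    table = pe_off + 24 + opt_size                              # first IMAGE_SECTION_HEADER
    sections = {}
    for i in range(num_sections):
        hdr = table + 40 * i
        name = image[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", image, hdr + 16)
        sections[name] = image[raw_ptr:raw_ptr + raw_size]
    return sections


def triage(image: bytes) -> dict:
    """Per-section (entropy, flagged) where flagged means 'looks packed/encrypted'."""
    report = {}
    for name, blob in pe_sections(image).items():
        ent = shannon_entropy(blob)
        report[name] = (round(ent, 3), ent >= HIGH_ENTROPY)
    return report


def build_fake_pe(sections: dict) -> bytes:
    """Constructed test fixture: a minimal, non-executable PE image carrying the
    given sections (SizeOfOptionalHeader = 0, so this is not a loadable binary)."""
    names = list(sections)
    pe_off = 0x40
    data_start = pe_off + 24 + 40 * len(names)
    out = bytearray(b"MZ" + b"\0" * 0x3A + struct.pack("<I", pe_off))
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    out += b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, len(names), 0, 0, 0, 0, 0x22)
    ptr = data_start
    for name in names:
        blob = sections[name]
        # IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData,
        # PointerToRawData, reloc/linenumber pointers and counts, Characteristics
        out += struct.pack("<8sIIIIIIHHI", name.encode("ascii"), len(blob), ptr,
                           len(blob), ptr, 0, 0, 0, 0, 0)
        ptr += len(blob)
    for name in names:
        out += sections[name]
    return bytes(out)


# Constructed sample: a low-entropy "code" section and a stand-in for an
# encrypted .rdata blob (every byte value equally frequent -> 8.0 bits/byte).
SAMPLE_TEXT = b"MOV RAX, RBX; RET\n" * 32
SAMPLE_RDATA = bytes(range(256)) * 8
SAMPLE_PE = build_fake_pe({".text": SAMPLE_TEXT, ".rdata": SAMPLE_RDATA})

if __name__ == "__main__":
    for name, (ent, flagged) in triage(SAMPLE_PE).items():
        print(f"{name:8s} entropy={ent:.3f} {'PACKED?' if flagged else 'ok'}")
```

Run it against a real sample by replacing `SAMPLE_PE` with `open(path, "rb").read()`; a `.rdata` section scoring near 8.0 is the packed-payload signal described above, while legitimate read-only data usually sits well below the threshold.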

Persistence Mechanism

Upon decryption, the payload moves to a directory masquerading as legitimate software components. Common paths include:

  • C:\Program Files\Foxit Software\Foxit PDF Editor\plugins\FoxitPDFEditorUpdateService.exe

  • C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe

  • C:\Program Files\Autodesk\AdODIS\V1\Setup\lpsad.exe

The malware then registers itself as a Windows Service configured to start automatically with the OS, and uses the StartServiceCtrlDispatcherW API to connect to the Service Control Manager and handle service control signals (stop, shutdown).

Privilege Escalation: The BYOVD Technique

The most critical component of SteelFox is its ability to gain Kernel-level access using the Bring Your Own Vulnerable Driver (BYOVD) technique.

The Vulnerability

SteelFox drops and installs WinRing0.sys, a legitimate driver historically used for hardware monitoring (e.g., in tools like Open Hardware Monitor). This driver is signed with a valid certificate but contains critical vulnerabilities (CVE-2020-14979 and CVE-2021-41285).

The Exploit Chain

  1. Service Creation: The malware creates a service for WinRing0.sys.

  2. Communication: It opens a handle to the driver via the device link \\.\WinRing0_1_2_0.

  3. Kernel Access: Because WinRing0.sys lets user-mode applications read and write physical memory and model-specific registers (MSRs) without proper validation, SteelFox exploits this to execute code with Ring 0 (Kernel) privileges.

Impact:

  • Bypasses User Account Control (UAC).

  • Evades Driver Signature Enforcement (DSE).

  • Gains the ability to terminate Endpoint Protection (AV/EDR) processes at the kernel level.

Note: As of 2025, Microsoft Defender's "Vulnerable Driver Blocklist" flags this as VulnerableDriver:WinNT/Winring0, but systems without this feature enabled remain vulnerable.

Network Communication & Evasion

SteelFox stands out due to its use of high-level C++ libraries for networking, specifically Boost.Asio for asynchronous I/O and wolfSSL for encryption.

Command & Control (C2) Architecture

  • Protocol: All traffic is encrypted using TLS v1.3, ensuring privacy and integrity.

  • SSL Pinning: The malware uses SSL pinning to hardcode the expected server certificate. This renders local Man-in-the-Middle (MitM) inspection—a common technique used by security researchers and enterprise firewalls—ineffective.

  • Infrastructure: C2 domains (e.g., ankjdans[.]xyz) are resolved using DNS over HTTPS (DoH) via Google Public DNS. This hides DNS lookups from local logs and ISP filters.

Payloads: The Crimeware Bundle

Once established, SteelFox deploys two primary modules.

A. The Info Stealer

This module targets browser data stored in local SQLite databases. It supports 13+ browsers, including Chrome, Edge, Firefox, Brave, and Opera.

Data Exfiltrated:

  • Financial: Credit card data saved in autofill.

  • Identity: Cookies (session hijacking), browsing history, and saved credentials.

  • System: RDP session details, Wi-Fi profiles (SSIDs and passwords), and network interface maps.

  • Environment: List of installed security software and system build versions.

B. The Cryptominer (XMRig)

The malware deploys a modified version of the open-source XMRig miner to harvest Monero (XMR).

  • Deployment: The miner executable is often downloaded from a GitHub repository (e.g., github.com/cppdev-123) or embedded in the payload.

  • Stealth: It injects junk code to disrupt signature matching.

  • Execution: It leverages the WinRing0.sys driver to initialize, ensuring it runs with maximum priority and hardware access.

Global Impact and Statistics

According to telemetry from major security vendors (Kaspersky, et al.), the campaign has a global footprint with specific concentrations in regions with high piracy rates.

Top Affected Countries:

  1. Brazil

  2. China

  3. Russia

  4. Mexico

  5. UAE / Egypt / Algeria

Total Victims: >11,000 confirmed unique infections (as of Oct 2024).

Indicators of Compromise (IoC)

Security Operations Centers (SOCs) should utilize the following indicators for detection and hunting.

File Hashes (MD5)

Component            MD5 hash
Payload              fb94950342360aa1656805f6dc23a1a0
Loader               5029b1db994cd17f2669e73ce0a0b71a
Setup (lpsad.exe)    69a74c90d0298d2db34b48fa6c51e77d
Adobe Svc (AGS)      84b29b171541c8251651cabe1364b7b6

Network Artifacts

  • Domain: ankjdans[.]xyz

  • IP Address: 205.185.115.5

  • URL Pattern: hxxps://www.cloudstaymoon[.]com/2024/05/06/tools-1

File System Paths

  • %ProgramFiles%\Foxit Software\Foxit PDF Editor\plugins\FoxitPDFEditorUpdateService.exe

  • %ProgramFiles(x86)%\Common Files\Adobe\AdobeGCClient\AGSService.exe

  • %ProgramFiles%\Autodesk\AdODIS\V1\Setup\lpsad.exe

Mitigation and Response

The sophistication of SteelFox requires a layered defense strategy.

  1. Enforce Vulnerable Driver Blocklist: Administrators must enable the Microsoft Vulnerable Driver Blocklist in Windows Defender or via Group Policy (HVCI) to prevent the loading of WinRing0.sys.

  2. Behavioral Monitoring (EDR): Signature-based detection is insufficient due to frequent recompilation. EDR rules should flag:

    • Non-system processes attempting to access \\.\WinRing0.

    • DNS over HTTPS traffic to non-corporate DoH providers.

    • Unexpected service creation in Program Files.

  3. Network Inspection: While SSL pinning complicates inspection, traffic analysis can identify connections to known C2 IPs and unusual data volume (indicative of exfiltration).

  4. Policy Enforcement: Restrict the ability of users to download and install unsigned software or tools from torrent trackers.
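To show how the IoCs listed above and the behavioural EDR rules in step 2 combine in practice, here is an added example (not SteelFox code, and not a vendor's detection content) that applies both to a handful of constructed telemetry records. The record schema (a dict per event with a "type" key), the non-corporate DoH resolver list, the browser list, the WinRing0 allowlist and the sample events are all assumptions; the hashes, domain, IP and paths are the ones from the report.

```python
# Added example (not SteelFox or any vendor's code): a small rule engine that
# applies the report's IoCs and behavioural EDR rules to telemetry records.
# The record schema (dicts with a "type" key) and the allowlists are assumptions.
import re

# IoCs quoted from the report (defanged forms are normalised before matching).
IOC_MD5 = {
    "fb94950342360aa1656805f6dc23a1a0": "SteelFox payload",
    "5029b1db994cd17f2669e73ce0a0b71a": "SteelFox loader",
    "69a74c90d0298d2db34b48fa6c51e77d": "SteelFox setup (lpsad.exe)",
    "84b29b171541c8251651cabe1364b7b6": "SteelFox Adobe svc (AGS)",
}
IOC_DOMAINS = {"ankjdans.xyz", "www.cloudstaymoon.com"}
IOC_IPS = {"205.185.115.5"}
IOC_PATH_SUFFIXES = (  # lower-case tails of the report's persistence paths
    r"foxit software\foxit pdf editor\plugins\foxitpdfeditorupdateservice.exe",
    r"common files\adobe\adobegcclient\agsservice.exe",
    r"autodesk\adodis\v1\setup\lpsad.exe",
)
# Assumed environment policy: resolvers that are not the corporate DoH service,
# browsers that legitimately use DoH, and hardware-monitoring tools that are
# expected to open the WinRing0 device.
NONCORP_DOH = {"dns.google", "8.8.8.8", "8.8.4.4"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe"}
WINRING0_ALLOWLIST = {"openhardwaremonitor.exe"}
PROGRAM_FILES_RE = re.compile(r"\\program files( \(x86\))?\\", re.I)


def refang(s: str) -> str:
    """Turn defanged indicators (hxxps, [.]) back into matchable strings."""
    return s.replace("[.]", ".").replace("hxxp", "http")


def is_ioc_path(path: str) -> bool:
    p = path.lower()
    return any(p.endswith(suffix) for suffix in IOC_PATH_SUFFIXES)


def evaluate(ev: dict) -> list:
    """Return [(rule_name, detail), ...] for one telemetry record."""
    alerts = []
    kind = ev.get("type")
    if kind == "file":
        md5 = ev.get("md5", "").lower()
        if md5 in IOC_MD5:
            alerts.append(("ioc_hash", IOC_MD5[md5]))
        if is_ioc_path(ev.get("path", "")):
            alerts.append(("ioc_path", ev["path"]))
    elif kind == "service_install":  # e.g. a System log service-installed event
        image = ev.get("image_path", "")
        if PROGRAM_FILES_RE.search(image):
            alerts.append(("service_in_program_files", ev.get("name", "?")))
        if is_ioc_path(image):
            alerts.append(("ioc_path", image))
    elif kind == "device_open":
        dev = ev.get("device", "").lower()
        proc = ev.get("process", "").lower()
        if dev.startswith("\\\\.\\winring0") and proc not in WINRING0_ALLOWLIST:
            alerts.append(("winring0_access", ev.get("process")))
    elif kind == "network":
        dst = refang(ev.get("dst", "")).lower()
        proc = ev.get("process", "").lower()
        if dst in IOC_DOMAINS or dst in IOC_IPS:
            alerts.append(("ioc_c2", dst))
        if dst in NONCORP_DOH and ev.get("dport") == 443 and proc not in BROWSERS:
            alerts.append(("doh_noncorp", ev.get("process")))
    return alerts


def scan(events: list) -> list:
    """Apply evaluate() to every record; returns [(index, rule, detail), ...]."""
    return [(i, rule, detail) for i, ev in enumerate(events)
            for rule, detail in evaluate(ev)]


# Constructed telemetry modelled on the infection chain in the report.
SAMPLE_EVENTS = [
    {"type": "service_install", "name": "FoxitPDFEditorUpdateService",
     "image_path": r"C:\Program Files\Foxit Software\Foxit PDF Editor\plugins\FoxitPDFEditorUpdateService.exe"},
    {"type": "file", "path": r"C:\Users\alice\Downloads\foxitcrack.exe",
     "md5": "5029b1db994cd17f2669e73ce0a0b71a"},
    {"type": "device_open", "process": "AGSService.exe", "device": r"\\.\WinRing0_1_2_0"},
    {"type": "device_open", "process": "OpenHardwareMonitor.exe", "device": r"\\.\WinRing0_1_2_0"},
    {"type": "network", "process": "AGSService.exe", "dst": "dns.google", "dport": 443},
    {"type": "network", "process": "AGSService.exe", "dst": "ankjdans[.]xyz", "dport": 443},
    {"type": "network", "process": "chrome.exe", "dst": "dns.google", "dport": 443},
    {"type": "network", "process": "svchost.exe", "dst": "update.example.com", "dport": 443},
]

if __name__ == "__main__":
    for idx, rule, detail in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {rule} -> {detail}")
```

The allowlists are where the tuning happens: the WinRing0 rule only stays quiet if the hardware-monitoring tools your fleet actually runs are enumerated, and the DoH rule assumes browsers are the only processes expected to talk to public resolvers on 443. Hash and path matches are weakest on their own, since the report notes the binaries are frequently recompiled, so the behavioural rules carry most of the detection value.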


Amir H.


With over 15 years of experience, I am a dynamic digital content creator on YouTube, dedicated to crafting engaging content for a global audience. Over the past years, I have partnered with PUBG, regularly streaming live gameplay on my YouTube channel, which boasts 400k subscribers. Additionally, I serve as a professional web developer at Amilma Digital agency, where we have empowered numerous small, medium, and large enterprises to achieve their digital objectives. As a freelancer, I have collaborated with over 1,000 companies worldwide, leveraging my extensive skills in web development, graphic design, network administration and security, and video editing to deliver excellence in diverse and challenging projects. I also do some stuff for Google. I was honored as Influencer of the Year by SNL magazine in Bosnia and Herzegovina, receiving over 120k votes.
