SteelFox exploits Foxit PDF Editor and AutoCAD for banking data theft and covert crypto mining

Kaspersky experts uncovered a new and ongoing malicious campaign that exploits popular software, such as Foxit PDF Editor, AutoCAD and JetBrains. The attackers employ stealer malware to capture victims’ credit card information and details about their infected devices, while also operating as a cryptominer and secretly utilizing the power of infected computers to mine cryptocurrency. In just three months, Kaspersky’s technologies have thwarted over 11,000 attack attempts, with the majority of affected users located in Brazil, China, Russia, Mexico, the UAE, Egypt, Algeria, Vietnam, India, and Sri Lanka. In August 2024, Kaspersky’s Global Research and Analysis Team (GReAT) uncovered a series of attacks involving a previously unknown bundle of miner and stealer malware, which they dubbed SteelFox. The initial attack vector involves posts on forums and torrent trackers, where the SteelFox dropper is advertised as a way to activate legitimate software products for free. These droppers masquerade as cracks for popular programs such as Foxit PDF Editor, JetBrains, and AutoCAD. While they offer the promised functionality, they also deliver sophisticated malware directly onto users’ computers. The campaign consists of two main components: the stealer module, and a cryptominer. SteelFox gathers extensive information from victims’ computers, including browser data, account credentials, credit card information, and details about installed software and antivirus solutions. It can also capture Wi-Fi passwords, system information, and timezone data. Additionally, the attackers utilize a modified version of XMRig, an open-source miner, to leverage the power of infected devices for cryptocurrency mining, likely targeting Monero. Kaspersky research shows that the campaign has been active since at least February 2023 and continues to pose a threat today. Throughout its operation, while the cybercriminals behind the SteelFox campaign did not significantly change its functionality, they worked to modify its techniques and code to evade detection. “The attackers have gradually diversified their infection vectors, initially targeting Foxit Reader users. Once they confirmed that the malicious campaign was effective, they expanded their reach to include cracks for JetBrains products. Three months later, they began exploiting AutoCAD’s name as well. The campaign remains active, and we anticipate that they may start distributing their malware under the guise of other more popular products,” comments Dmitry Galov, Head of Research Center for Russia and CIS at Kaspersky’s GReAT. SteelFox operates on a large scale, affecting anyone who encounters the compromised software. From August to the end of October, Kaspersky security solutions detected over 11,000 attacks, with the majority of affected users located in Brazil, China, Russia, Mexico, the UAE, Egypt, Algeria, Vietnam, India, and Sri Lanka. To minimize risks of falling victims to such malicious campaigns, Kaspersky experts recommend: • Download applications only from official sources; • Regularly update your operating system and installed applications;