Skip to main content

SteelFox exploits Foxit PDF Editor and AutoCAD for banking data theft and covert crypto mining

November 6, 2024

Kaspersky’s Global Research and Analysis Team has uncovered a new and ongoing malicious campaign that exploits popular software, such as Foxit PDF Editor, AutoCAD and JetBrains. The attackers employ stealer malware to capture victims' credit card information and details about their infected devices, while also operating as a cryptominer and secretly utilizing the power of infected computers to mine cryptocurrency. In just three months, Kaspersky's technologies have thwarted over 11,000 attack attempts, with the majority of affected users located in Brazil, China, Russia, Mexico, the UAE, Egypt, Algeria, Vietnam, India, and Sri Lanka.

In August 2024, Kaspersky’s Global Research and Analysis Team (GReAT) uncovered a series of attacks involving a previously unknown bundle of miner and stealer malware, which they dubbed SteelFox.

The initial attack vector involves posts on forums and torrent trackers, where the SteelFox dropper is advertised as a way to activate legitimate software products for free. These droppers masquerade as cracks for popular programs such as Foxit PDF Editor, JetBrains, and AutoCAD. While they offer the promised functionality, they also deliver sophisticated malware directly onto users' computers.

The campaign consists of two main components: the stealer module, and a cryptominer. SteelFox gathers extensive information from victims' computers, including browser data, account credentials, credit card information, and details about installed software and antivirus solutions. It can also capture Wi-Fi passwords, system information, and timezone data. Additionally, the attackers utilize a modified version of XMRig, an open-source miner, to leverage the power of infected devices for cryptocurrency mining, likely targeting Monero.

GReAT research shows that the campaign has been active since at least February 2023 and continues to pose a threat today. Throughout its operation, while the cybercriminals behind the SteelFox campaign did not significantly change its functionality, they worked to modify its techniques and code to evade detection. “The attackers have gradually diversified their infection vectors, initially targeting Foxit Reader users. Once they confirmed that the malicious campaign was effective, they expanded their reach to include cracks for JetBrains products. Three months later, they began exploiting AutoCAD’s name as well. The campaign remains active, and we anticipate that they may start distributing their malware under the guise of other more popular products,” comments Dmitry Galov, Head of Research Center for Russia and CIS at Kaspersky’s GReAT.

SteelFox operates on a large scale, affecting anyone who encounters the compromised software. From August to the end of October, Kaspersky security solutions detected over 11,000 attacks, with the majority of affected users located in Brazil, China, Russia, Mexico, the UAE, Egypt, Algeria, Vietnam, India, and Sri Lanka.

To minimize risks of falling victims to such malicious campaigns, Kaspersky experts also recommend:

  • Download applications only from official sources.
  • Regularly update your operating system and installed applications.
  • Install a reliable security solution from a developer whose products are validated by independent testing laboratories, such as Kaspersky Premium.

Kaspersky’s products detect this threat as HEUR:Trojan.Win64.SteelFox.gen, Trojan.Win64.SteelFox.*.

Details of the malicious campaign are available on Securelist.com.

About Global Research & Analysis Team

Established in 2008, Global Research & Analysis Team (GReAT) operates at the very heart of Kaspersky, uncovering APTs, cyber-espionage campaigns, major malware, ransomware, and underground cyber-criminal trends across the world. Today GReAT consists of 40+ experts working globally – in Europe, Russia, Latin America, Asia, Middle East. Talented security professionals provide company leadership in anti-malware research and innovation, bringing unrivaled expertise, passion and curiosity to the discovery and analysis of cyberthreats.

SteelFox exploits Foxit PDF Editor and AutoCAD for banking data theft and covert crypto mining

Kaspersky’s Global Research and Analysis Team has uncovered a new and ongoing malicious campaign that exploits popular software, such as Foxit PDF Editor, AutoCAD and JetBrains. The attackers employ stealer malware to capture victims' credit card information and details about their infected devices, while also operating as a cryptominer and secretly utilizing the power of infected computers to mine cryptocurrency. In just three months, Kaspersky's technologies have thwarted over 11,000 attack attempts, with the majority of affected users located in Brazil, China, Russia, Mexico, the UAE, Egypt, Algeria, Vietnam, India, and Sri Lanka.
Kaspersky logo

About Kaspersky

Kaspersky is a global cybersecurity and digital privacy company founded in 1997. With over a billion devices protected to date from emerging cyberthreats and targeted attacks, Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection, specialized security products and services, as well as Cyber Immune solutions to fight sophisticated and evolving digital threats. We help over 200,000 corporate clients protect what matters most to them. Learn more at www.kaspersky.com.

Related Articles Press Releases