SteelFox malware is spreading through crack tools for AutoCAD, JetBrains, and Foxit PDF Editor — using a bring-your-own-vulnerable-driver (BYOVD) technique to escalate to NT SYSTEM privileges, then mines Monero while stealing data from 13 browsers including cookies and credit cards. HN44 also covers a large eBay malvertising campaign where scammers exploited Google Ads and eBay’s own developer portal search to display fake customer service phone numbers on a legitimate eBay domain.
Stories Covered
SteelFox: Crack Tool Dropper Escalates to SYSTEM via Vulnerable Driver, Mines Monero and Steals Browser Data
Kaspersky researchers identified SteelFox, a crimeware bundle distributed since at least February 2023 through forums, torrent trackers, and blog posts as crack tools for AutoCAD, JetBrains IDEs, and Foxit PDF Editor. The attack chain requires users to run the installer as administrator — standard practice for software installation — which grants the malicious dropper the access it needs to install a service running winring0.sys, a driver used legitimately by cryptocurrency mining software but vulnerable to CVE-2020-14979 and CVE-2021-41285. SteelFox exploits these driver vulnerabilities to escalate privileges from administrator to NT SYSTEM level — the highest privilege tier on Windows, above even standard admin accounts. SYSTEM-level access gives the malware control over protected files, kernel operations, and security tooling that administrator-level code cannot touch.
From that privileged position, SteelFox deploys two components in parallel. The first is a modified XMRig Monero miner that connects to a mining pool with hard-coded credentials, using SSL pinning and TLS 1.3 to protect C2 communications from interception. The C2 domain is hard-coded but rotates IP addresses via Google Public DNS and DNS-over-HTTPS, obscuring the backend infrastructure. The second component is an infostealer that extracts data from 13 web browsers — including cookies, saved credit cards, browsing history, search history, installed extensions, and system information including RDP connections and SIM card data. Kaspersky blocked SteelFox attacks across targets in Brazil, China, Russia, Mexico, UAE, Egypt, Algeria, Vietnam, India, and Sri Lanka. The malware’s C++ codebase and external library integration indicate a skilled developer.
The BYOVD technique — bringing a legitimate but vulnerable driver onto the target system to use as an escalation path — was previously associated with nation-state APTs and ransomware groups. SteelFox’s use of it in commodity crimeware represents a downmarket shift in technique sophistication. The social engineering angle is also worth noting: crack tools occupy a specific trust niche. A user downloading a crack explicitly wants software that behaves unusually — bypassing license checks, running as admin, modifying system files. That makes them more likely to click through security warnings and run the installer with elevated privileges. The practical advice is straightforward: software cracks are a high-risk initial access vector for exactly this reason, and the cost of a compromised system — stolen credit cards, hijacked sessions, a Monero miner burning CPU — far exceeds the cost of the software being cracked.
eBay Malvertising: Scammers Use Google Ads and eBay’s Own Portal to Fake Customer Service Numbers
Malwarebytes Labs documented a large malvertising campaign targeting eBay customers in the US through fraudulent Google search ads for “eBay phone number” and “eBay customer service.” The most technically clever variant exploited a structural quirk in how Google Ads validates advertiser domains. Google requires that the display URL in an ad match the destination domain. Scammers satisfied this requirement by targeting developer.ebay.com — eBay’s legitimate developer program portal — and constructing a search URL where the query string itself contained a fake customer service phone number. When a victim clicked the ad, they landed on developer.ebay.com (a real eBay domain), with a search interface showing what appeared to be a result for “eBay customer service” and a fraudulent phone number — entirely within eBay’s own infrastructure, displaying eBay’s own logo and branding.
Additional ads in the campaign redirected to fake eBay support pages hosted on cloud providers (including Bitbucket), with replicated eBay branding and prominent phone numbers. The ads were created from at least four different advertiser accounts — some belonging to legitimate entities whose accounts were likely compromised, some created from scratch. Malwarebytes reported the ads to Google. The scam follows the standard tech support fraud playbook: get the victim to call the number, then have a “support agent” claim there’s a problem with the account that requires urgent payment — typically via gift cards. The gift card signal is a reliable indicator of fraud: no legitimate company or government agency requests payment via gift card.
The domain validation trick is worth understanding because it exploits the gap between what a security rule intends to prevent and what it actually prevents. The rule (display URL domain must match destination domain) is designed to prevent ads that say “ebay.com” and go to “evil-site.com.” It does not prevent ads that go to a legitimate eBay URL that has been manipulated to display attacker-controlled content via query parameters. The defense is simple: if you need to contact a company’s support, go directly to their website by typing the URL rather than searching for a phone number. Any customer service number found via a Google search ad carries elevated risk.
Leave a Reply