Top Middle East Cyber Threats – November 12th, 2024
At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. As a result, we have our eyes keenly fixed on the cybersecurity threat landscape and are among the first in the region to learn and act upon new threats.
SteelFox Trojan Exploits Vulnerabilities and Steals Sensitive Data
A new crimeware sample, SteelFox, was recently discovered, showcasing a sophisticated malware chain that leverages shellcode, exploits Windows services, and abuses drivers to escalate privileges. Distributed through forums, torrent trackers, and blogs, SteelFox masquerades as popular software like Foxit PDF Editor and AutoCAD. It steals sensitive data, including bank card information and system details, while deploying a miner to exploit the victim’s resources.
Key Findings
- Distribution Channels: Forums, torrent trackers, and malicious blogs.
- Command-and-Control (C2) Communication: Uses secure communication with TLS 1.3 and SSL certificate pinning.
- Privilege Escalation: Exploits vulnerabilities (e.g., CVE-2020-14979, CVE-2021-41285) in the WinRing0.sys driver.
- Targeted Software: Foxit PDF Editor, AutoCAD, JetBrains products.
Technical Details
1. Infection Chain:
SteelFox is distributed via droppers disguised as legitimate software activators. The dropper appears functional but executes malicious payloads, delivering multi-stage malware.
2. Malware Features:
- Dropper: The initial executable decrypts and installs the secondary payload.
- Loader: A Windows service persistently runs the malware.
- Shellcode: Decrypts and executes final-stage payloads.
- Stealer: Extracts browser data (cookies, saved passwords, credit card information), system configurations, and network details.
- Miner: A modified XMRig executable that exploits victim resources for cryptocurrency mining.
3. Persistence Mechanisms:
- Uses Windows services and AppInfo to evade detection and maintain persistence.
- Injects into critical system processes.
4. Communication:
SteelFox communicates with its C2 server via a dynamic IP and DNS over HTTPS, using the Boost.Asio and wolfSSL libraries for secure connections.
SteelFox has been detected in over 11,000 systems globally, with the highest infection rates in multiple countries, including the United Arab Emirates.
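Two of the behaviours described above are observable in Windows event logs: the load of the vulnerable WinRing0.sys driver (Sysmon Event ID 6, DriverLoad) and the installation of a Windows service whose binary sits in a user-writable directory (System log Event ID 7045). The following triage routine is an added example, not code from Help AG or from the SteelFox research; the event records are constructed, and the 64-bit driver name WinRing0x64.sys is included from general knowledge rather than from this bulletin.

```python
import re

# Assumed detection inputs: dicts carrying the EventID plus the field names Sysmon
# (ImageLoaded) and the Service Control Manager (ImagePath) actually emit.
VULNERABLE_DRIVERS = {"winring0.sys", "winring0x64.sys"}  # x64 name not from the bulletin

# Service binaries under these roots are writable by an unprivileged user, which
# is where a dropper masquerading as a software activator typically lands.
USER_WRITABLE = re.compile(
    r"^(?:[a-z]:\\users\\|[a-z]:\\programdata\\|[a-z]:\\windows\\temp\\)", re.I
)


def triage_events(events):
    """Return (event_id, reason, path) findings for records matching SteelFox TTPs."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 6:  # Sysmon DriverLoad: flag known-vulnerable driver by file name
            image = ev.get("ImageLoaded", "")
            name = image.rsplit("\\", 1)[-1].lower()
            if name in VULNERABLE_DRIVERS:
                findings.append((6, "known-vulnerable driver loaded", image))
        elif eid == 7045:  # new service installed: flag binary in user-writable path
            path = ev.get("ImagePath", "").strip('"')
            if USER_WRITABLE.match(path):
                findings.append((7045, "service binary in user-writable path", path))
    return findings


# Constructed sample records: one benign and one suspicious entry of each type.
SAMPLE_EVENTS = [
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\ntfs.sys"},
    {"EventID": 6, "ImageLoaded": r"C:\Users\alice\AppData\Roaming\WinRing0.sys"},
    {"EventID": 7045, "ServiceName": "WinSvcHost",
     "ImagePath": r"C:\ProgramData\WinSvcHost\svc.exe"},
    {"EventID": 7045, "ServiceName": "Spooler",
     "ImagePath": r"C:\Windows\System32\spoolsv.exe"},
]

if __name__ == "__main__":
    for eid, reason, path in triage_events(SAMPLE_EVENTS):
        print(f"[{eid}] {reason}: {path}")
```

The driver rule matches on file name only, so it also catches a renamed copy dropped outside the drivers directory; pairing it with the driver's signer and hash in production reduces false positives.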
RECOMMENDATIONS
- Ensure all systems are patched and updated.
- Avoid clicking on or opening untrusted or unknown links, files, or attachments.
- Enforce a strong password policy and ensure the use of MFA.
- Restrict VPN and RDP usage and monitor for suspicious connections.
- Use RBAC and regularly audit privileged accounts.
- Monitor your network for abnormal behaviors and IoCs.
- Ensure frequent backups are in place.
- Educate employees about detecting and reporting phishing or suspicious emails.
Google Releases Security Update Fixing Vulnerabilities in Chrome
Google has published a security update addressing multiple vulnerabilities in the Chrome browser, which are fixed in the latest Chrome release (130.0.6723.116/.117 for Windows and Mac, and 130.0.6723.116 for Linux).
The update includes 2 security fixes contributed by external researchers. Both of the 2 contributed fixes are described as use-after-free bugs and are rated High severity.
RECOMMENDATIONS
- Ensure all systems are patched and updated.
References
https://securelist.ru/steelfox-trojan-drops-stealer-and-miner/110964/
https://chromereleases.googleblog.com/2024/11/stable-channel-update-for-desktop.html