Infostealers are using BYOVD to steal critical system data – Source: www.csoonline.com

Source: www.csoonline.com – Author:

Kaspersky Labs claims to have blocked over 11k info-stealing attempts that used the BYOVD technique.

Threat actors are dropping a new info-stealer on Windows systems that uses the bring your own vulnerable driver (BYOVD) technique to extract victims’ browser data, software details, and credit card data, along with other system details.

The global cybersecurity company Kaspersky Labs said it observed more than 11,000 attack attempts in the last three months across countries including Russia, China, India, Brazil, and Mexico.

“In August 2024, Kaspersky’s Global Research and Analysis Team (GReAT) uncovered a series of attacks involving a previously unknown bundle of miner and stealer malware, which they dubbed SteelFox,” Kaspersky Labs said in a blog post.

The malware, which was observed being distributed through forums and torrent trackers, also included a crypto-mining module to exploit the infected systems’ computing resources.

According to Kaspersky, the forum posts carrying the SteelFox dropper advertise it as a free activation crack for legitimate software products, such as Fox PDF Editor, AutoCAD, and JetBrains.

Elaborating on an instance of the initial attack vector used, Kaspersky said, “The initial stage of the SteelFox campaign is an AMD64 executable under the name foxitcrack.exe with a large .rdata section.”

While the payload included the promised functionality, which in itself amounts to software piracy, it also delivered “sophisticated” malware directly onto users’ computers.

Because Foxit’s installation directory resides in the “Program Files” folder, Kaspersky noted that FoxitCrack asks for administrator access, which is later used for malicious purposes.

Privilege escalation through vulnerable driver

At some point during the legitimate-looking execution chain, malicious files are unpacked, dropping the SteelFox malware onto the victim machine. The stealer collects browser data, including cookies, credit card data, and browsing history, as well as software details such as installed software, antivirus solutions, running services, and installed add-ons.

The malware can also collect system info (build, version), network details (WiFi, passwords), and memory process info.

Upon execution, the SteelFox payload uses the administrator rights it has obtained to create a Windows service that loads WinRing0.sys, a vulnerable driver that allows privilege escalation to the SYSTEM level.

The WinRing0.sys driver, which grants the highest level of access on the local system, is also bundled with the crypto-mining module, which is based on the open-source XMRig program.

Using the BYOVD technique for privilege escalation has been typical of nation-state actors and ransomware groups, and is rarely observed with info-stealers. Microsoft Windows is the operating system most affected by BYOVD, owing to its lax vulnerable-driver blocklist.

In 2021, however, Microsoft said that drivers with confirmed security vulnerabilities would be blocked by default on Windows 10 devices with Hypervisor-Protected Code Integrity (HVCI) enabled, through a blocklist that is updated automatically via Windows Update.
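Since the technique described above hinges on a newly registered kernel-mode service pointing at a known-vulnerable driver, one defensive check is to review service-installation events (Windows System log, Event ID 7045). The following is an added example, not code from Kaspersky or CSO Online; the event records are constructed samples in a simplified key=value form, and the vulnerable-driver list is one an analyst would maintain, seeded here with the driver named in the report.

```python
"""Flag Event ID 7045 records that register a kernel-mode driver which is
either a known-vulnerable driver or is loaded from outside the normal
Windows driver directory. Sample records below are constructed."""
import re

# Analyst-maintained list of vulnerable driver names (lower-case basenames).
# WinRing0.sys is the driver the SteelFox report describes being abused.
VULNERABLE_DRIVERS = {"winring0.sys"}

# Legitimate drivers normally live under <Windows>\System32\drivers, written
# either as \SystemRoot\... or as an NT path prefixed with \??\<drive>:\Windows.
TRUSTED_DRIVER_DIR = re.compile(
    r"^(\\\?\?\\)?(\\SystemRoot|[A-Za-z]:\\Windows)\\System32\\drivers\\[^\\]+$",
    re.IGNORECASE,
)

# Constructed 7045-style records: field=value pairs separated by '|'.
SAMPLE_7045 = [
    r"ServiceName=exampledisk|ImagePath=\SystemRoot\System32\drivers\exampledisk.sys|ServiceType=kernel mode driver|StartType=boot start",
    r"ServiceName=updatersvc|ImagePath=C:\Program Files\Example\updater.exe|ServiceType=user mode service|StartType=auto start",
    r"ServiceName=drvsvc|ImagePath=\??\C:\Users\victim\AppData\Local\Temp\WinRing0.sys|ServiceType=kernel mode driver|StartType=demand start",
    r"ServiceName=helperdrv|ImagePath=\SystemRoot\System32\drivers\WinRing0.sys|ServiceType=kernel mode driver|StartType=demand start",
]


def parse_7045(line):
    """Split one constructed record into a dict of its fields."""
    return dict(kv.split("=", 1) for kv in line.split("|"))


def assess(record):
    """Return a list of reasons the record is suspicious, or None if clean.
    Only kernel-mode driver services are considered; user-mode services are ignored."""
    if record.get("ServiceType", "").lower() != "kernel mode driver":
        return None
    path = record.get("ImagePath", "")
    basename = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    reasons = []
    if basename in VULNERABLE_DRIVERS:
        reasons.append(f"known vulnerable driver {basename}")
    if not TRUSTED_DRIVER_DIR.match(path):
        reasons.append("driver loaded from outside System32\\drivers")
    return reasons or None


def scan(lines):
    """Map each flagged ServiceName to its list of reasons."""
    findings = {}
    for line in lines:
        record = parse_7045(line)
        reasons = assess(record)
        if reasons:
            findings[record["ServiceName"]] = reasons
    return findings
```

Note that the fourth sample is flagged purely on the driver name: a vulnerable driver copied into System32\drivers is still vulnerable, which is why the name check and the path check are kept independent.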

Original Post url: https://www.csoonline.com/article/3600750/infostealers-are-using-byovd-to-steal-critical-system-data.html

Category & Tags: Security, Vulnerabilities
