CVE-2020-14979
Published 2020-08-11
Priority: P2 · CVSS 3.1: 7.8 (High)
Vector: AV:L / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
In the wild: VulnCheck KEV (exploited in the wild)
EPSS: 0.60% (44.5th percentile)
The WinRing0.sys and WinRing0x64.sys drivers 1.2.0 in EVGA Precision X1 through 1.0.6 allow local users, including low integrity processes, to read and write to arbitrary memory locations. This allows any user to gain NT AUTHORITY\SYSTEM privileges by mapping \Device\PhysicalMemory into the calling process.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| evga | precision_x1 | <= 1.0.6 | — |
| winring0_project | winring0 | — | — |
Detection & IOCs (extracted from sources)
- Alert on any process opening or mapping the \Device\PhysicalMemory section; this is the exploitation primitive CVE-2020-14979 uses to reach NT AUTHORITY\SYSTEM from a low-integrity process.
- Hunt for foxitcrack.exe on disk or in process telemetry; it is the SteelFox dropper masquerading as a Foxit PDF Editor crack and is the initial delivery vehicle for the driver that exploits CVE-2020-14979.
- Monitor outbound DNS resolution for ankjdans[.]xyz, especially via DNS-over-HTTPS to Google Public DNS (8.8.8.8/8.8.4.4); SteelFox uses DoH to hide C2 domain resolution, so a plain DNS log may never show the query.
- Detect the AppInfo service being started by a non-system process followed by DLL injection into it; SteelFox loads itself inside AppInfo so that it cannot be removed without NT AUTHORITY\SYSTEM privileges.
- Flag downloads or network connections to github[.]com/cppdev-123 repositories, which host and update the XMRig miner component dropped by SteelFox.
- The C2 domain ankjdans[.]xyz uses dynamically rotating IP addresses, so IP-based blocking alone is insufficient; domain-level blocking or DoH inspection is required.
- The WinRing0.sys driver is also a legitimate component of XMRig, so its presence alone will generate false positives in mining environments; correlate with the pipe name and with privilege-escalation behaviour such as the \Device\PhysicalMemory mapping above.
- The XMRig component is periodically updated at the GitHub repository to evade detection of older versions, so hash-based detections will need frequent updates.
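The indicators above, turned into one correlation pass over process, driver, DNS and network telemetry. This is an added example written for this page, not code from VulnCheck, Kaspersky or the SteelFox research; the event schema (dicts with a "type" key), the host names, the process IDs and every sample event are constructed, and the severity tiers are an assumption. The WinRing0 rule follows the caveat in the list: a driver load on its own is only informational and is raised to high when the same host also shows a \Device\PhysicalMemory mapping.

```python
"""Toy detection pass for the SteelFox / CVE-2020-14979 indicators listed above.

Added example, not code from the original page or from the SteelFox research.
The event schema (dicts with a "type" key) and the sample events are
constructed for illustration; map them onto your own EDR/Sysmon fields.
"""
import re

C2_DOMAIN = "ankjdans.xyz"                       # refanged from ankjdans[.]xyz
GOOGLE_DNS = {"8.8.8.8", "8.8.4.4"}              # DoH target used to hide resolution
XMRIG_REPO = re.compile(r"github\.com/cppdev-123(/|$)", re.I)
WINRING0 = re.compile(r"(^|\\)winring0(x64)?\.sys$", re.I)
SYSTEM_USERS = {"NT AUTHORITY\\SYSTEM", "S-1-5-18"}

# Constructed sample telemetry: one infected workstation ("ws01") and one
# legitimate mining rig ("rig07") that loads the same WinRing0 driver.
SAMPLE_EVENTS = [
    {"host": "ws01", "type": "process_create", "pid": 3001, "image": r"C:\Users\bob\Downloads\foxitcrack.exe"},
    {"host": "ws01", "type": "driver_load", "pid": 4, "image": r"C:\Windows\Temp\WinRing0x64.sys"},
    {"host": "ws01", "type": "section_open", "pid": 3001, "object": r"\Device\PhysicalMemory"},
    {"host": "ws01", "type": "service_start", "pid": 4120, "service": "Appinfo", "user": r"DESKTOP\bob"},
    {"host": "ws01", "type": "remote_thread", "pid": 3001, "target_pid": 4120},
    {"host": "ws01", "type": "net_connect", "pid": 4120, "dst_ip": "8.8.8.8", "dst_port": 443, "proto": "tcp"},
    {"host": "ws01", "type": "dns_query", "pid": 4120, "query": "ankjdans.xyz"},
    {"host": "ws01", "type": "http_request", "pid": 4120, "url": "https://github.com/cppdev-123/xmrig/releases"},
    {"host": "rig07", "type": "driver_load", "pid": 4, "image": r"C:\xmrig\WinRing0x64.sys"},
    {"host": "rig07", "type": "dns_query", "pid": 900, "query": "pool.example.net"},
]


def detect(events):
    """Return a list of (host, severity, rule, detail) findings for the events."""
    findings = []
    appinfo_pids = {}      # (host, pid) -> user, for Appinfo started by a non-SYSTEM principal
    winring0_hosts = set()  # hosts that loaded WinRing0*.sys (informational on its own)
    physmem_hosts = set()   # hosts where a process opened \Device\PhysicalMemory
    for e in events:
        host, t = e["host"], e["type"]
        if t == "section_open" and e["object"].lower() == r"\device\physicalmemory":
            physmem_hosts.add(host)
            findings.append((host, "high", "physmem_map", f"pid {e['pid']} opened \\Device\\PhysicalMemory"))
        elif t == "process_create" and e["image"].lower().endswith("\\foxitcrack.exe"):
            findings.append((host, "high", "steelfox_dropper", e["image"]))
        elif t == "dns_query" and e["query"].lower().rstrip(".") == C2_DOMAIN:
            findings.append((host, "high", "c2_domain", e["query"]))
        elif t == "net_connect" and e["dst_ip"] in GOOGLE_DNS and e["dst_port"] == 443:
            # DNS to 8.8.8.8:53 is ordinary; TCP/443 to Google Public DNS is DoH.
            findings.append((host, "medium", "doh_to_google", f"pid {e['pid']} -> {e['dst_ip']}:443"))
        elif t == "http_request" and XMRIG_REPO.search(e["url"]):
            findings.append((host, "medium", "xmrig_repo", e["url"]))
        elif t == "service_start" and e["service"].lower() == "appinfo" and e["user"] not in SYSTEM_USERS:
            appinfo_pids[(host, e["pid"])] = e["user"]
        elif t == "remote_thread" and (host, e["target_pid"]) in appinfo_pids:
            findings.append((host, "high", "appinfo_injection",
                             f"pid {e['pid']} injected into Appinfo pid {e['target_pid']}"))
        elif t == "driver_load" and WINRING0.search(e["image"]):
            winring0_hosts.add(host)
    # WinRing0 alone is legitimate in XMRig deployments; escalate only when correlated.
    for host in sorted(winring0_hosts):
        if host in physmem_hosts:
            findings.append((host, "high", "winring0_driver", "correlated with \\Device\\PhysicalMemory mapping"))
        else:
            findings.append((host, "info", "winring0_driver", "no escalation behaviour seen"))
    return findings


if __name__ == "__main__":
    for host, sev, rule, detail in detect(SAMPLE_EVENTS):
        print(f"{host:6} {sev:6} {rule:18} {detail}")
```

On the constructed input, `detect(SAMPLE_EVENTS)` produces seven findings for ws01 and a single informational WinRing0 finding for rig07. Note that when resolution really goes over DoH, as the list describes, no dns_query event is generated at all, so the doh_to_google connection rule is the one that fires; keep both rules rather than relying on the DNS log.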
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.2 | HIGH | AV:L/AC:L/Au:N/C:C/I:C/A:C |
| vulncheck | — | 7.8 | HIGH | — |
No detection rules found.
No public exploits indexed.
Securelist
New SteelFox Trojan mimics software activators, stealing sensitive data and mining cryptocurrency
blogs_securelist · 2024-11-06 · Author: Kirill Korchemny
(also indexed as "SteelFox Trojan imitates popular products to drop stealer and miner malware")
Contents: Introduction; Technical Details (Background, Initial infection, SteelFox dropper, SteelFox loader, SteelFox final stage); Victims; Attribution; Conclusions; Indicators of Compromise
## Introduction
In August 2024, our team identified a new crimeware bundle, which we named “SteelFox”. Delivered via sophisticated execution chains including shellcoding, this threat abuses Windows services and drivers. It spreads via forum posts, torrent trackers and blogs, imitating popular software like Foxit PDF Editor and AutoCAD. It also uses stealer malware to extract the victim’s credit card data as well as details about the infected device.
This report in a nutshell:
- SteelFox is distributed via forum posts and malicious torrents.
- It communicates with its C2 via SSL pinning and TLSv1.3. It utilizes a domain with a dynamically…
Bleepingcomputer
New SteelFox malware hijacks Windows PCs using vulnerable driver
blogs_bleepingcomputer · 2024-11-06 · CVSS 7.8 (HIGH) · Author: Bill Toulas
A new malicious package called 'SteelFox' mines for cryptocurrency and steals credit card data by using the “bring your own vulnerable driver” technique to get SYSTEM privileges on Windows machines.
The malware bundle dropper is distributed through forums and torrent trackers as a crack tool that activates legitimate versions of various software like Foxit PDF Editor, JetBrains and AutoCAD.
Using a vulnerable driver for privilege escalation is common for state-sponsored threat actors and ransomware groups. However, the technique now appears to extend to info-stealing malware attacks.
Kaspersky researchers discovered the SteelFox campaign in August but say that the malware has been around since February…