CVE-2021-41285
Published: 2021-10-04
Priority: P2 78 · CVSS 3.1 base score 7.8 (High) · Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploited in the wild (ITW): listed in VulnCheck KEV
EPSS: 0.52% (40.2th percentile)
Ballistix MOD Utility through 2.0.2.5 is vulnerable to privilege escalation in the MODAPI.sys driver component. The vulnerability is triggered by sending a specific IOCTL request that allows low-privileged users to directly interact with physical memory via the MmMapIoSpace function call (mapping physical memory into a virtual address space). Attackers could exploit this issue to achieve local privilege escalation to NT AUTHORITY\SYSTEM.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| micron | ballistix_memory_overview_display_utility | <= 2.0.2.5 | — |
Detection & IOCs (extracted from sources)
- Alert on processes calling MmMapIoSpace via IOCTL to WinRing0.sys, as this is the mechanism used to map physical memory into virtual address space for privilege escalation.
- Detect DNS-over-HTTPS (DoH) queries to Google Public DNS used to resolve the hardcoded C2 domain, bypassing traditional DNS monitoring.
- Hunt for processes launching from or registering as the AppInfo service, as SteelFox abuses this service for persistence, requiring NT\SYSTEM to interact with the loader.
- The C2 domain ankjdans[.]xyz uses dynamically rotating IP addresses, so IP-based blocking alone is insufficient; domain-level blocking or DoH inspection is required.
- The WinRing0.sys driver is also a legitimate component of the XMRig miner, so its presence alone may generate false positives in mining-related environments; correlate with pipe name and IOCTL activity.
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.2 | HIGH | AV:L/AC:L/Au:N/C:C/I:C/A:C |
| vulncheck | — | 7.8 | HIGH | — |
GHSA
GHSA-5h78-qw4w-6wq5 (ghsa_unreviewed · 2022-05-24): CVE-2021-41285 [HIGH], CWE-269. The advisory text is identical to the description above.
VulnCheck
Ballistix MOD Utility MODAPI.sys Privilege Escalation Vulnerability (vulncheck · 2021 · CVSS 7.8, CVE-2021-41285 [HIGH])
The VulnCheck description is identical to the description above.
Affected: micron ballistix_memory_overview_display_utility
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://securelist.com/steelfox-trojan-drops-s
No detection rules found.
No public exploits indexed.
Securelist
New SteelFox Trojan mimics software activators, stealing sensitive data and mining cryptocurrency (blogs_securelist · 2024-11-06)
Table of Contents
- Introduction
- Technical Details
  - Background
  - Initial infection
  - SteelFox dropper
  - SteelFox loader
  - SteelFox final stage
- Victims
- Attribution
- Conclusions
- Indicators of Compromise
Authors
- Kirill Korchemny
The introduction excerpt is the same as in the next Securelist entry (an alternate title for the same article).
Securelist
SteelFox Trojan imitates popular products to drop stealer and miner malware (blogs_securelist · 2024-11-06)
Table of Contents
- Introduction
- Technical Details
- Victims
- Attribution
- Conclusions
- Indicators of Compromise
Authors
- Kirill Korchemny
## Introduction
In August 2024, our team identified a new crimeware bundle, which we named “SteelFox”. Delivered via sophisticated execution chains including shellcoding, this threat abuses Windows services and drivers. It spreads via forum posts, torrent trackers and blogs, imitating popular software like Foxit PDF Editor and AutoCAD. It also uses stealer malware to extract the victim’s credit card data as well as details about the infected device.
This report in a nutshell:
- SteelFox is distributed via forum posts and malicious torrents.
- It communicates with its C2 via SSL pinning and TLSv1.3. It utilizes a domain with a dynamically
Bleepingcomputer
New SteelFox malware hijacks Windows PCs using vulnerable driver (blogs_bleepingcomputer · 2024-11-06 · CVSS 7.8 [HIGH])
Authors
- Bill Toulas
A new malicious package called 'SteelFox' mines for cryptocurrency and steals credit card data by using the “bring your own vulnerable driver” technique to get SYSTEM privileges on Windows machines.
The malware bundle dropper is distributed through forums and torrent trackers as a crack tool that activates legitimate versions of various software like Foxit PDF Editor, JetBrains and AutoCAD.
Using a vulnerable driver for privilege escalation is common for state-sponsored threat actors and ransomware groups. However, the technique now appears to extend to info-stealing malware attacks.
Kaspersky researchers discovered the SteelFox campaign in August but say that the malware has been around since February
References
- https://github.com/VoidSec/Exploit-Development/blob/master/windows/x64/kernel/crucial_Ballistix_MOD_Utility_v.2.0.2.5/crucial_Ballistix_MOD_Utility_v.2.0.2.5_memory_dump_PoC.cpp
- https://voidsec.com/crucial-mod-utility-lpe-cve-2021-41285/