
Fox Stealer

Posted: April 11, 2019

The Fox Stealer is spyware and a variant of Fareit, a threat that specializes in collecting login credentials for FTP services. Since the Fox Stealer passes passwords and other information to threat actors without the victim's consent, victims should disable their network connections immediately and make re-securing their accounts part of any disinfection strategy. Traditional anti-malware products should have no issues with deleting a Fox Stealer installation or, ideally, preventing it.

Ponies Getting a Little Foxy

A 2016 update to Fareit, AKA Pony spyware, is getting a fresh deployment in 2019. This campaign may surprise those who remember the arrest, by Russian authorities, of the criminals who were selling the first version of the update, Fox Stealer or Ponyforx. The new campaign that malware researchers are confirming this year includes exploit kit-based installation attacks and additional, not-yet-analyzed features in its payload.

The new version of the Fox Stealer is being rented out to third-party criminals for a fee of two hundred and fifty USD per month. The only campaign using it whose live activity malware analysts have verified is courtesy of the Godzilla or AfraidGate group, which uses the Neutrino Exploit Kit to compromise Web surfers' PCs through software vulnerabilities and drop various threats, including spyware. Outdated software and indiscriminately-enabled features like JavaScript tend to correlate with successful drive-by downloads from EKs like this one.

While not all of the Fox Stealer's improvements are available for perusal, and the threat actors aren't selling its source code, it keeps all of the old features of Fareit. Accordingly, it's a C++ Windows threat that collects passwords and usernames, especially from FTP clients. Its list of FTP targets includes FileZilla, CoreFTP, FTPShell, CuteFTP, and dozens of others. It can also recover credentials that a client stores in encrypted form, although it offloads this decryption to a remote server after transferring the encrypted information.

Going on a Fox Hunt to Stop a Password Robbery

The Fox Stealer is just as much of a problem for unprotected Web surfers as its old versions were in past years. Stopping its current propagation strategy depends on updating your software to patch vulnerabilities and disabling possible avenues for attack (such as JavaScript served from a corrupted domain). Exposure to the Neutrino Exploit Kit through compromised sites can also infect your PC with other threats carrying less-specialized payloads than the Fox Stealer's, such as file-locker Trojans or other forms of ransomware.

Fox Stealer infections show no symptoms of visual significance to the victims, whose only clues to the attack arrive after threat actors begin misusing the stolen login data. Users should disable network connectivity to halt any further theft and change all passwords as soon as possible. Anti-malware technology may remove the Fox Stealer safely but can't re-secure any of your stolen information.
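After an infection, the practical task is knowing which stored accounts to rotate. As an added example (not from this article or any vendor), the following script lists the host/user pairs saved in FileZilla's sitemanager.xml, one of the clients named above, without reading the stored secrets; the sample file is constructed, and the exact file layout is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the layout FileZilla uses for sitemanager.xml (an
# assumption about the exact layout; the real file lives in the user's
# FileZilla profile directory). Saved passwords appear as <Pass encoding="base64">.
SAMPLE_SITEMANAGER = """<FileZilla3 version="3.40.0" platform="windows">
  <Servers>
    <Server>
      <Host>ftp.example.test</Host><Port>21</Port><Protocol>0</Protocol>
      <User>webadmin</User>
      <Pass encoding="base64">cGFzc3dvcmQ=</Pass>
      <Name>Production site</Name>
    </Server>
    <Server>
      <Host>sftp.example.test</Host><Port>22</Port><Protocol>1</Protocol>
      <User>deploy</User>
      <Name>Staging (no saved password)</Name>
    </Server>
  </Servers>
</FileZilla3>
"""


def rotation_list(xml_text):
    """Return (host, user, stored) triples for every saved site.

    stored=True means a password sits on disk in a form an infostealer can
    harvest; the secret itself is never read or decoded here.
    """
    root = ET.fromstring(xml_text)
    entries = []
    for server in root.iter("Server"):
        host = server.findtext("Host", "")
        user = server.findtext("User", "")
        stored = server.find("Pass") is not None
        entries.append((host, user, stored))
    return entries


def at_risk(xml_text):
    """Accounts whose password was saved: change these (from a clean
    machine) before reconnecting the infected host to the network."""
    return [(h, u) for h, u, s in rotation_list(xml_text) if s]


if __name__ == "__main__":
    for host, user in at_risk(SAMPLE_SITEMANAGER):
        print(f"rotate password for {user}@{host}")
```

Point it at the real sitemanager.xml to get a rotation checklist for every FTP account the client had on disk; the same idea applies to the other clients the stealer targets, each with its own credential store.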

The Fox Stealer's availability in the current year is big news for threat actors wanting to collect information without coding the spyware that does the hard work. Even though its code base is more than a little old, its bite should be as sharp as any predator's.