STEELHOOK

Malware

⚠️ Overview

STEELHOOK is an advanced information-stealing malware family first documented in public threat intelligence reports around mid-2022 by Cofense and Proofpoint researchers. It is classified as a credentials stealer and information stealer (infostealer), primarily operated by a financially motivated cybercriminal group tracked as Tropas-1 or Steelhook Stealer. The malware targets Windows systems to harvest browser credentials, session cookies, cryptocurrency wallet files, and system information for subsequent account takeover and data exfiltration.

🔧 Technical Capabilities

STEELHOOK propagates via phishing emails containing malicious Microsoft Office documents (XLSX, DOCX) that exploit the Follina vulnerability (CVE-2022-30190) to download the payload. It employs a multi-stage downloader that communicates with command-and-control (C2) servers over HTTPS, using JSON-based API endpoints to exfiltrate stolen data. Persistence is achieved through scheduled tasks or registry Run keys (HKCU\Software\Microsoft\Windows\CurrentVersion\Run). Evasion techniques include code obfuscation, anti-debugging checks, and sleep calls intended to outlast sandbox analysis. The stealer module also targets browser localStorage, autofill data, and FTP client credentials from FileZilla and WinSCP.

📜 History & Notable Incidents

First observed in the wild in April 2022, STEELHOOK was linked to a large-scale phishing campaign targeting logistics and manufacturing firms in the Asia-Pacific region. In October 2022, Cofense published a technical analysis (Cofense Intelligence report) detailing the use of CVE-2022-30190 in its infection chain. No law enforcement actions have been publicly attributed to this malware family as of early 2024. MITRE ATT&CK techniques used include T1566.001 (Spearphishing Attachment), T1059.003 (Windows Command Shell), and T1114 (Email Collection).

🔍 Detection Indicators

Known file hashes include SHA-256 a1b2c3d4e5f6...7890 (variant A) and dozens of others documented in VirusTotal community submissions. Behavioral indicators: creation of scheduled tasks named MicrosoftEdgeUpdateTask or OneDriveSync, and network connections to IPs on port 443 with user-agent strings like Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko). Registry keys such as HKCU\Software\SteelHook are often created for configuration storage. Mutex names include SteelHook_SessionMutex.

☠️ Risk & Impact

STEELHOOK poses a high risk for data exfiltration, particularly credential theft leading to lateral movement and ransomware deployment. Affected sectors include logistics, manufacturing, and financial services, with observed campaigns targeting over 200 organizations globally. The potential for financial loss is substantial, as stolen credentials can be sold on darknet markets or used in business email compromise (BEC) attacks. Individual victims may experience account takeover and identity theft.

🛡️ Mitigation

Apply Microsoft's security patch for CVE-2022-30190 (the MSDT vulnerability) and disable the MSDT URL protocol. Deploy endpoint detection and response (EDR) rules to detect msdt.exe spawning child processes, and implement email filtering to block malicious Office attachments with macros. Regular user awareness training on phishing and updated antivirus signatures are essential.
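The behavioral indicators listed under Detection Indicators and the msdt.exe child-process rule recommended above can be turned into a small host-telemetry triage check. The following is an added example written for this page, not tooling from Boteraser or any vendor report; the event tuples are constructed, simplified Sysmon-style records, and the tag names and helper functions are assumptions of the example.

```python
import re

# Constructed sample events (not real telemetry), simplified to:
# (event_type, parent_image, image_or_registry_target, command_line)
SAMPLE_EVENTS = [
    ("process", r"C:\Windows\System32\msdt.exe", r"C:\Windows\System32\cmd.exe",
     "cmd.exe /c whoami"),
    ("process", r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\schtasks.exe",
     r'schtasks /create /tn "MicrosoftEdgeUpdateTask" /tr C:\Users\u\AppData\Roaming\upd.exe'),
    ("registry", "", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater", ""),
    ("registry", "", r"HKCU\Software\SteelHook\config", ""),
    ("process", r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]

# Indicator values taken from the page; the match logic below is the example's own.
SUSPICIOUS_TASK_NAMES = {"microsoftedgeupdatetask", "onedrivesync"}
RUN_KEY = r"hkcu\software\microsoft\windows\currentversion\run"
STEELHOOK_KEY = r"hkcu\software\steelhook"
TASK_NAME_RE = re.compile(r'/tn\s+"?([^"\s]+)"?', re.IGNORECASE)


def classify(event):
    """Return the list of alert tags for one event (empty list means nothing matched)."""
    kind, parent, target, cmdline = event
    tags = []
    if kind == "process":
        # Follina-style abuse: msdt.exe should not be a parent of other processes.
        if parent.lower().endswith("\\msdt.exe"):
            tags.append("msdt_child_process")
        # Scheduled-task creation using one of the task names reported for STEELHOOK.
        if target.lower().endswith("\\schtasks.exe"):
            m = TASK_NAME_RE.search(cmdline)
            if m and m.group(1).lower() in SUSPICIOUS_TASK_NAMES:
                tags.append("steelhook_task_name")
    elif kind == "registry":
        key = target.lower()
        if key.startswith(RUN_KEY):            # Run-key persistence (any value name)
            tags.append("run_key_persistence")
        if key.startswith(STEELHOOK_KEY):      # configuration key named on the page
            tags.append("steelhook_config_key")
    return tags


def scan(events):
    """Map event index -> alert tags, keeping only events that raised at least one tag."""
    return {i: classify(e) for i, e in enumerate(events) if classify(e)}


if __name__ == "__main__":
    for idx, tags in scan(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx][2], tags)
```

The Run-key check deliberately fires on any value under the key, so it will also flag legitimate software; treat it as an enrichment signal and rely on the task-name and msdt.exe parent checks for higher-confidence alerts.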


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.