Aurora infostealer malware increasingly adopted by cybergangs

    alf9872000


    Cybercriminals are increasingly turning to a new Go-based information stealer named ‘Aurora’ to steal sensitive information from browsers and cryptocurrency apps, exfiltrate data directly from disks, and load additional payloads.


    According to cybersecurity firm SEKOIA, at least seven notable cybergangs with significant activity have adopted Aurora exclusively, or along with Redline and Raccoon, two other established information-stealing malware families.


[Image: cybergang boasting its use of Aurora alongside Raccoon. Source: SEKOIA]

The reason for this sudden rise in popularity is Aurora's low detection rate: the stealer is still largely unknown to security products, so its infections are less likely to be caught.

At the same time, Aurora offers advanced data-stealing features and, presumably, stable infrastructure and functionality.

    Aurora history

    Aurora was first announced in April 2022 on Russian-speaking forums, advertised as a botnet project with state-of-the-art info-stealing and remote access features.

As KELA reported earlier this year, Aurora's author was looking to form a small team of testers to make sure the final product would be good enough.

However, in late August 2022, SEKOIA noticed that Aurora was being advertised as a stealer only, indicating that the project had abandoned its goal of becoming a multi-function tool.

    The highlight features listed in the promotional posts are:

    • Polymorphic compilation that doesn’t require crypter wrapping
    • Server-side data decryption
    • Targets over 40 cryptocurrency wallets
    • Automatic seed phrase deduction for MetaMask
    • Reverse lookup for password collection
    • Runs on TCP sockets
    • Communicates with C2 only once, during license check
    • Fully native small payload (4.2 MB) requiring no dependencies


These features are geared towards stealth, which is Aurora's main selling point over other popular info-stealers.

    The cost to rent the malware was set to $250 per month or $1,500 for a lifetime license.

    Stealer analysis

Upon execution, Aurora runs several commands through WMIC to collect basic host information, takes a screenshot of the desktop, and sends everything to the C2.

[Image: commands Aurora executes upon launch. Source: SEKOIA]

    Next, the malware targets data stored in multiple browsers (cookies, passwords, history, credit cards), cryptocurrency browser extensions, cryptocurrency wallet desktop apps, and Telegram.


    The targeted desktop wallet apps include Electrum, Ethereum, Exodus, Zcash, Armory, Bytecoin, Guarda, and Jaxx Liberty.


All stolen data is bundled into a single base64-encoded JSON file and exfiltrated to the C2 over TCP port 8081 or 9865.
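
To show how a network defender could look for the exfiltration pattern just described, here is an added example (not code from SEKOIA, BleepingComputer or the Aurora author). It triages constructed outbound flow records, flagging a flow when the destination port is one of the two reported C2 ports and when the payload decodes as a single base64-encoded JSON document. The flow record layout, the field names and the sample payloads are this example's own assumptions; the two port numbers are the ones the report gives.

```python
"""Triage outbound TCP flows for the reported Aurora exfiltration pattern:
one base64-encoded JSON document sent to TCP port 8081 or 9865.
Added example with constructed flow records; the record layout and the
sample payloads are this example's own, not from the report."""
import base64
import binascii
import json

AURORA_EXFIL_PORTS = {8081, 9865}   # ports named in the report


def decode_base64_json(payload):
    """Return the decoded JSON object/array if `payload` is base64 wrapping a
    JSON document, otherwise None. validate=True rejects ordinary text that
    merely contains base64-alphabet characters (e.g. an HTTP request)."""
    try:
        raw = base64.b64decode(payload.strip(), validate=True)
        obj = json.loads(raw.decode("utf-8"))
    except (binascii.Error, UnicodeDecodeError, json.JSONDecodeError, ValueError):
        return None
    return obj if isinstance(obj, (dict, list)) else None


def triage_flow(flow):
    """Return (verdict, reasons) for one flow: 'alert' when both indicators
    match, 'review' when only one does, 'clear' otherwise."""
    reasons = []
    if flow["dst_port"] in AURORA_EXFIL_PORTS:
        reasons.append(f"destination port {flow['dst_port']} matches reported C2 ports")
    if decode_base64_json(flow["payload"]) is not None:
        reasons.append("payload is a single base64-encoded JSON document")
    verdict = ("clear", "review", "alert")[len(reasons)]
    return verdict, reasons


def triage_flows(flows):
    """Map flow id -> verdict for a batch of flow records."""
    return {flow["id"]: triage_flow(flow)[0] for flow in flows}


def b64json(obj):
    """Encode an object the way the stolen-data bundle is described: JSON, then base64."""
    return base64.b64encode(json.dumps(obj).encode("utf-8"))


# Constructed sample flows (not real captures); field names are this example's own.
SAMPLE_FLOWS = [
    {"id": "f1", "dst": "198.51.100.10", "dst_port": 8081,
     "payload": b64json({"host": "WS01", "cookies": [], "passwords": []})},
    {"id": "f2", "dst": "198.51.100.10", "dst_port": 8081,
     "payload": b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"},
    {"id": "f3", "dst": "203.0.113.7", "dst_port": 9000,
     "payload": b64json({"status": "ok"})},
    {"id": "f4", "dst": "203.0.113.7", "dst_port": 443,
     "payload": b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03"},   # TLS-looking bytes
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(flow["id"], *triage_flow(flow))
```

A port match alone only earns "review" because 8081 is a common alternate HTTP port; the base64-JSON check is what separates the reported bundle format from ordinary traffic, and it only works on cleartext captures, which matches the report's description of a raw TCP channel rather than TLS.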

SEKOIA reports that it could not confirm the existence of a working file grabber, even though the malware's author promises one.

The analysts did, however, observe Aurora's loader, which uses net_http_Get (Go's net/http Get) to download a new payload, writes it to the filesystem under a random name, and then executes it with PowerShell.

[Image: the payload loader function. Source: SEKOIA]
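
To show how the two host-side behaviours described in this section (the burst of WMIC host-profiling commands at launch, and the loader running a randomly named dropped file through PowerShell) can be hunted in process-creation telemetry, here is an added example, not code from SEKOIA, BleepingComputer or the Aurora author. It parses a constructed list of process-creation events in a key=value format invented for this example, flags a parent that issues several distinct wmic.exe queries within a short window, and flags PowerShell launched to run a long, randomly named .exe from a common drop directory. The thresholds, drop directories and random-name heuristic are assumptions to tune for your environment, and the sample WMIC queries are plausible host-profiling queries, not the ones Aurora actually issues.

```python
"""Hunt process-creation telemetry for the two Aurora behaviours described
above: a burst of wmic.exe host-profiling queries from one parent process,
and that same parent launching PowerShell to run a randomly named dropped
binary. Added example with constructed events, not SEKOIA's or the
malware author's code."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Tunable assumptions, not values from the report.
WMIC_BURST_THRESHOLD = 3                  # distinct wmic queries from one parent
WMIC_BURST_WINDOW = timedelta(seconds=60)
RANDOM_NAME = re.compile(r"^[A-Za-z0-9]{8,}$")   # crude "random file name" heuristic
DROP_DIRS = ("\\appdata\\local\\temp\\", "\\programdata\\", "\\users\\public\\")
EXE_PATH = re.compile(r'[A-Za-z]:\\[^\s"]+\.exe', re.IGNORECASE)


def parse_event(line):
    """Parse one 'key=value|key=value' event line (this example's own format)."""
    ev = {}
    for field in line.split("|"):
        key, _, value = field.partition("=")
        ev[key.strip()] = value.strip()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    ev["pid"] = int(ev["pid"])
    ev["ppid"] = int(ev["ppid"])
    return ev


def looks_like_dropped_binary(cmdline):
    """True if the command line runs an .exe from a common drop directory
    whose base name is a long mixed letters-and-digits string."""
    for match in EXE_PATH.finditer(cmdline):
        path = match.group(0)
        base = path.rsplit("\\", 1)[-1][:-len(".exe")]
        in_drop_dir = any(d in path.lower() for d in DROP_DIRS)
        mixed = re.search(r"\d", base) and re.search(r"[A-Za-z]", base)
        if in_drop_dir and RANDOM_NAME.match(base) and mixed:
            return True
    return False


def hunt(events):
    """Return {parent_pid: [finding, ...]} for parents showing either behaviour."""
    findings = defaultdict(list)
    wmic_by_parent = defaultdict(list)
    for ev in events:
        image = ev["image"].lower()
        if image.endswith("\\wmic.exe"):
            wmic_by_parent[ev["ppid"]].append(ev)
        elif image.endswith("\\powershell.exe") and looks_like_dropped_binary(ev["cmdline"]):
            findings[ev["ppid"]].append("powershell executes randomly named dropped binary")
    for ppid, evs in wmic_by_parent.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            # distinct queries issued within WMIC_BURST_WINDOW of this one
            window = {e["cmdline"] for e in evs[i:] if e["ts"] - first["ts"] <= WMIC_BURST_WINDOW}
            if len(window) >= WMIC_BURST_THRESHOLD:
                findings[ppid].append(
                    f"{len(window)} distinct wmic queries within {WMIC_BURST_WINDOW.seconds}s")
                break
    return dict(findings)


def hunt_lines(lines):
    """Parse raw event lines and run the hunt over them."""
    return hunt([parse_event(line) for line in lines])


WMIC = "C:\\Windows\\System32\\wbem\\WMIC.exe"
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"

# Constructed sample telemetry. PID 4000 plays the stealer; PID 5000 is a
# benign admin script issuing a single query and a normal PowerShell run.
SAMPLE_EVENTS = [
    f"ts=2022-11-20T10:00:01|pid=4100|ppid=4000|image={WMIC}|cmdline=wmic os get Caption",
    f"ts=2022-11-20T10:00:02|pid=4101|ppid=4000|image={WMIC}|cmdline=wmic cpu get Name",
    f"ts=2022-11-20T10:00:03|pid=4102|ppid=4000|image={WMIC}|cmdline=wmic path win32_VideoController get Name",
    f"ts=2022-11-20T10:00:09|pid=4110|ppid=4000|image={PS}|cmdline=powershell -c Start-Process "
    "C:\\Users\\u\\AppData\\Local\\Temp\\k3Hd9Qz2Lp7.exe",
    f"ts=2022-11-20T10:05:00|pid=5200|ppid=5000|image={WMIC}|cmdline=wmic logicaldisk get Size",
    f"ts=2022-11-20T10:05:10|pid=5201|ppid=5000|image={PS}|cmdline=powershell -File C:\\Scripts\\Backup.ps1",
]

if __name__ == "__main__":
    for ppid, found in hunt_lines(SAMPLE_EVENTS).items():
        print(ppid, found)
```

Keying both findings on the parent PID is deliberate: in the behaviour the article describes, the stealer process is the parent of both the WMIC queries and the PowerShell launch, so a single parent that trips both rules is a much stronger signal than either rule on its own.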

    Current distribution

Aurora is currently distributed to victims through a variety of channels, which is to be expected given the involvement of at least seven distinct operators.

SEKOIA observed cryptocurrency phishing sites promoted through phishing emails, as well as YouTube videos that link to fake software and cheat catalog sites.

[Image: one of the sites used for malware distribution. Source: BleepingComputer]

    For a complete list of the IoCs (indicators of compromise) and sites used for Aurora distribution, check SEKOIA’s GitHub repository.
