Aurora infostealer malware increasingly adopted by cybergangs

Cybercriminals are increasingly turning to a new Go-based information stealer named ‘Aurora’ to steal sensitive information from browsers and cryptocurrency apps, exfiltrate data directly from disks, and load additional payloads.

According to cybersecurity firm SEKOIA, at least seven notable cybergangs with significant activity have adopted Aurora exclusively, or along with Redline and Raccoon, two other established information-stealing malware families.

Cybergang boasting use of Aurora along Raccoon - Source: SEKOIA

 

The reason for this sudden rise in Aurora’s popularity is its low detection rates and general unknown status, making its infections less likely to be detected.

Simultaneously, Aurora offers advanced data-stealing features and presumably infrastructural and functional stability.

Aurora history

Aurora was first announced in April 2022 on Russian-speaking forums, advertised as a botnet project with state-of-the-art info-stealing and remote access features.

As KELA reported earlier this year, Aurora’s author was looking to form a small team of testers to ensure the final product is good enough.

However, in late August 2022, SEKOIA noticed that Aurora was advertised as a stealer, so the project abandoned its goal of creating a multi-function tool.

The highlight features listed in the promotional posts are:

• Polymorphic compilation that doesn’t require crypter wrapping
• Server-side data decryption
• Targets over 40 cryptocurrency wallets
• Automatic seed phrase deduction for MetaMask
• Reverse lookup for password collection
• Runs on TCP sockets
• Communicates with C2 only once, during license check
• Fully native small payload (4.2 MB) requiring no dependencies

The above features are geared towards high-level stealthiness, which is the main advantage of Aurora over other popular info-stealers.

The cost to rent the malware was set to $250 per month or $1,500 for a lifetime license.

Stealer analysis

Upon execution, Aurora runs several commands through WMIC to collect basic host information, snaps a desktop image, and sends everything to the C2.

Commands Aurora executes upon launch - Source: SEKOIA

 

Next, the malware targets data stored in multiple browsers (cookies, passwords, history, credit cards), cryptocurrency browser extensions, cryptocurrency wallet desktop apps, and Telegram.

The targeted desktop wallet apps include Electrum, Ethereum, Exodus, Zcash, Armory, Bytecoin, Guarda, and Jaxx Liberty.

All stolen data is bundled in a single base64-encoded JSON file and exfiltrated to the C2 through TCP ports 8081 or 9865.

SEKOIA reports they couldn’t confirm the existence of a working file grabber as the author of the malware promises.

However, the analysts observed Aurora’s malware loader that uses “net_http_Get” to drop a new payload onto the filesystem using a random name and then use PowerShell to execute it.

The payload loader function - Source: SEKOIA

Current distribution

Currently, Aurora is distributed to victims via various channels, which is to be expected considering the involvement of seven distinct operators.

SEKOIA noticed cryptocurrency phishing sites promoted via phishing emails and YouTube videos that link to fake software and cheat catalog sites.

One of the sites used for malware distribution - Source: BleepingComputer

 

For a complete list of the IoCs (indicators of compromise) and sites used for Aurora distribution, check SEKOIA’s GitHub repository.

Source