Skip links

Aurora infostealer malware increasingly adopted by cybergangs



Cybercriminals are increasingly turning to a new Go-based information stealer named ‘Aurora’ to steal sensitive information from browsers and cryptocurrency apps, exfiltrate data directly from disks, and load additional payloads.

According to cybersecurity firm SEKOIA, at least seven notable cybergangs with significant activity have adopted Aurora exclusively, or along with Redline and Raccoon, two other established information-stealing malware families.

Cybergang boasting use of Aurora along Raccoon
Source: SEKOIA

The reason for this sudden rise in Aurora’s popularity is its low detection rates and general unknown status, making its infections less likely to be detected.

Simultaneously, Aurora offers advanced data-stealing features and presumably infrastructural and functional stability.

Aurora history

Aurora was first announced in April 2022 on Russian-speaking forums, advertised as a botnet project with state-of-the-art info-stealing and remote access features.

As KELA reported earlier this year, Aurora’s author was looking to form a small team of testers to ensure the final product is good enough.

However, in late August 2022, SEKOIA noticed that Aurora was advertised as a stealer, so the project abandoned its goal of creating a multi-function tool.

The highlight features listed in the promotional posts are:

Polymorphic compilation that doesn’t require crypter wrapping
Server-side data decryption
Targets over 40 cryptocurrency wallets
Automatic seed phrase deduction for MetaMask
Reverse lookup for password collection
Runs on TCP sockets
Communicates with C2 only once, during license check
Fully native small payload (4.2 MB) requiring no dependencies

The above features are geared towards high-level stealthiness, which is the main advantage of Aurora over other popular info-stealers.

The cost to rent the malware was set to $250 per month or $1,500 for a lifetime license.

Stealer analysis

Upon execution, Aurora runs several commands through WMIC to collect basic host information, snaps a desktop image, and sends everything to the C2.

Commands Aurora executes upon launch
Source: SEKOIA

Next, the malware targets data stored in multiple browsers (cookies, passwords, history, credit cards), cryptocurrency browser extensions, cryptocurrency wallet desktop apps, and Telegram.

The targeted desktop wallet apps include Electrum, Ethereum, Exodus, Zcash, Armory, Bytecoin, Guarda, and Jaxx Liberty.

All stolen data is bundled in a single base64-encoded JSON file and exfiltrated to the C2 through TCP ports 8081 or 9865.

SEKOIA reports they couldn’t confirm the existence of a working file grabber as the author of the malware promises.

However, the analysts observed Aurora’s malware loader that uses “net_http_Get” to drop a new payload onto the filesystem using a random name and then use PowerShell to execute it.

The payload loader function
Source: SEKOIA

Current distribution

Currently, Aurora is distributed to victims via various channels, which is to be expected considering the involvement of seven distinct operators.

SEKOIA noticed cryptocurrency phishing sites promoted via phishing emails and YouTube videos that link to fake software and cheat catalog sites.

One of the sites used for malware distribution
Source: BleepingComputer

For a complete list of the IoCs (indicators of compromise) and sites used for Aurora distribution, check SEKOIA’s GitHub repository.

Adblock test (Why?)