Aurora Stealer Gains Popularity Among Hackers

Security analysts at Sekoia are warning that the Go-based malware known as Aurora is becoming increasingly popular among cybercriminals. The malware is designed to steal sensitive data from browsers and cryptocurrency applications; it also claims a file grabber that reads data directly from disk, and it can download and run additional payloads on the victim's machine.

According to researchers, at least seven active hacking groups are either exclusively using Aurora or combining it with other well-known info-stealing malware families like Redline and Raccoon.

Why Aurora Is Gaining Popularity

The rapid rise in Aurora's popularity appears to be driven by its low detection rates. The malware also offers criminals advanced data theft features and, reportedly, a stable infrastructure and a stable feature set. Aurora is rented for $250 per month or sold as a lifetime licence for $1,500.

Aurora was first announced in April 2022 on Russian-language hacker forums, where it was advertised as a botnet with unique information-stealing and remote access features. According to KELA, earlier in 2022 the Aurora author even assembled a small team of testers to ensure the "final product" was up to standard.

Evolution and Features of Aurora

By August 2022, Sekoia researchers observed that Aurora was being marketed specifically as an infostealer, indicating that the developers had dropped the idea of a multifunctional tool. The main features of Aurora, as claimed in its advertisements, include:

  • Polymorphic compilation that does not require a cryptor
  • Server-side decryption of the stolen data
  • Targets 40+ cryptocurrency wallets
  • Automatic processing of MetaMask seed phrases
  • Operates over raw TCP sockets
  • Contacts the C&C server only once, during licence verification
  • Native, lightweight payload (4.2 MB) with no dependencies required

Researchers note that these advertised features are primarily aimed at stealth, which is Aurora's main selling point over other popular stealers.

How Aurora Operates

Once running on a system, Aurora executes several WMIC commands to collect basic information about the host (operating system, hardware and similar inventory data), takes a screenshot of the desktop, and sends all of this to its command-and-control server.

The malware then attempts to steal data stored in browsers (cookies, passwords, history, bank cards), cryptocurrency browser extensions, desktop cryptocurrency wallets, and Telegram. Targeted applications include Electrum, Ethereum, Exodus, Zcash, Armory, Bytecoin, Guarda, and Jaxx Liberty.

All stolen data is combined into a single base64-encoded JSON document and sent to the command-and-control server over a TCP connection to port 8081 or 9865.

Additional Capabilities and Distribution Methods

Experts have not been able to confirm that the file grabber advertised by the malware's author actually works. However, analysts did observe a loader that uses Go's net/http Get (visible as net_http_Get among the binary's recovered symbol names) to download an additional payload, writes it to the file system under a random name, and then executes it via PowerShell.
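The behaviour described in "How Aurora Operates" and in the loader paragraph above is a detectable sequence: a burst of WMIC inventory queries from one process, an outbound TCP connection to port 8081 or 9865 from that same process, and a PowerShell launch of a randomly named executable dropped to disk. The following is an added example written for this page, not code from Sekoia or from the malware; the event records are constructed in a Sysmon-like shape, the specific WMIC queries are assumed (the report says only that several WMIC commands are run), and the temp-directory pattern for the dropped payload is likewise an assumption.

```python
"""Heuristic detection for the Aurora-style sequence described on this page:
WMIC recon burst -> TCP to 8081/9865 -> PowerShell runs a dropped executable.
All sample events below are CONSTRUCTED for this example."""
import base64
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Ports the report names for the exfiltration channel.
AURORA_C2_PORTS = {8081, 9865}

# WMIC inventory queries; the aliases are real WMIC syntax, but which ones
# Aurora actually issues is an assumption for this example.
WMIC_RECON = re.compile(
    r"\bwmic(\.exe)?\b.*\b(os|cpu|computersystem|baseboard|path\s+win32_videocontroller)\b.*\bget\b",
    re.IGNORECASE,
)
# PowerShell launching a randomly named .exe from the user's temp directory (assumed location).
PS_TEMP_EXEC = re.compile(
    r"powershell(\.exe)?\b.*\\AppData\\Local\\Temp\\[A-Za-z0-9]{6,}\.exe", re.IGNORECASE
)


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def analyse(events, window=timedelta(seconds=120), min_recon=3):
    """Group events by the acting process ("pid" is the process that spawned the
    child or opened the socket) and look for the recon -> C2 -> loader chain.
    Returns {pid: [stage, ...]} for every pid that reached the recon stage."""
    by_pid = defaultdict(list)
    for ev in events:
        by_pid[ev["pid"]].append(ev)

    findings = {}
    for pid, evs in by_pid.items():
        evs.sort(key=_ts)
        recon = [e for e in evs if e["type"] == "process" and WMIC_RECON.search(e["cmd"])]
        # A lone inventory query is normal admin activity; require a burst.
        if len(recon) < min_recon or _ts(recon[-1]) - _ts(recon[0]) > window:
            continue
        t0 = _ts(recon[0])
        stages = ["wmic_recon_burst"]
        for e in evs:
            if _ts(e) - t0 > window:
                break
            if e["type"] == "network" and e["dport"] in AURORA_C2_PORTS:
                stage = "tcp_to_%d" % e["dport"]
            elif e["type"] == "process" and PS_TEMP_EXEC.search(e["cmd"]):
                stage = "powershell_temp_exec"
            else:
                continue
            if stage not in stages:
                stages.append(stage)
        findings[pid] = stages
    return findings


def looks_like_b64_json(payload):
    """True if a captured TCP payload is a base64 blob wrapping a JSON object,
    the exfiltration format described above. Used to triage traffic on 8081/9865."""
    try:
        raw = base64.b64decode(payload, validate=True)
        return isinstance(json.loads(raw), dict)
    except (ValueError, UnicodeDecodeError):
        return False


# Constructed telemetry: pid 4120 is the stealer, pid 7731 is an admin shell.
SAMPLE_EVENTS = [
    {"ts": "2022-11-10T09:00:00", "pid": 4120, "type": "process",
     "cmd": "wmic os get Caption,Version,OSArchitecture"},
    {"ts": "2022-11-10T09:00:01", "pid": 4120, "type": "process",
     "cmd": "wmic cpu get Name"},
    {"ts": "2022-11-10T09:00:01", "pid": 4120, "type": "process",
     "cmd": "wmic path win32_VideoController get Name"},
    {"ts": "2022-11-10T09:00:05", "pid": 4120, "type": "network",
     "dst": "203.0.113.10", "dport": 8081},
    {"ts": "2022-11-10T09:00:40", "pid": 4120, "type": "process",
     "cmd": r"powershell -c Start-Process C:\Users\victim\AppData\Local\Temp\xk3n8q2f.exe"},
    {"ts": "2022-11-10T09:10:00", "pid": 7731, "type": "process",
     "cmd": "wmic os get Caption"},
]
# Constructed exfil blob in the described shape (base64 over a JSON object).
SAMPLE_PAYLOAD = base64.b64encode(b'{"host": "DESKTOP-TEST", "screenshot": ""}')

if __name__ == "__main__":
    print(analyse(SAMPLE_EVENTS))
    print("payload is base64(JSON):", looks_like_b64_json(SAMPLE_PAYLOAD))
```

The admin shell in the sample (one WMIC query, no network or PowerShell activity) produces no finding, while the stealer pid reaches all three stages; in a real deployment the port check should be paired with the payload heuristic, since 8081 is also a common proxy and development port.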

Aurora is currently being distributed through a variety of methods, which is unsurprising given that at least seven different groups are using it. For example, experts have found cryptocurrency-themed phishing sites promoted through phishing emails and YouTube videos, and these sites in turn link to fake software download and game-cheat catalogue sites that serve the malware.

A full list of indicators of compromise and similar sites used to spread Aurora is available on GitHub.
