Aurora Stealer Is Gaining Popularity among Hackers

The Aurora stealer gaining popularity
Written by William Reddy

Sekoia analysts warn that Aurora, a stealer written in Go, is gaining popularity among attackers. This malware steals confidential information from browsers and cryptocurrency applications, and is also capable of extracting data directly from disks and downloading additional payloads to the victim’s machine.

According to the researchers, at least seven active hacking groups use Aurora, either exclusively or in combination with RedLine and Raccoon (two other known information-stealing malware families).

Let me remind you that we also wrote that Hackers Used the CovalentStealer Malware to Infiltrate the Network of a Defense Enterprise in the United States, and also that RedLine Stealer Malware Masks as Bots to Buy Binance NFT Mystery Boxes.

Apparently, the reason for Aurora's rapid growth in popularity was its low detection rates. In addition, the malware offers criminals advanced features for data theft and, presumably, stable infrastructure and functionality. The cost of renting the malware is $250 per month or $1,500 for a lifetime license.

The appearance of Aurora was first announced in April 2022 on Russian-speaking hacking forums, where the malware was advertised as a botnet with unique features for stealing information and remote access. According to KELA, the author of Aurora even formed a small team of testers earlier this year to make sure the “final product” turned out to be worthy.

Later, in August 2022, Sekoia researchers noticed that Aurora was already being advertised as an infostealer, which means that the authors of the project apparently abandoned the idea of creating a multifunctional tool.

The main features of Aurora listed in the advertisement are the following:

  1. polymorphic compilation that does not require a cryptor;
  2. data decryption on the server side;
  3. attacks on 40+ cryptocurrency wallets;
  4. automatic processing of seed phrases for MetaMask;
  5. works on TCP sockets;
  6. refers to the C&C only once, during the license check;
  7. native and small payload (4.2 MB) requiring no dependencies.

The researchers say the listed features are primarily focused on stealth, which is Aurora's main advantage over other popular stealers.

Once in the system, Aurora runs a few commands through WMIC to collect basic information about the host, then takes a screenshot of the desktop and sends it all to the command-and-control server.


After that, the malware tries to steal data stored in browsers (cookies, passwords, history, bank cards), cryptocurrency extensions for browsers, as well as desktop cryptocurrency wallets and Telegram. Target applications include Electrum, Ethereum, Exodus, Zcash, Armory, Bytecoin, Guarda, and Jaxx Liberty.

All stolen data is combined into a single base64-encoded JSON file and transmitted to the command-and-control server via TCP ports 8081 or 9865.

Experts say they have not been able to confirm the existence of the working file grabber advertised by the malware author. However, analysts have noticed a malware downloader that uses net_http_Get to download additional payloads to a randomly named file on the filesystem and then uses PowerShell to execute them.
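The behaviours described above give a defender two concrete things to look for: WMIC reconnaissance followed shortly by a PowerShell launch on the same host, and an outbound connection to TCP 8081 or 9865 whose payload is a base64-encoded JSON blob. The following Python script is an added example, not code from the article or from Sekoia's report. The ports and the base64-JSON format come from the article; the log-record fields, the five-minute correlation window, and all sample flows and process events are constructed assumptions for illustration.

```python
"""Heuristic detectors for the two Aurora behaviours described in the article.

Assumptions (not from the article): flow records carry src, dst, dst_port and the
first bytes of the stream as text; process events carry ts (ISO 8601), host and image.
All sample data below is constructed, not a real capture.
"""
import base64
import binascii
import json
from collections import defaultdict
from datetime import datetime, timedelta

EXFIL_PORTS = {8081, 9865}  # TCP ports named in the article


def decode_base64_json(payload: str):
    """Return the parsed object if payload is strictly base64-encoded JSON, else None."""
    try:
        raw = base64.b64decode(payload, validate=True)  # reject non-alphabet characters
    except (binascii.Error, ValueError):
        return None
    try:
        obj = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError):
        return None
    # A bare number or string that happens to be valid JSON is not an exfil record.
    return obj if isinstance(obj, (dict, list)) else None


def flag_exfil_flows(flows):
    """Flag flows to an exfil port whose payload decodes to base64-wrapped JSON."""
    hits = []
    for f in flows:
        if f["dst_port"] not in EXFIL_PORTS:
            continue
        obj = decode_base64_json(f["payload"])
        if obj is None:
            continue
        keys = sorted(obj.keys()) if isinstance(obj, dict) else []
        hits.append({"src": f["src"], "dst": f["dst"],
                     "dst_port": f["dst_port"], "json_keys": keys})
    return hits


def flag_wmic_then_powershell(events, window_seconds=300):
    """Flag hosts where powershell.exe starts within window_seconds after wmic.exe.

    The 300-second window is an assumed tuning value, not taken from the article.
    """
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append((datetime.fromisoformat(e["ts"]), e["image"].lower()))
    window = timedelta(seconds=window_seconds)
    hits = []
    for host, evs in by_host.items():
        evs.sort()
        wmic_times = [t for t, img in evs if img == "wmic.exe"]
        for t, img in evs:
            # Only a PowerShell start that follows a WMIC run counts; earlier ones do not.
            if img == "powershell.exe" and any(timedelta(0) <= (t - w) <= window for w in wmic_times):
                hits.append(host)
                break
    return hits


# Constructed sample data (not real captures or real stolen data).
SAMPLE_BLOB = base64.b64encode(json.dumps({
    "browsers": ["cookies", "passwords"],
    "wallets": ["Exodus"],
    "screenshot": "<omitted>",
}).encode()).decode()

SAMPLE_FLOWS = [
    {"src": "10.0.0.5", "dst": "203.0.113.10", "dst_port": 8081, "payload": SAMPLE_BLOB},
    {"src": "10.0.0.5", "dst": "203.0.113.10", "dst_port": 443, "payload": "GET / HTTP/1.1"},
    {"src": "10.0.0.7", "dst": "198.51.100.4", "dst_port": 9865, "payload": "not-base64!!"},
]

SAMPLE_EVENTS = [
    {"ts": "2022-11-21T10:00:00", "host": "WS01", "image": "wmic.exe"},
    {"ts": "2022-11-21T10:00:02", "host": "WS01", "image": "wmic.exe"},
    {"ts": "2022-11-21T10:01:30", "host": "WS01", "image": "powershell.exe"},
    {"ts": "2022-11-21T09:00:00", "host": "WS02", "image": "powershell.exe"},
    {"ts": "2022-11-21T11:00:00", "host": "WS02", "image": "wmic.exe"},
]

if __name__ == "__main__":
    print(flag_exfil_flows(SAMPLE_FLOWS))            # one hit: 10.0.0.5 -> 203.0.113.10:8081
    print(flag_wmic_then_powershell(SAMPLE_EVENTS))  # ['WS01']
```

Both detectors are heuristics: WMIC followed by PowerShell is common in legitimate administration, and base64 JSON on an unusual port is only a weak indicator on its own, so the intended use is to score or correlate these hits with the IoCs the researchers published rather than to alert on either alone.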

Currently, Aurora is being distributed among victims in a variety of ways (which is not surprising, given that the malware is used by at least seven different groups). For example, experts have discovered cryptocurrency-related phishing sites advertised with phishing emails and YouTube videos. These sites link to various fake software and cheat catalog sites.


A complete list of indicators of compromise and similar sites through which Aurora is distributed is available on GitHub.

About the author

William Reddy

I am from Ireland. My parents bought me a computer when I was 11, and several months later I got a virus on that PC. I decided to enter the INSA Centre Val de Loire university after graduating from school. This French educational institution was offering a brand-new cybersecurity course. After getting my master's degree in cybersecurity, I started working as a virus analyst at a small anti-malware vendor.
