Aurora Stealer - Phishing - Infostealer - Cyble blogs

Aurora – A Stealer Using Shapeshifting Tactics

Threat Actors (TAs) are increasingly using phishing sites to trick victims into stealing sensitive information or downloading malware such as Information stealer, Remote Access Trojans (RATs), and other malware. The links to these phishing pages are often distributed via email, online ads, and other channels. Cyble Research and Intelligence Labs (CRIL) has also been regularly monitoring various phishing campaigns and discussing them. Aurora Stealer is the latest example of this that we have encountered. We have observed it using phishing sites to imitate popular applications to infect the maximum possible number of victims.

Shapeshifting Behavior

Cyble Research and Intelligence Labs (CRIL) initially identified a phishing site, “hxxps[:]//messenger-download[.]top”, that was impersonating a legitimate chat application website on January 16th, 2023.

The next day, January 17th, 2023, the same phishing site was found to be mimicking a legitimate TeamViewer website, showing that the threat actors behind this campaign are actively changing and customizing their phishing websites to target multiple popular applications.

The initial infection occurs when the user clicks on the “Download” button on the phishing website, which then downloads malware named “messenger.exe” and “teamviewer.exe” from the following URLs:

  • hxxps[:]//download[.]balint[.]info[.]hu/messenger[.]exe
  • hxxps[:]//kodfem[.]hemsida[.]eu/downloads/teamviewer[.]exe

The image below shows the phishing site downloading Aurora stealer with the file name “teamviewer.exe”.

Figure 1 – Messenger phishing page downloading Aurora stealer as teamviewer.exe

The “messenger.exe” and “teamviewer.exe” files that have been downloaded are actually malicious Aurora Stealer samples, which have been padded with extra zeroes at the end to increase their size to around 260MB. TAs use this method to evade detection by antivirus software, as larger files can be harder for AV to process.

Aurora is a type of malware that aims to steal personal information; it targets data from web browsers, crypto wallets, browser extensions, Telegram, and specific user directories.

After gathering all the necessary information, it saves the data in JSON format, compresses it using GZIP, and converts it into Base64 encoding format before sending it to the Command-and-Control (C&C) server.

We have analyzed and explained the detailed behavior of Aurora in the Technical Analysis section.

Technical Analysis

We have taken the below sample hash for our analysis: (SHA256), fd17b39833ee0fae6cc8549dfa602adff3cf002cd0a0ef8fa63876ec50a74552, which is a 32-bit Golang executable file. The unique build ID of the Go compiled binary is shown below.

Aurora Stealer
Figure 2 – Go build ID

Upon executing the malware file, it attempts to identify if the file is running in a WINE environment by checking the wine_get_version()  function via the GetProcAddress() API. Then, the malware file uses Windows Management Instrumentation (WMI) commands to gather system information, including the operating system’s name, the graphics card’s name, and the processor’s name.

  • wmic os get Caption
    • Returns the caption or name of the operating system
  • wmic path win32_VideoController get name
    • Returns the name of the video controller or graphics card on the computer
  • wmic cpu get name
    • Returns the name of the processor

After gathering the system details, the malware proceeds to collect additional information about the system, such as the username, Hardware Identification (HWID), Random-Access Memory (RAM) size, screen resolution, and IP address, as shown below.

Aurora Stealer
Figure 3 – Collected system information

After collecting system information, the malware queries the directories of installed browsers on the victim’s machine and searches for specific browser-related files stored in SQLite format 3, including:

  • Cookies
  • History
  • Login Data
  • Web Data

Then, the stealer begins to extract information related to crypto wallets by querying and reading files from specific directories. The stealer targets the following crypto wallets:

  • “\\AppData\\Roaming\\Armory”
  • “\\AppData\\Roaming\\bytecoin”
  • “\\AppData\\Roaming\\Exodus”
  • “\\AppData\\Roaming\\Ethereum\\keystore”
  • “\\AppData\\Roaming\\Electrum\\wallets”
  • “\\AppData\\Roaming\\com.liberty.jaxx\\IndexedDB”
  • “\\AppData\\Roaming\\Guarda\\Local Storage\\leveldb”
  • “\\AppData\\Roaming\\Atomic\\Local Storage\\leveldb”
  • “\\AppData\\Roaming\\Zcash\\User Data\\Local State”

In addition to accessing crypto wallets through specific directories, Aurora stealer also steals data from crypto wallet browser extensions. These extensions are hard-coded into the stealer binary, and over 100 extensions have been targeted. Some of the targeted extensions are shown in the image below.

Aurora Stealer
Figure 4 – Targeted Crypto wallets with the extension ID

The malware continues its data collection by searching for FTP client software, Telegram, Discord, and Steam applications in the victim’s machine and steals important information from their config and session data files. The malware also grabs specific files from directories like the Desktop and Documents and takes screenshots of the victim’s system.

Finally, the Aurora stealer processes the stolen information by converting it into JSON format, creating a GZIP archive of it, and encoding the GZIP archive in Base64 format for exfiltration. The figure below illustrates the structure of the JSON content that is used by the malware to store the stolen information.

Aurora Stealer
Figure 5 – JSON format to store stolen data

The table below describes the keys of the JSON content.

TypeType of the stolen data (Browser, Screenshot, files, etc.)
Info { Name BuildID GroupID OS HWID GPU CPU RAM Location Screen IP }    Victims’ device name Build name used by TA GroupID used by TA Operating system version Victims’ machine hardware ID Graphics card information Processor information RAM size Malware file path Victims’ machine screen resolution Victims’ system IP, empty  always
BrowserBrowser name (Chrome, brave, edge, etc.)
CacheEncoded in base64 content of the stolen file
Type_GrabTarget file info (Cookie, Password, etc.)
FilePTarget browser file (Cookies, Login Data, etc.)

Command & Control

Aurora Stealer communicates with the below C&C server IP (port 8081) and sends the stolen information.

  • 45[.]15[.]156[.]210:8081

The below figure shows the network communication of the malware’s data exfiltration.

Figure 6 – Exfiltrated data

Conclusion

Information stealers are a form of malware that pose a significant threat to corporate networks by allowing unauthorized access. TAs employ various methods to deliver malware to their victims. In this case, we have observed that they are using phishing websites that mimic legitimate messenger sites to deliver Aurora Stealer.

Recently, we have seen a rise in the number of malware samples padded with unnecessary data to increase their size in order to evade detection. This technique was also observed in other stealers, such as RedLine, Vidar, and RecordBreaker.

Cyble Research and Intelligence Labs (CRIL) will continue monitoring the new malware strains and phishing campaigns in the wild and update blogs with actionable intelligence to protect users from such notorious attacks.

Our Recommendations

  • The initial infection may happen via phishing websites, so enterprises should use security products to detect phishing websites.
  • Avoid downloading pirated software from Warez/Torrent websites. The “Hack Tool” present on sites such as YouTube, Torrent sites, etc., contains such malware. 
  • Use strong passwords and enforce multi-factor authentication wherever possible.   
  • Turn on the automatic software update feature on your computer, mobile, and other connected devices.  
  • Use a reputed antivirus and internet security software package on your connected devices, including PC, laptop, and mobile.  
  • Refrain from opening untrusted links and email attachments without first verifying their authenticity.   
  • Educate employees on protecting themselves from threats like phishing/untrusted URLs.  
  • Block URLs that could be used to spread the malware, e.g., Torrent/Warez.  
  • Monitor the beacon on the network level to block data exfiltration by malware or TAs.

MITRE ATT&CK® Techniques

TacticTechnique IDTechnique Name
ExecutionT1204
T1059
T1047
User Execution
Command and Scripting Interpreter
Windows Management Instrumentation
Defense EvasionT1027
T1497
Obfuscated Files or Information
Virtualization/Sandbox Evasion
Credential AccessT1003
T1056
T1552
OS Credential Dumping
Input Capture
Credentials in Registry
DiscoveryT1082
T1518
T1083
T1087
System Information Discovery
Security Software Discovery
File and Directory Discovery
Account Discovery
CollectionT1005Data from Local System
Command and ControlT1071
T1095
Application Layer Protocol
Non-Application Layer Protocol

Indicators of Compromise (IOCs)

IndicatorsIndicator
Type
Description
b810b7d416251367ef790bc9a8a9830a69760ba5c1b83055e9a0647270629d9cSha256messenger.exe  
fd17b39833ee0fae6cc8549dfa602adff3cf002cd0a0ef8fa63876ec50a74552Sha256messenger.exe removed zero
padding
44b64cb2be0a5e9fd51528f00a308df71ead226c7cf733ed2568ada07c9044a8Sha256teamviewer.exe
c7f43e2afe62a622f77f888f56712a41aec56d5a765a95585f69e870359119c9Sha256teamviewer.exe
removed zero
padding
hxxps[:]//messenger-download[.]topDomainPhishing site
hxxps[:]//download[.]balint[.]info[.]hu/messenger[.]exeURLMalware download
URL
hxxps[:]//kodfem[.]hemsida[.]eu/downloads/teamviewer[.]exeURLMalware download
URL
45[.]15[.]156[.]210:8081IP: PortC&C

Recent Blogs

BATLoader-RATs-Stealers-OneNote

Cyble analyzes BATLoader – A sophisticated loader being utilized by Threat Actors to deliver several malware families.

Read More »
Qakbot-Microsoft-OneNote

Cyble Research & Intelligence Labs analyzes new strategies deployed by Qakbot to infect users via Microsoft OneNote.

Read More »
Scroll to Top