Aurora – A Stealer Using Shapeshifting Tactics

Threat Actors Leveraging Popular Applications To Target Users

Threat Actors (TAs) are increasingly using phishing sites to trick victims into stealing sensitive information or downloading malware such as Information stealer, Remote Access Trojans (RATs), and other malware. The links to these phishing pages are often distributed via email, online ads, and other channels. Cyble Research and Intelligence Labs (CRIL) has also been regularly monitoring various phishing campaigns and discussing them. Aurora Stealer is the latest example of this that we have encountered. We have observed it using phishing sites to imitate popular applications to infect the maximum possible number of victims.

Shapeshifting Behavior

Cyble Research and Intelligence Labs (CRIL) initially identified a phishing site, “hxxps[:]//messenger-download[.]top”, that was impersonating a legitimate chat application website on January 16th, 2023.

The next day, January 17th, 2023, the same phishing site was found to be mimicking a legitimate TeamViewer website, showing that the threat actors behind this campaign are actively changing and customizing their phishing websites to target multiple popular applications.

The initial infection occurs when the user clicks on the “Download” button on the phishing website, which then downloads malware named “messenger.exe” and “teamviewer.exe” from the following URLs:

• hxxps[:]//download[.]balint[.]info[.]hu/messenger[.]exe
• hxxps[:]//kodfem[.]hemsida[.]eu/downloads/teamviewer[.]exe

The image below shows the phishing site downloading Aurora stealer with the file name “teamviewer.exe”.

The “messenger.exe” and “teamviewer.exe” files that have been downloaded are actually malicious Aurora Stealer samples, which have been padded with extra zeroes at the end to increase their size to around 260MB. TAs use this method to evade detection by antivirus software, as larger files can be harder for AV to process.

Aurora is a type of malware that aims to steal personal information; it targets data from web browsers, crypto wallets, browser extensions, Telegram, and specific user directories.

After gathering all the necessary information, it saves the data in JSON format, compresses it using GZIP, and converts it into Base64 encoding format before sending it to the Command-and-Control (C&C) server.

We have analyzed and explained the detailed behavior of Aurora in the Technical Analysis section.

Technical Analysis

We have taken the below sample hash for our analysis: (SHA256), fd17b39833ee0fae6cc8549dfa602adff3cf002cd0a0ef8fa63876ec50a74552, which is a 32-bit Golang executable file. The unique build ID of the Go compiled binary is shown below.

Upon executing the malware file, it attempts to identify if the file is running in a WINE environment by checking the wine_get_version()  function via the GetProcAddress() API. Then, the malware file uses Windows Management Instrumentation (WMI) commands to gather system information, including the operating system’s name, the graphics card’s name, and the processor’s name.

• wmic os get Caption
  • Returns the caption or name of the operating system
• wmic path win32_VideoController get name
  • Returns the name of the video controller or graphics card on the computer
• wmic cpu get name
  • Returns the name of the processor

After gathering the system details, the malware proceeds to collect additional information about the system, such as the username, Hardware Identification (HWID), Random-Access Memory (RAM) size, screen resolution, and IP address, as shown below.

After collecting system information, the malware queries the directories of installed browsers on the victim’s machine and searches for specific browser-related files stored in SQLite format 3, including:

• Cookies
• History
• Login Data
• Web Data

Then, the stealer begins to extract information related to crypto wallets by querying and reading files from specific directories. The stealer targets the following crypto wallets:

• “\\AppData\\Roaming\\Armory”
• “\\AppData\\Roaming\\bytecoin”
• “\\AppData\\Roaming\\Exodus”
• “\\AppData\\Roaming\\Ethereum\\keystore”
• “\\AppData\\Roaming\\Electrum\\wallets”
• “\\AppData\\Roaming\\com.liberty.jaxx\\IndexedDB”
• “\\AppData\\Roaming\\Guarda\\Local Storage\\leveldb”
• “\\AppData\\Roaming\\Atomic\\Local Storage\\leveldb”
• “\\AppData\\Roaming\\Zcash\\User Data\\Local State”

In addition to accessing crypto wallets through specific directories, Aurora stealer also steals data from crypto wallet browser extensions. These extensions are hard-coded into the stealer binary, and over 100 extensions have been targeted. Some of the targeted extensions are shown in the image below.

The malware continues its data collection by searching for FTP client software, Telegram, Discord, and Steam applications in the victim’s machine and steals important information from their config and session data files. The malware also grabs specific files from directories like the Desktop and Documents and takes screenshots of the victim’s system.

Finally, the Aurora stealer processes the stolen information by converting it into JSON format, creating a GZIP archive of it, and encoding the GZIP archive in Base64 format for exfiltration. The figure below illustrates the structure of the JSON content that is used by the malware to store the stolen information.

The table below describes the keys of the JSON content.

Type	Type of the stolen data (Browser, Screenshot, files, etc.)
Info { Name BuildID GroupID OS HWID GPU CPU RAM Location Screen IP }	Victims’ device name Build name used by TA GroupID used by TA Operating system version Victims’ machine hardware ID Graphics card information Processor information RAM size Malware file path Victims’ machine screen resolution Victims’ system IP, empty  always
Browser	Browser name (Chrome, brave, edge, etc.)
Cache	Encoded in base64 content of the stolen file
Type_Grab	Target file info (Cookie, Password, etc.)
FileP	Target browser file (Cookies, Login Data, etc.)

Command & Control

Aurora Stealer communicates with the below C&C server IP (port 8081) and sends the stolen information.

• 45[.]15[.]156[.]210:8081

The below figure shows the network communication of the malware’s data exfiltration.

Conclusion

Information stealers are a form of malware that pose a significant threat to corporate networks by allowing unauthorized access. TAs employ various methods to deliver malware to their victims. In this case, we have observed that they are using phishing websites that mimic legitimate messenger sites to deliver Aurora Stealer.

Recently, we have seen a rise in the number of malware samples padded with unnecessary data to increase their size in order to evade detection. This technique was also observed in other stealers, such as RedLine, Vidar, and RecordBreaker.

Cyble Research and Intelligence Labs (CRIL) will continue monitoring the new malware strains and phishing campaigns in the wild and update blogs with actionable intelligence to protect users from such notorious attacks.

Our Recommendations

• The initial infection may happen via phishing websites, so enterprises should use security products to detect phishing websites.
• Avoid downloading pirated software from Warez/Torrent websites. The “Hack Tool” present on sites such as YouTube, Torrent sites, etc., contains such malware. 
• Use strong passwords and enforce multi-factor authentication wherever possible.   
• Turn on the automatic software update feature on your computer, mobile, and other connected devices.  
• Use a reputed antivirus and internet security software package on your connected devices, including PC, laptop, and mobile.  
• Refrain from opening untrusted links and email attachments without first verifying their authenticity.   
• Educate employees on protecting themselves from threats like phishing/untrusted URLs.  
• Block URLs that could be used to spread the malware, e.g., Torrent/Warez.  
• Monitor the beacon on the network level to block data exfiltration by malware or TAs.

MITRE ATT&CK® Techniques

Tactic	Technique ID	Technique Name
Execution	T1204 T1059 T1047	User Execution Command and Scripting Interpreter Windows Management Instrumentation
Defense Evasion	T1027 T1497	Obfuscated Files or Information Virtualization/Sandbox Evasion
Credential Access	T1003 T1056 T1552	OS Credential Dumping Input Capture Credentials in Registry
Discovery	T1082 T1518 T1083 T1087	System Information Discovery Security Software Discovery File and Directory Discovery Account Discovery
Collection	T1005	Data from Local System
Command and Control	T1071 T1095	Application Layer Protocol Non-Application Layer Protocol

Indicators of Compromise (IOCs)

Indicators	Indicator Type	Description
b810b7d416251367ef790bc9a8a9830a69760ba5c1b83055e9a0647270629d9c	Sha256	messenger.exe
fd17b39833ee0fae6cc8549dfa602adff3cf002cd0a0ef8fa63876ec50a74552	Sha256	messenger.exe removed zero padding
44b64cb2be0a5e9fd51528f00a308df71ead226c7cf733ed2568ada07c9044a8	Sha256	teamviewer.exe
c7f43e2afe62a622f77f888f56712a41aec56d5a765a95585f69e870359119c9	Sha256	teamviewer.exe removed zero padding
hxxps[:]//messenger-download[.]top	Domain	Phishing site
hxxps[:]//download[.]balint[.]info[.]hu/messenger[.]exe	URL	Malware download URL
hxxps[:]//kodfem[.]hemsida[.]eu/downloads/teamviewer[.]exe	URL	Malware download URL
45[.]15[.]156[.]210:8081	IP: Port	C&C