eSentire’s Threat Response Unit (TRU) has tracked Aurora Stealer infections in the manufacturing sector since December 2022, distributed via fake Google Ads for Notepad++ and other installers. The malware exfiltrates browser data (cookies, autofill, encrypted passwords) with a loader/grabber architecture, evasion tricks, and a monetized botnet ecosystem.
#AuroraStealer #eSentireTRU #InstallLabs
Keypoints
- The Aurora Stealer development continues with modules such as loader, DDoS, crypto wallet brute-force, HVNC/HRDP/RDP/VNC, and Nmap scanning.
- Configurations are stored in base64-encoded form and logs are sent to a C2 on port 8081 in a gzip-compressed, base64-encoded JSON format.
- The stealer includes grabber and loader modules to collect specific files/folders and to download/execute additional payloads or PowerShell commands.
- Distribution uses Pay-Per-Install (PPI) and traffic services (InstallLabs) via fake installers (Notepad++, TeamViewer, Nvidia Driver) and Google Ads.
- It harvests cookies, autofill data, and encrypted passwords from Opera, Brave, Chrome, and other browsers, but not Firefox credentials.
- Avoidance techniques include adding junk bytes to inflate binary size, password-protecting/archiving, and using EV certificates to bypass SmartScreen.
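An added helper for analysts triaging captured traffic (example code written for this summary, not eSentire's tooling or the malware's own code): it reverses the base64-then-gzip-then-JSON log format noted above and flags flows to port 8081 whose body decodes cleanly, returning None for anything that fails at any layer. The flow records, field names and log contents are constructed assumptions.

```python
import base64
import binascii
import gzip
import json
from typing import Optional

# Port the summary reports for Aurora C2 log uploads.
AURORA_C2_PORT = 8081


def decode_c2_log(body: bytes) -> Optional[dict]:
    """Reverse the base64 -> gzip -> JSON chain described in the keypoints.

    Returns the parsed JSON object, or None if any layer does not decode
    (non-base64 input, non-gzip bytes, non-JSON text, or JSON that is not an object).
    """
    try:
        raw = base64.b64decode(body, validate=True)      # binascii.Error on bad alphabet/padding
        text = gzip.decompress(raw).decode("utf-8")       # OSError/EOFError if not gzip
        obj = json.loads(text)                            # ValueError if not JSON
    except (binascii.Error, ValueError, OSError, EOFError):
        return None
    return obj if isinstance(obj, dict) else None


def triage_flows(flows):
    """Return (flow_id, decoded_log) pairs for flows to the C2 port whose body decodes."""
    hits = []
    for flow in flows:
        if flow["dst_port"] != AURORA_C2_PORT:
            continue
        decoded = decode_c2_log(flow["body"])
        if decoded is not None:
            hits.append((flow["id"], decoded))
    return hits


# Constructed sample: one body encoded the way the summary describes, one plain
# request on the same port, and the encoded body sent to an unrelated port.
SAMPLE_LOG = {"machine": "WS-01", "browsers": ["chrome", "brave"], "cookies": 42}
SAMPLE_BODY = base64.b64encode(gzip.compress(json.dumps(SAMPLE_LOG).encode("utf-8")))
SAMPLE_FLOWS = [
    {"id": "f1", "dst_port": 8081, "body": SAMPLE_BODY},
    {"id": "f2", "dst_port": 8081, "body": b"GET / HTTP/1.1"},
    {"id": "f3", "dst_port": 443, "body": SAMPLE_BODY},
]

if __name__ == "__main__":
    for flow_id, log in triage_flows(SAMPLE_FLOWS):
        print(flow_id, json.dumps(log))
```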
MITRE Techniques
- [T1592] Gather Victim Host Information – The infection starts with basic reconnaissance commands spawned from wmic.exe and cmd.exe: “wmic os get Caption – returns the name of the operating system installed on the computer.”
- [T1189] Drive-by Compromise – Aurora Stealer is delivered via a website hosting a fake software installer: “delivered via a website hosting a fake software installer.”
- [T1027.001] Binary Padding – The stealer uses file pump features to add null bytes to the payload to evade detection: “the stealer binary is filled with junk bytes to increase the file size.”
- [T1555.003] Credentials from Web Browsers – Stealer exfiltrates data from browsers including credentials and cookies (and FTP/RDP creds): “stealer steals sensitive data from browsers including credentials, cookies and saved credit cards as well as FTP and RDP credentials.”
- [T1082] System Information Discovery – The stealer enumerates hardware, location, and screen size: “enumerates the host for hardware and geographical information as well as the screen size.”
- [T1113] Screen Capture – The stealer captures screenshots: “The stealer takes the screenshot from the infected machine and sends it to the C2.”
- [T1020] Automated Exfiltration – Gathered data is automatically exfiltrated to the C2: “The stealer automatically exfiltrates the gathered files to C2.”
- [T1059] Command and Scripting Interpreter – The loader uses PowerShell to run the downloaded payload and the commands in its loader configuration: “start-process PowerShell cmdlet” and loader configuration for commands.
- [T1021.001] Remote Services – Botnet panel supports remote control via hVNC/HRDP/RDP/VNC: “remote in using hVNC/HRDP/RDP/VNC.”
Indicators of Compromise
- [Hash] Aurora Stealer context – 306fc85ff1c7e06f631c37d60d4ad98b, da1548613d5fa9520931952675f92ca9
- [Hash] Aurora Stealer context – 16b349b80ef9e6d6a86e768b4e01fc4c, aa349ad45bb48e85b5cd1b55308ae835353859219f28ece9685c8ae552e8e63a
- [IP] C2 endpoints – 212.87.204.93:8081, 185.106.93.245:8081
- [IP] C2 endpoints – 185.106.93.135:8081, 195.123.218.52:8081
Read more: https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-aurora-stealer