Aurora began as a Golang MaaS botnet advertised by Cheshire and Zelizzard, and evolved into an infostealer adopted by multiple traffers, with activity that later slowed and then resurged in different forms. Sekoia.io’s analysis shows multifaceted data collection, C2 exfiltration, and loader capabilities, distributed via several infection chains including phishing and fake software catalogs. Hashtags: #Aurora #Cheshire #Zelizzard #Raccoon #ExodusWallet
Keypoints
- Aurora started as a Golang botnet (MaaS) advertised in April 2022, associated with threat actor handle Cheshire; around 50 samples were observed in July 2022 with limited C2 activity at the time.
- By August 2022, Aurora was advertised as a stealer, with multiple traffers teams adding it to their arsenals (e.g., BrazzzersLogs, DevilsTraff, RavenLogs, YungRussia).
- In October–November 2022, hundreds of samples and dozens of C2 servers supported the assessment that Aurora stealer would become prevalent, spread through several infection chains.
- Infection chains include phishing pages impersonating legitimate software (e.g., Exodus Wallet) and a “911” chain using YouTube videos and fake free software catalogs to lure victims.
- Data collected includes fingerprint data, browser/extension data (including cryptocurrency wallets), and a file grabber that searches directories for files of interest, followed by exfiltration to a JSON-formatted C2 channel.
- Aurora communicates with its C2 over TCP on ports 8081 and 9865 (8081 is the most common) and exfiltrates collected data in JSON format; both are non-standard ports, which is the basis of the T1571 mapping below.
- Loader functionality downloads a remote payload via net/http, saves it to a temp path, and executes it via PowerShell; the stealer’s exfiltration is followed by loading the next stage.
MITRE Techniques
- [T1047] Windows Management Instrumentation – Fingerprint the host by running WMIC commands: “To fingerprint the host, Aurora executes three commands on the infected host: …” – “wmic os get Caption” … “wmic path win32_VideoController get name” … “wmic cpu get name”.
- [T1082] System Information Discovery – Uses WMIC-based fingerprinting to reveal OS, CPU, GPU details. “To fingerprint the host, Aurora executes three commands on the infected host: …”
- [T1113] Screen Capture – Takes one screenshot of the infected host. “Like previously analysed stealers, Aurora also takes one screenshot of the infected host.”
- [T1083] File and Directory Discovery – Gathers a list of directories to search for files of interest. “The grabber configuration is simple, the stealer gathers a list of directories to search for files of interest.”
- [T1555.003] Credentials from Web Browsers – Data from browsers and cryptocurrency wallet extensions; targeted applications listed in Annex 2. “Data from browsers, extensions and applications.”
- [T1005] Data from Local System – Collects data from local systems including cryptocurrency wallets, Telegram, and other apps. “To collect information, Aurora targets multiple web browsers, as well as browser extensions including those managing cryptocurrency wallets and applications such as Telegram.”
- [T1041] Exfiltration Over C2 Channel – Exfiltrated data are encoded and sent to the C2 in JSON format. “Exfiltrated data are in JSON format.”
- [T1105] Ingress Tool Transfer – Loader downloads a remote payload via net_http_Get and writes it to disk. “downloads a remote payload using net_http_Get from the built-in library net/http, then the file is written on the disk.”
- [T1059.001] PowerShell – Loader executes a PowerShell command to start the next stage. “powershell.exe start-process ‘C:\Users\Admin\AppData\Local\Temp\oH7P8GCPXQ.exe’.”
- [T1571] Non-Standard Port – C2 communications on ports 8081 and 9865, highlighting non-standard port usage. “The malware communicates using TCP connection on ports 8081 and 9865 … 8081 being the most widespread open port.”
- [T1566.001] Phishing – Infection chains rely on phishing sites and deceptive download pages (e.g., Exodus Wallet phishing site) to lure victims. “phishing sites masquerading legitimate ones, YouTube videos and fake ‘free software catalogue’ websites.”
- [T1012] Query Registry – Discovery of registry-based data as part of fingerprint/data collection described in Annex 2.
Indicators of Compromise
- [IP Address] Aurora C2 servers – 138.201.92.44:8081, 79.137.195.171:8081, and other addresses listed in the Aurora C2 IPs table (example: 45.15.156.97:8081).
- [IP Address] Additional C2 endpoints – 146.19.24.118:8081, 167.235.233.95:9865, 45.15.156.22:8081, 45.15.156.33:8081.
- [Domain] phishing site hosting Exodus Wallet impersonation – mividajugosa[.]com.
- [URL] YouTube video linked in distribution chain – https://www.youtube.com/watch?v=oy7NPaccBnk.
- [FileHash] ZIP payload from phishing chain – 2e9dbda19d9c75a82dabac8ffba5ea76689ada81639867c41c395a29aeaba788 (ExodusWeb3.zip).
- [FileHash] Aurora sample – 47332ce5b904b959aa814ddfde8662931fdfb5233422dc45053ad04cffc44fb4.
- [FileHash] Next-stage payload – 8e24e96e1e87cf00e27c3a3745414636fbf6e148077c0f6815a2b87bacf85c8d.
- [FileName] ExodusWeb3.exe – example of the stealer payload downloaded from the ZIP.
- [FileName] setup.exe – Aurora sample executed in infection chain.
- [URL] Exodus Web3 ZIP distribution path – hxxps://cdn.discordapp.com/attachments/1037343714319794236/1037352224650690650/Adobe_Photoshop.zip.
- [URL] Free software catalogue site – hxxps://winsofts[.]cloud/.
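The keypoints, the MITRE techniques and the indicators above translate directly into detection logic. The following is an added example (not code from the Sekoia.io report or from the Aurora authors) showing one way to hunt for the documented behaviours in endpoint telemetry: the three-command WMIC fingerprint run from one parent process (T1047/T1082), PowerShell launching a dropped executable from %LOCALAPPDATA%\Temp (T1105/T1059.001), outbound TCP to the listed C2 addresses or to ports 8081/9865 (T1571/T1041), and a SHA-256 match against the listed file hashes. The event schema (`type`, `host`, `pid`, `ppid`, `cmdline`, `dst_ip`, `dst_port`, `sha256`) and the sample events are constructed for the example; the IPs, ports, hashes and command lines are the ones the page reports.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Indicators taken from the report above.
AURORA_C2_IPS = {"138.201.92.44", "79.137.195.171", "45.15.156.97", "146.19.24.118",
                 "167.235.233.95", "45.15.156.22", "45.15.156.33"}
AURORA_C2_PORTS = {8081, 9865}
AURORA_SHA256 = {
    "2e9dbda19d9c75a82dabac8ffba5ea76689ada81639867c41c395a29aeaba788",  # ExodusWeb3.zip
    "47332ce5b904b959aa814ddfde8662931fdfb5233422dc45053ad04cffc44fb4",  # Aurora sample
    "8e24e96e1e87cf00e27c3a3745414636fbf6e148077c0f6815a2b87bacf85c8d",  # next-stage payload
}
# The three WMIC commands the report says Aurora runs to fingerprint the host (normalised to lower case).
WMIC_FINGERPRINT = {"wmic os get caption", "wmic path win32_videocontroller get name", "wmic cpu get name"}
# PowerShell start-process of an .exe under ...\AppData\Local\Temp\, as in the documented loader command.
TEMP_PS_LAUNCH = re.compile(
    r"""powershell(?:\.exe)?\s+start-process\s+['"]?[^'"]*\\appdata\\local\\temp\\[^'"\s]+\.exe""", re.I)

# Constructed sample telemetry (hypothetical schema, not from the report): one infected host plus benign noise.
SAMPLE_EVENTS = [
    {"ts": "2022-11-02T10:00:00", "type": "process", "host": "WS01", "pid": 4120, "ppid": 3900,
     "cmdline": "setup.exe", "sha256": "47332ce5b904b959aa814ddfde8662931fdfb5233422dc45053ad04cffc44fb4"},
    {"ts": "2022-11-02T10:00:01", "type": "process", "host": "WS01", "pid": 4130, "ppid": 4120, "cmdline": "wmic os get Caption"},
    {"ts": "2022-11-02T10:00:02", "type": "process", "host": "WS01", "pid": 4131, "ppid": 4120, "cmdline": "wmic path win32_VideoController get name"},
    {"ts": "2022-11-02T10:00:03", "type": "process", "host": "WS01", "pid": 4132, "ppid": 4120, "cmdline": "wmic cpu get name"},
    {"ts": "2022-11-02T10:00:05", "type": "network", "host": "WS01", "pid": 4120, "dst_ip": "138.201.92.44", "dst_port": 8081},
    {"ts": "2022-11-02T10:00:09", "type": "process", "host": "WS01", "pid": 4140, "ppid": 4120,
     "cmdline": r"powershell.exe start-process 'C:\Users\Admin\AppData\Local\Temp\oH7P8GCPXQ.exe'"},
    # Benign: an admin script running a single WMIC query, and normal HTTPS traffic.
    {"ts": "2022-11-02T11:00:00", "type": "process", "host": "WS02", "pid": 5010, "ppid": 5000, "cmdline": "wmic os get Caption"},
    {"ts": "2022-11-02T11:00:01", "type": "network", "host": "WS02", "pid": 5010, "dst_ip": "10.0.0.5", "dst_port": 443},
    # Unknown address on a documented C2 port (203.0.113.10 is a constructed TEST-NET value): low-confidence hit.
    {"ts": "2022-11-02T11:05:00", "type": "network", "host": "WS02", "pid": 5020, "dst_ip": "203.0.113.10", "dst_port": 9865},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def _norm(cmdline):
    return " ".join(cmdline.lower().split())


def detect_wmic_fingerprint(events, window_seconds=60):
    """Flag a parent whose children ran all three fingerprint commands within the window (T1047/T1082)."""
    by_parent = defaultdict(list)
    for e in events:
        if e["type"] == "process" and _norm(e["cmdline"]) in WMIC_FINGERPRINT:
            by_parent[(e["host"], e["ppid"])].append(e)
    alerts = []
    for (host, ppid), cmds in by_parent.items():
        cmds.sort(key=_ts)
        if {_norm(c["cmdline"]) for c in cmds} == WMIC_FINGERPRINT and \
                _ts(cmds[-1]) - _ts(cmds[0]) <= timedelta(seconds=window_seconds):
            alerts.append({"technique": "T1047", "host": host, "pid": ppid})
    return alerts


def detect_temp_powershell_launch(events):
    """Flag PowerShell starting an executable dropped in %LOCALAPPDATA%\\Temp (T1105 followed by T1059.001)."""
    return [{"technique": "T1059.001", "host": e["host"], "pid": e["pid"], "cmdline": e["cmdline"]}
            for e in events if e["type"] == "process" and TEMP_PS_LAUNCH.search(e["cmdline"])]


def detect_c2_traffic(events):
    """Flag connections to a listed C2 address (high confidence) or to 8081/9865 anywhere (low confidence)."""
    alerts = []
    for e in events:
        if e["type"] != "network":
            continue
        known = e["dst_ip"] in AURORA_C2_IPS
        if known or e["dst_port"] in AURORA_C2_PORTS:
            alerts.append({"technique": "T1571", "host": e["host"], "dst": f"{e['dst_ip']}:{e['dst_port']}",
                           "confidence": "high" if known else "low"})
    return alerts


def detect_known_hashes(events):
    """Flag any process whose image hash is one of the listed Aurora-related SHA-256 values."""
    return [{"technique": "ioc-hash", "host": e["host"], "pid": e["pid"], "sha256": e["sha256"]}
            for e in events if e.get("sha256") in AURORA_SHA256]


def run_detections(events):
    """Run every detector over the event stream and return the combined alert list."""
    alerts = []
    for detector in (detect_wmic_fingerprint, detect_temp_powershell_launch, detect_c2_traffic, detect_known_hashes):
        alerts.extend(detector(events))
    return alerts


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS):
        print(alert)
```

The WMIC rule keys on the parent process rather than on any single `wmic` invocation, because each of the three queries is common on its own in administrative scripts; it is the full triad from one parent inside a short window that matches the report's description. The port-only rule is deliberately reported as low confidence, since 8081 and 9865 are not reserved for Aurora; the address match against the listed C2 IPs is what raises a hit to high confidence.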
Read more: https://blog.sekoia.io/aurora-a-rising-stealer-flying-under-the-radar/