Fake system update drops Aurora stealer via Invalid Printer loader

A malvertising campaign redirects Windows users to a convincing fake system update that delivers a loader capable of evading many AV engines and sandboxes, which in turn drops Aurora Stealer. The operation uses the “Invalid Printer” loader; researchers patched its sandbox checks to run it in analysis environments, and the campaign's reach was measured through a public stats panel. Aurora Stealer exfiltrates credentials to its C2, and multiple IOCs are available. #AuroraStealer #InvalidPrinter #Morphisec #VirusTotal #Threatray #UnpacMe #Amadey

Keypoints

  • Malvertising via popunder ads redirects victims to a full-screen browser-based fake Windows security update.
  • The fake update uses a loader called “Invalid Printer” that initially evades sandbox/AV detection.
  • Researchers patched the loader so its GPU vendor check always passes, enabling execution in sandboxes.
  • The detected payload is Aurora Stealer, designed to harvest credentials from systems.
  • The operation has measurable reach (tens of thousands of visits; hundreds downloaded in ~49 days) and uses a dedicated panel for stats.
  • Malwarebytes detects the payload as Spyware.Aurora and blocks the malvertising domains.
  • IOCs include specific domains, IPs, file hashes, and C2 addresses associated with the campaign and Aurora Stealer.

MITRE Techniques

  • [T1189] Drive-by Compromise – The campaign uses malvertising to redirect users to what looks like a Windows security update. “A threat actor is using malicious ads to redirect users to what looks like a Windows security update.”
  • [T1036] Masquerading – The downloaded loader is named ChromeUpdate.exe so it passes as a legitimate browser updater. “the file name appears as ChromeUpdate.exe”
  • [T1497] Virtualization/Sandbox Evasion – Invalid Printer checks the graphics card vendor ID and refuses to run where it finds no physical GPU, which defeats most VM-based sandboxes; the researchers patched the sample so the check always passes. “checks on the computer’s graphic card… Virtual machines… will fail to pass the check.”
  • [T1555] Credentials from Password Stores – Aurora Stealer harvests saved credentials from infected systems. “the payload used was the Aurora Stealer, a popular piece of malware that is designed to harvest credentials from systems.”
  • [T1071] Application Layer Protocol – Aurora Stealer reports to a command-and-control (C2) server; the page notes it is the same C2 Morphisec observed. “same command and control server… as one mentioned in Morphisec’s blog.”
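The T1497 item above describes the loader deciding whether to run based on the display adapter's PCI vendor ID. The following is an added example (not code from the Malwarebytes write-up, and not the loader's own native implementation) that re-implements that decision logic in Python so an analyst can see what a given sandbox's adapters would yield. The page does not list which vendor IDs the loader accepts, so the allowlist of physical GPU vendors and the names of the helper functions are assumptions; the sample PNPDeviceID strings are constructed.

```python
"""Emulate a GPU-vendor sandbox check of the kind attributed to Invalid Printer.

Added example for analysts; not the loader's code. Windows exposes each display
adapter's PNPDeviceID (e.g. 'PCI\\VEN_10DE&DEV_2484&...'); the four hex digits
after VEN_ are the PCI vendor ID, which is what such checks compare.
"""
import os
import re
import subprocess
from typing import Iterable, List, Optional, Tuple

# ASSUMPTION: vendor IDs of physical GPU makers. The write-up does not give the
# loader's actual allowlist; these are the usual discrete/integrated vendors.
REAL_GPU_VENDORS = {0x10DE: "NVIDIA", 0x1002: "AMD/ATI", 0x8086: "Intel"}

# Vendor IDs that common virtual display adapters report (used for triage labels).
VIRTUAL_VENDORS = {
    0x15AD: "VMware",
    0x80EE: "VirtualBox",
    0x1AF4: "virtio/Red Hat",
    0x1414: "Microsoft Hyper-V",
    0x1234: "QEMU/Bochs VGA",
}

_VEN_RE = re.compile(r"VEN_([0-9A-F]{4})", re.I)


def vendor_id_from_pnp_id(pnp_id: str) -> Optional[int]:
    """Return the PCI vendor ID embedded in a PNPDeviceID, or None for
    non-PCI adapters such as ROOT\\BasicDisplay (what a bare VM may expose)."""
    m = _VEN_RE.search(pnp_id)
    return int(m.group(1), 16) if m else None


def passes_gpu_check(pnp_ids: Iterable[str]) -> bool:
    """True if at least one adapter is from an allowlisted physical vendor.
    A VM that only has a VMware/VirtualBox/Hyper-V adapter fails, which is the
    behaviour the write-up describes for the loader."""
    return any(vendor_id_from_pnp_id(p) in REAL_GPU_VENDORS for p in pnp_ids)


def classify_adapters(pnp_ids: Iterable[str]) -> List[Tuple[str, str]]:
    """Label each adapter as physical, virtual or unknown for a triage report."""
    labelled = []
    for p in pnp_ids:
        vid = vendor_id_from_pnp_id(p)
        if vid in REAL_GPU_VENDORS:
            label = f"physical ({REAL_GPU_VENDORS[vid]})"
        elif vid in VIRTUAL_VENDORS:
            label = f"virtual ({VIRTUAL_VENDORS[vid]})"
        else:
            label = "unknown/non-PCI"
        labelled.append((p, label))
    return labelled


def local_adapter_ids() -> List[str]:
    """On Windows, read the real adapter list via PowerShell/CIM; elsewhere
    return [] so the module still imports offline."""
    if os.name != "nt":
        return []
    cmd = ["powershell", "-NoProfile", "-Command",
           "Get-CimInstance Win32_VideoController | "
           "Select-Object -ExpandProperty PNPDeviceID"]
    out = subprocess.run(cmd, capture_output=True, text=True, check=False).stdout
    return [line.strip() for line in out.splitlines() if line.strip()]


# Constructed sample inputs (not taken from any real host).
SANDBOX_ADAPTERS = ["PCI\\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\\3&13C0B0C5&0&78"]
BARE_SANDBOX_ADAPTERS = ["ROOT\\BasicDisplay\\0000"]
WORKSTATION_ADAPTERS = ["PCI\\VEN_10DE&DEV_2484&SUBSYS_38861462&REV_A1\\4&2A7B1F8&0&0008"]

if __name__ == "__main__":
    cases = [("VMware sandbox", SANDBOX_ADAPTERS),
             ("bare VM", BARE_SANDBOX_ADAPTERS),
             ("workstation", WORKSTATION_ADAPTERS),
             ("this host", local_adapter_ids())]
    for name, ids in cases:
        verdict = "runs" if passes_gpu_check(ids) else "bails out"
        print(f"{name}: loader {verdict}; adapters={classify_adapters(ids)}")
```

Run it on a candidate sandbox VM to see whether the loader would execute there; if the verdict is “bails out”, the analysis box needs a passthrough or emulated adapter with a physical vendor ID, or the sample has to be patched as the researchers did.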

Indicators of Compromise

  • [Domain] Fake update page / malvertising gate – activessd.ru, chistauyavoda.ru, qqtube.ru, and other domains
  • [IP] Malvertising gate – 194.58.112.173
  • [IP] Aurora Stealer C2s – 103.195.103.54:443, 94.142.138.218:4561
  • [File hash] Invalid Printer samples (SHA-256) – d29f4ffcc9e2164800dcf5605668bdd4298bcd6e75b58bed9c42196b4225d590, 5a07e02aec263f0c3e3a958f2b3c3d65a55240e5da30bbe77c60dba49d953b2c
  • [File name] ChromeUpdate.exe – name under which the loader is downloaded
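To turn the indicators above into something a SOC can run, here is an added example (not from the Malwarebytes write-up) that loads the listed domains, IPs, C2 endpoints, SHA-256 hashes and file name, then checks proxy/firewall log lines and file contents against them. The log lines are constructed for the demonstration; the function names and the generic log format are assumptions, so adapt the regexes to your own log schema.

```python
"""Match the campaign IOCs against log lines and files. Added example."""
import hashlib
import re
from pathlib import Path
from typing import Dict, List

# IOCs as listed on the page.
IOC_DOMAINS = {"activessd.ru", "chistauyavoda.ru", "qqtube.ru"}
IOC_IPS = {"194.58.112.173", "103.195.103.54", "94.142.138.218"}
IOC_C2_ENDPOINTS = {("103.195.103.54", 443), ("94.142.138.218", 4561)}
IOC_SHA256 = {
    "d29f4ffcc9e2164800dcf5605668bdd4298bcd6e75b58bed9c42196b4225d590",
    "5a07e02aec263f0c3e3a958f2b3c3d65a55240e5da30bbe77c60dba49d953b2c",
}
IOC_FILENAMES = {"chromeupdate.exe"}

# Generic extractors: hostnames, IPv4 (with optional port) and .exe names.
_HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)
_IPPORT_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})(?::(\d{1,5}))?\b")
_EXE_RE = re.compile(r"[\w.-]+\.exe", re.I)


def scan_log_line(line: str) -> List[str]:
    """Return tagged hits for one log line, or [] if it is clean.
    Domains match exactly or as a parent of the observed host."""
    hits: List[str] = []
    for host in _HOST_RE.findall(line):
        h = host.lower()
        for d in sorted(IOC_DOMAINS):
            if h == d or h.endswith("." + d):
                hits.append(f"domain:{d}")
    for ip, port in _IPPORT_RE.findall(line):
        if ip in IOC_IPS:
            hits.append(f"ip:{ip}")
        if port and (ip, int(port)) in IOC_C2_ENDPOINTS:
            hits.append(f"c2:{ip}:{port}")
    for name in _EXE_RE.findall(line):
        if name.lower() in IOC_FILENAMES:
            hits.append(f"filename:{name}")
    return hits


def scan_log(lines: List[str]) -> Dict[int, List[str]]:
    """Map line index -> hits for every line that matched at least one IOC."""
    return {i: h for i, l in enumerate(lines) if (h := scan_log_line(l))}


def check_file_bytes(name: str, data: bytes) -> List[str]:
    """Check a file's name and SHA-256 against the IOC sets."""
    hits: List[str] = []
    if name.lower() in IOC_FILENAMES:
        hits.append(f"filename:{name}")
    digest = hashlib.sha256(data).hexdigest()
    if digest in IOC_SHA256:
        hits.append(f"sha256:{digest}")
    return hits


def check_file(path: str) -> List[str]:
    p = Path(path)
    return check_file_bytes(p.name, p.read_bytes())


# Constructed sample log lines (not real telemetry).
SAMPLE_LOG = [
    "2023-05-12T10:01:22Z proxy GET http://activessd.ru/update/ChromeUpdate.exe 200",
    "2023-05-12T10:01:30Z fw allow 10.0.4.17:51322 -> 94.142.138.218:4561 tcp",
    "2023-05-12T10:02:01Z dns query www.example.com A",
    "2023-05-12T10:03:09Z proxy CONNECT 103.195.103.54:443",
]

if __name__ == "__main__":
    for idx, hits in scan_log(SAMPLE_LOG).items():
        print(f"line {idx}: {hits}")
```

A hit on `c2:` is the strongest signal here, since it means a host already ran the payload; `filename:` alone is weak (any legitimate updater could share the name) and should be confirmed with the hash.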

Read more: https://www.malwarebytes.com/blog/threat-intelligence/2023/05/fake-system-update-drops-new-highly-evasive-loader