Aurora is an infostealer that first appeared on Russian-language hacker forums in April 2022. Initially the developer advertised it as a botnet with broad functionality that let operators steal information and gain remote access to victims' systems. By the end of August 2022, however, researchers from SEKOIA noticed that Aurora was being advertised only as an infostealer, which suggests the developer abandoned the plan for a multifunctional tool. The malware is still marketed with a number of distinctive features:
- Polymorphic compilation;
- Data decryption on the server side;
- Ability to work with more than 40 crypto wallets;
- Automatic seed phrase detection for MetaMask;
- Implemented reverse lookup for collecting passwords;
- The malware runs on TCP sockets;
- The connection to C2 occurs only once, during the license check;
- The payload is only 4.2 MB and does not require any dependencies.
Taken together, these features are supposed to make the malware almost invisible to security tooling, which would be a significant advantage of Aurora over other popular infostealers. The malware is priced at $250 per month or $1,500 for a lifetime license.
When launched, Aurora executes a few commands via WMIC to collect basic information about the host, takes a screenshot of the desktop, and sends everything to the attackers' C&C server. Then the malware starts looking for data stored in various browsers (cookies, passwords, search history, credit card data), crypto trading extensions, crypto wallet applications (Electrum, Ethereum, Exodus, Zcash, Armory, Bytecoin, Guarda and Jaxx Liberty) and Telegram.
All stolen data is gathered into a single JSON document, base64-encoded, and sent to the attackers' C&C server over TCP on port 8081 or 9865.
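The two behaviours above (WMIC host reconnaissance followed by a TCP connection to port 8081 or 9865, and a base64-wrapped JSON payload on the wire) are concrete enough to hunt for. The following is an added example, not code from the original article or from SEKOIA: it runs a simple sequence detection over constructed process-creation and network-connection events, and decodes a constructed payload of the described shape. The log format, the ten-minute correlation window, the host names, process names and IP addresses are all assumptions made for the illustration; the WMIC command lines are generic examples, not the exact commands Aurora runs.

```python
"""Hunt for the Aurora-style sequence described above (wmic.exe recon, then an
outbound connection to TCP 8081/9865) and decode a base64-wrapped JSON payload.
Added example; the event format and sample data are constructed, not real telemetry."""
import base64
import json
from collections import defaultdict
from datetime import datetime, timedelta

EXFIL_PORTS = {8081, 9865}          # C&C ports reported for Aurora
WINDOW = timedelta(minutes=10)       # assumed gap between recon and exfil (not from the report)

# Constructed sample events (not real telemetry). Format: time|host|event|image|detail
SAMPLE_LOG = """\
2022-11-15T10:01:02Z|HOST-A|ProcessCreate|wmic.exe|wmic os get Caption
2022-11-15T10:01:03Z|HOST-A|ProcessCreate|wmic.exe|wmic cpu get Name
2022-11-15T10:01:10Z|HOST-A|NetworkConnect|update.exe|203.0.113.7:8081
2022-11-15T10:02:00Z|HOST-B|ProcessCreate|wmic.exe|wmic os get Caption
2022-11-15T10:05:00Z|HOST-B|NetworkConnect|chrome.exe|93.184.216.34:443
2022-11-15T10:07:00Z|HOST-C|NetworkConnect|svc.exe|198.51.100.9:9865
"""


def parse_line(line):
    """Split one pipe-delimited event into (timestamp, host, event, image, detail)."""
    ts, host, event, image, detail = line.strip().split("|", 4)
    when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return when, host, event, image.lower(), detail


def find_suspicious_hosts(log_text):
    """Return {host: verdict}.
    'wmic_then_exfil_port' : a wmic.exe launch precedes a connection to 8081/9865 within WINDOW
    'exfil_port_only'      : a connection to 8081/9865 without preceding WMIC activity
    Hosts that never touch the exfil ports are not reported."""
    wmic_times = defaultdict(list)
    exfil_conns = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        when, host, event, image, detail = parse_line(line)
        if event == "ProcessCreate" and image == "wmic.exe":
            wmic_times[host].append(when)
        elif event == "NetworkConnect":
            port = int(detail.rsplit(":", 1)[1])
            if port in EXFIL_PORTS:
                exfil_conns[host].append(when)

    verdicts = {}
    for host, conns in exfil_conns.items():
        chained = any(
            timedelta(0) <= (conn - wmic) <= WINDOW
            for conn in conns
            for wmic in wmic_times.get(host, [])
        )
        verdicts[host] = "wmic_then_exfil_port" if chained else "exfil_port_only"
    return verdicts


def decode_exfil(payload):
    """Decode a captured payload of the described shape: base64 wrapping one JSON document.
    Returns the parsed object, or None when the bytes are not base64-wrapped JSON."""
    try:
        raw = base64.b64decode(payload, validate=True)
        return json.loads(raw.decode("utf-8"))
    except (ValueError, UnicodeDecodeError):
        return None


# Constructed payload standing in for a captured TCP stream (not a real Aurora sample)
SAMPLE_EXFIL = base64.b64encode(
    json.dumps({
        "host": "HOST-A",
        "browsers": {"chrome": {"cookies": 2, "passwords": 1}},
        "wallets": ["Exodus"],
    }).encode()
)

if __name__ == "__main__":
    for host, verdict in sorted(find_suspicious_hosts(SAMPLE_LOG).items()):
        print(host, verdict)
    print(decode_exfil(SAMPLE_EXFIL))
```

The port-only verdict is deliberately kept separate from the chained one: 8081 and 9865 are not reserved ports, so a connection on its own is a weak signal, while WMIC reconnaissance shortly followed by traffic to one of them is the sequence the article describes. In a real deployment the port list would be joined with the IP indicators from the SEKOIA repository mentioned below.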
SEKOIA reports that its analysts could not find the working file grabber the developer promised. They did, however, find an Aurora dropper that uses "net_http_Get" (the Go net/http Get call) to download a payload, writes it to the file system under a random name, and then executes it via a PowerShell command.
Aurora currently reaches victims mainly through phishing sites, which the attackers promote via YouTube videos and phishing e-mail campaigns.
A complete list of indicators of compromise and sites used to distribute Aurora can be found in the SEKOIA GitHub repository.