Botnet Turned InfoStealer Aurora Gaining Traction Among Threat Actors

New discovery

• In October and November, multiple chains of infection were observed leading to the execution of Aurora stealer in the wild.
• Seven traffers teams, including RavenLogs, BrazzersLogs, DevilsTraff, YungRussia, Gfbg6, SAKURA, and HellRide are observed distributing the stealer actively.
• Aurora stealer is distributed using phishing pages impersonating download pages of legitimate software, including remote access tools and cryptocurrency wallets.
• The other infection vectors include YouTube videos with fake software and cheat catalog links and SEO-boosted fake software crack download websites.

Aurora stealer: a prevalent infostealer

• It targets data stored in multiple web browsers (cookies, passwords, history, credit cards), cryptocurrency browser extensions managing the cryptocurrency wallets such as Electrum, Ethereum, Exodus, Zcash, Armory, Bytecoin, Guarda, and Jaxx Liberty, and Telegram.
• It bundles all the stolen data of the infected host in a single base64-encoded JSON file and sends it to the C2 through TCP ports 8081 or 9865.
• The author of the malware promises file grabber and loader capabilities. It downloads a new remote payload onto the filesystem and executes the next stage using a PowerShell command.

Aurora’s evolution

• In June, its developers stopped publishing about it; however, a threat actor named Cheshire started selling it as a Malware-as-a-Service (MaaS) in July.
• The MaaS activity was abandoned and Aurora was soon advertised as a stealer instead of a botnet on Telegram and underground forums in late August. In September, the stealer was advertised on an XSS forum by KO7MO.
• It is available for rent for $250 per month or for $1,500 with a lifetime license.

Conclusion