Security researchers identified a Go-based malware, ‘Aurora Stealer’, which has remained undetected for an extended period of time. Aurora Stealer, a popular info-stealing malware, got a great deal of attention after it was advertised on Russian-speaking hacking forums in April 2022.
The SaaS cybersecurity platform Sekoia.io published an in-depth report on the Malware-as-a-Service (MaaS) distributed by a threat actor known as Cheshire. According to the report, Aurora is a multi-purpose botnet capable of stealing data and gaining remote access to compromised systems.
The researchers found the malware trail via Dark Web forums and collected samples containing several dozen active C2 servers. The threat actors behind the campaigns used several distribution methods, including phishing, YouTube comments, and “free software catalog” websites.
About Aurora
Since September 2022, the researchers have seen an increase in the number of Aurora samples distributed in the wild and in the number of C2 servers, the report states. The threat actors used several fraudulent duplicates of legitimate websites, mainly for software, cryptocurrency wallets, or remote access tools. These baits were used to lure victims into downloading a program or service that contains the malware.
According to the report, Aurora ran openly while evading detection for a long time. In its campaign, the malware targeted “40 cryptocurrency wallets” and several applications, such as Telegram. The malware was also advertised on Russian-speaking hacking forums, along with its capability to inject a next-stage payload using a PowerShell command.
The info stealer was designed to steal information from web browsers, bitcoin wallets, and local computers connected over a network. With its many capabilities and functions, the info stealer was sold at high prices on underground hacking forums. The security research team collected a total of 50 samples; of those, the majority belong to the “Cheshire” and “Zelizzard” botnets, and fewer than a dozen C2 servers are associated with Aurora botnets, the report stated.
After a lull in activity within the same period, the researchers concluded that the threat actors behind the info stealer might have abandoned the operation. However, that wasn’t the case. In August 2022, Aurora was again advertised on dark web forums, replacing the previous botnet.
Aurora: A famous info stealer among threat groups
In the report, SEKOIA.IO identified seven popular traffers (threat actors who redirect traffic to malicious websites and pages in order to harvest private information) that claimed to be using Aurora as part of their operations.
The majority of these traffers formed their teams after Aurora was advertised on the hacking forums as a comprehensive info stealer. The report suggested that BrazzzersLogs Team is the latest group to announce the onboarding of Aurora stealer, on the Lolz Guru cybercrime forums.
All of this recent adoption means that Aurora has become one of the most popular stealers among threat actors.