URL: https://blog.cyble.com/2023/01/18/aurora-a-stealer-using-shapeshifting-tactics/

AURORA – A STEALER USING SHAPESHIFTING TACTICS

 * January 18, 2023




THREAT ACTORS LEVERAGING POPULAR APPLICATIONS TO TARGET USERS



Threat Actors (TAs) are increasingly using phishing sites to trick victims into
revealing sensitive information or downloading malware such as information
stealers, Remote Access Trojans (RATs), and other malicious payloads. The links
to these phishing pages are often distributed via email, online ads, and other
channels. Cyble Research and Intelligence Labs (CRIL) regularly monitors and
reports on such phishing campaigns. Aurora Stealer is the latest example we have
encountered: we have observed it using phishing sites that imitate popular
applications in order to infect as many victims as possible.


SHAPESHIFTING BEHAVIOR



On January 16th, 2023, Cyble Research and Intelligence Labs (CRIL) identified a
phishing site, “hxxps[:]//messenger-download[.]top”, impersonating the website of
a legitimate chat application.

The next day, January 17th, 2023, the same phishing site was found to be
mimicking a legitimate TeamViewer website, showing that the threat actors behind
this campaign are actively changing and customizing their phishing websites to
target multiple popular applications.

The initial infection occurs when the user clicks the “Download” button on the
phishing website, which downloads the malware as “messenger.exe” or
“teamviewer.exe” (depending on which application the site is imitating) from the
following URLs:

 * hxxps[:]//download[.]balint[.]info[.]hu/messenger[.]exe
 * hxxps[:]//kodfem[.]hemsida[.]eu/downloads/teamviewer[.]exe

The image below shows the phishing site downloading Aurora stealer with the file
name “teamviewer.exe”.

Figure 1 – Messenger phishing page downloading Aurora stealer as teamviewer.exe



The downloaded “messenger.exe” and “teamviewer.exe” files are in fact Aurora
Stealer samples that have been padded with zero bytes at the end to inflate
their size to around 260MB. TAs use this method to evade detection by antivirus
software, as larger files can be harder for AV engines to process.
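The zero padding described above is cheap to undo on the defender's side, and doing so is what produces the "removed zero padding" hashes listed in the IOC table at the end of this post. The following is an added example, not Cyble's code: it reads the PE section table to find where the real file data ends, strips an all-zero overlay, and reports both hashes so a sample can be matched against an IOC list in either form. The sample it runs on is a constructed minimal PE, not the Aurora binary.

```python
import hashlib
import struct

def pe_data_end(data: bytes) -> int:
    """Offset where the data described by the section table ends: the highest
    PointerToRawData + SizeOfRawData (or the end of the headers). Anything
    after it is overlay; an all-zero overlay is size padding, not code."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size  # section headers follow the optional header
    end = table + num_sections * 40
    for i in range(num_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", data, table + i * 40 + 16)
        end = max(end, raw_ptr + raw_size)
    return end

def strip_zero_padding(data: bytes) -> tuple:
    """Return (normalized_bytes, padding_removed). A non-zero overlay is kept:
    installers and some packers store real data there."""
    end = pe_data_end(data)
    overlay = data[end:]
    if overlay and overlay.count(0) == len(overlay):
        return data[:end], len(overlay)
    return data, 0

def hash_report(data: bytes) -> dict:
    """Hashes of the file as delivered and after padding removal, so either
    form can be matched against an IOC list."""
    stripped, removed = strip_zero_padding(data)
    return {"size": len(data), "padding_removed": removed,
            "sha256_as_delivered": hashlib.sha256(data).hexdigest(),
            "sha256_unpadded": hashlib.sha256(stripped).hexdigest()}

def build_constructed_pe(payload: bytes, padding: int) -> bytes:
    """Constructed stand-in for a padded sample: minimal DOS stub, PE signature,
    COFF header with no optional header, one section, then `padding` zeros."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0)
    raw_ptr = 0x40 + 4 + 20 + 40  # headers end here, section data starts
    section = b".text\0\0\0" + struct.pack(
        "<IIIIIIHHI", len(payload), 0x1000, len(payload), raw_ptr, 0, 0, 0, 0, 0x60000020)
    return dos + b"PE\0\0" + coff + section + payload + b"\0" * padding

if __name__ == "__main__":
    print(hash_report(build_constructed_pe(b"constructed section bytes", 4096)))
```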

Aurora is a type of malware that aims to steal personal information; it targets
data from web browsers, crypto wallets, browser extensions, Telegram, and
specific user directories.

After gathering all the necessary information, it saves the data in JSON format,
compresses it using GZIP, and converts it into Base64 encoding format before
sending it to the Command-and-Control (C&C) server.

We have analyzed and explained the detailed behavior of Aurora in the Technical
Analysis section.


TECHNICAL ANALYSIS



We have taken the following sample for our analysis (SHA256:
fd17b39833ee0fae6cc8549dfa602adff3cf002cd0a0ef8fa63876ec50a74552), which is a
32-bit Golang executable. The unique build ID of the Go-compiled binary is shown
below.

Figure 2 – Go build ID



Upon execution, the malware attempts to determine whether it is running in a
WINE environment by resolving the wine_get_version() function via the
GetProcAddress() API. It then uses Windows Management Instrumentation (WMI)
commands to gather system information, including the operating system’s name,
the graphics card’s name, and the processor’s name:

 * wmic os get Caption
   * Returns the caption or name of the operating system
 * wmic path win32_VideoController get name
   * Returns the name of the video controller or graphics card on the computer
 * wmic cpu get name
   * Returns the name of the processor
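The three queries above are a usable detection pattern: any one of them is routine administrative activity, but all three issued in quick succession by the same non-system parent process is not. The following is an added example, not Cyble's code, that runs that logic over constructed process-creation events (timestamp, host, parent image, command line); the field layout and the 60-second window are assumptions, not something the post specifies.

```python
import re
from collections import defaultdict

# The three WMI queries the blog attributes to Aurora's host fingerprinting,
# matched case-insensitively against process command lines.
AURORA_WMIC_QUERIES = {
    "os_caption": re.compile(r"\bwmic(?:\.exe)?\s+os\s+get\s+caption\b", re.I),
    "gpu_name": re.compile(r"\bwmic(?:\.exe)?\s+path\s+win32_videocontroller\s+get\s+name\b", re.I),
    "cpu_name": re.compile(r"\bwmic(?:\.exe)?\s+cpu\s+get\s+name\b", re.I),
}

# Constructed process-creation events: (seconds, host, parent image, command line).
# WS01 shows the pattern from a user-writable parent; WS02 is ordinary admin use.
CONSTRUCTED_EVENTS = [
    (100, "WS01", r"C:\Users\lab\Downloads\teamviewer.exe", "wmic os get Caption"),
    (101, "WS01", r"C:\Users\lab\Downloads\teamviewer.exe", "wmic path win32_VideoController get name"),
    (101, "WS01", r"C:\Users\lab\Downloads\teamviewer.exe", "wmic cpu get name"),
    (500, "WS02", r"C:\Windows\System32\cmd.exe", "wmic os get Caption"),
    (900, "WS02", r"C:\Windows\System32\cmd.exe", "wmic cpu get name"),
]

def find_fingerprint_bursts(events, window_s=60):
    """Report each (host, parent) that issued all three queries within
    window_s seconds. A single wmic query is routine; the complete triple
    from one parent in quick succession is the pattern worth alerting on."""
    seen = defaultdict(list)  # (host, parent) -> [(ts, query name)]
    for ts, host, parent, cmdline in events:
        for name, rx in AURORA_WMIC_QUERIES.items():
            if rx.search(cmdline):
                seen[(host, parent)].append((ts, name))
    hits = []
    for (host, parent), obs in seen.items():
        obs.sort()
        for i, (t0, _) in enumerate(obs):
            names = {n for t, n in obs[i:] if t - t0 <= window_s}
            if names == set(AURORA_WMIC_QUERIES):
                hits.append({"host": host, "parent": parent, "first_seen": t0})
                break
    return hits

if __name__ == "__main__":
    for hit in find_fingerprint_bursts(CONSTRUCTED_EVENTS):
        print(hit)
```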

After gathering the system details, the malware proceeds to collect additional
information about the system, such as the username, Hardware Identification
(HWID), Random-Access Memory (RAM) size, screen resolution, and IP address, as
shown below.

Figure 3 – Collected system information



After collecting system information, the malware enumerates the directories of
the browsers installed on the victim’s machine and searches for specific browser
data files stored in SQLite 3 format, including:

 * Cookies
 * History
 * Login Data
 * Web Data

Then, the stealer begins to extract information related to crypto wallets by
querying and reading files from specific directories. The stealer targets the
following crypto wallets:

 * “\\AppData\\Roaming\\Armory”
 * “\\AppData\\Roaming\\bytecoin”
 * “\\AppData\\Roaming\\Exodus”
 * “\\AppData\\Roaming\\Ethereum\\keystore”
 * “\\AppData\\Roaming\\Electrum\\wallets”
 * “\\AppData\\Roaming\\com.liberty.jaxx\\IndexedDB”
 * “\\AppData\\Roaming\\Guarda\\Local Storage\\leveldb”
 * “\\AppData\\Roaming\\Atomic\\Local Storage\\leveldb”
 * “\\AppData\\Roaming\\Zcash\\User Data\\Local State”

In addition to accessing crypto wallets through specific directories, Aurora
stealer also steals data from crypto wallet browser extensions. These extensions
are hard-coded into the stealer binary, and over 100 extensions have been
targeted. Some of the targeted extensions are shown in the image below.

Figure 4 – Targeted Crypto wallets with the extension ID



The malware continues its data collection by searching for FTP client software,
Telegram, Discord, and Steam on the victim’s machine and steals important
information from their config and session data files. The malware also grabs
specific files from directories such as Desktop and Documents and takes
screenshots of the victim’s system.

Finally, the Aurora stealer processes the stolen information by converting it
into JSON format, creating a GZIP archive of it, and encoding the GZIP archive
in Base64 format for exfiltration. The figure below illustrates the structure of
the JSON content that is used by the malware to store the stolen information.

Figure 5 – JSON format to store stolen data



The table below describes the keys of the JSON content.

 * Type – Type of the stolen data (Browser, Screenshot, files, etc.)
 * Info – object with the following fields:
   * Name – Victim’s device name
   * BuildID – Build name used by the TA
   * GroupID – GroupID used by the TA
   * OS – Operating system version
   * HWID – Victim’s machine hardware ID
   * GPU – Graphics card information
   * CPU – Processor information
   * RAM – RAM size
   * Location – Malware file path
   * Screen – Victim’s machine screen resolution
   * IP – Victim’s system IP (always empty)
 * Browser – Browser name (Chrome, Brave, Edge, etc.)
 * Cache – Base64-encoded content of the stolen file
 * Type_Grab – Target file info (Cookie, Password, etc.)
 * FileP – Target browser file (Cookies, Login Data, etc.)
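When a body in this format is captured at the proxy or in a sandbox, the JSON -> GZIP -> Base64 pipeline described above can be reversed to see exactly what left the host. The following is an added example, not Cyble's code: it encodes a constructed record laid out like the table (all values are placeholders), decodes it the way an analyst would a real body, and pulls out the triage-relevant fields, including the nested Base64 in Cache. Real samples may carry additional or differently named keys; the decoder tolerates missing ones.

```python
import base64
import gzip
import json

# Constructed record following the key layout in the table above (Type,
# Info{...}, Browser, Cache, Type_Grab, FileP). Every value is made up.
CONSTRUCTED_RECORD = {
    "Type": "Browser",
    "Info": {"Name": "LAB-WS01", "BuildID": "BUILD_PLACEHOLDER",
             "GroupID": "GROUP_PLACEHOLDER", "OS": "Microsoft Windows 10 Pro",
             "HWID": "HWID_PLACEHOLDER", "GPU": "Generic VGA", "CPU": "Generic CPU",
             "RAM": "8192", "Location": "C:\\Users\\lab\\Downloads\\teamviewer.exe",
             "Screen": "1920x1080", "IP": ""},
    "Browser": "Chrome",
    "Cache": base64.b64encode(b"SQLite format 3\x00" + b"\x00" * 16).decode(),
    "Type_Grab": "Cookie",
    "FileP": "Cookies",
}

def encode_like_aurora(record: dict) -> str:
    """JSON -> GZIP -> Base64, the pipeline the blog describes; used here only
    to produce a realistic body for the decoder to work on."""
    return base64.b64encode(gzip.compress(json.dumps(record).encode())).decode()

def decode_exfil_body(body: str) -> dict:
    """Reverse the pipeline on a captured request body. Any stage failing
    (bad Base64, not gzip, not JSON) raises, which itself tells the analyst
    the body is not in this format."""
    return json.loads(gzip.decompress(base64.b64decode(body, validate=True)))

def summarize(record: dict) -> dict:
    """Pull out what matters for triage: which host, what was taken, from
    which file. Cache is the stolen file itself, Base64-encoded a second time."""
    info = record.get("Info", {})
    cache = base64.b64decode(record.get("Cache", ""))
    return {
        "victim": info.get("Name"),
        "hwid": info.get("HWID"),
        "malware_path": info.get("Location"),
        "category": record.get("Type"),
        "browser": record.get("Browser"),
        "grab": record.get("Type_Grab"),
        "source_file": record.get("FileP"),
        "cache_bytes": len(cache),
        "cache_is_sqlite": cache.startswith(b"SQLite format 3\x00"),
    }

if __name__ == "__main__":
    print(summarize(decode_exfil_body(encode_like_aurora(CONSTRUCTED_RECORD))))
```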


COMMAND & CONTROL



Aurora Stealer communicates with the below C&C server IP (port 8081) and sends
the stolen information.

 * 45[.]15[.]156[.]210:8081

The below figure shows the network communication of the malware’s data
exfiltration.

Figure 6 – Exfiltrated data




CONCLUSION



Information stealers are a form of malware that pose a significant threat to
corporate networks by allowing unauthorized access. TAs employ various methods
to deliver malware to their victims. In this case, we have observed that they
are using phishing websites that mimic legitimate messenger sites to deliver
Aurora Stealer.

Recently, we have seen a rise in the number of malware samples padded with
unnecessary data to increase their size in order to evade detection. This
technique was also observed in other stealers, such as RedLine, Vidar, and
RecordBreaker.

Cyble Research and Intelligence Labs (CRIL) will continue monitoring the new
malware strains and phishing campaigns in the wild and update blogs with
actionable intelligence to protect users from such notorious attacks.


OUR RECOMMENDATIONS



 * The initial infection may happen via phishing websites, so enterprises should
   use security products to detect phishing websites.
 * Avoid downloading pirated software from Warez/Torrent websites. “Hack Tools”
   advertised on sites such as YouTube and torrent sites frequently carry such
   malware.
 * Use strong passwords and enforce multi-factor authentication wherever
   possible.
 * Turn on the automatic software update feature on your computer, mobile, and
   other connected devices.
 * Use a reputed antivirus and internet security software package on your
   connected devices, including PC, laptop, and mobile.
 * Refrain from opening untrusted links and email attachments without first
   verifying their authenticity.
 * Educate employees on protecting themselves from threats like
   phishing/untrusted URLs.
 * Block URLs that could be used to spread the malware, e.g., Torrent/Warez.
 * Monitor for beaconing at the network level to block data exfiltration by
   malware or TAs.


MITRE ATT&CK® TECHNIQUES



 * Execution
   * T1204 – User Execution
   * T1059 – Command and Scripting Interpreter
   * T1047 – Windows Management Instrumentation
 * Defense Evasion
   * T1027 – Obfuscated Files or Information
   * T1497 – Virtualization/Sandbox Evasion
 * Credential Access
   * T1003 – OS Credential Dumping
   * T1056 – Input Capture
   * T1552 – Credentials in Registry
 * Discovery
   * T1082 – System Information Discovery
   * T1518 – Security Software Discovery
   * T1083 – File and Directory Discovery
   * T1087 – Account Discovery
 * Collection
   * T1005 – Data from Local System
 * Command and Control
   * T1071 – Application Layer Protocol
   * T1095 – Non-Application Layer Protocol


INDICATORS OF COMPROMISE (IOCS)

 * b810b7d416251367ef790bc9a8a9830a69760ba5c1b83055e9a0647270629d9c (SHA256) –
   messenger.exe
 * fd17b39833ee0fae6cc8549dfa602adff3cf002cd0a0ef8fa63876ec50a74552 (SHA256) –
   messenger.exe, zero padding removed
 * 44b64cb2be0a5e9fd51528f00a308df71ead226c7cf733ed2568ada07c9044a8 (SHA256) –
   teamviewer.exe
 * c7f43e2afe62a622f77f888f56712a41aec56d5a765a95585f69e870359119c9 (SHA256) –
   teamviewer.exe, zero padding removed
 * hxxps[:]//messenger-download[.]top (Domain) – Phishing site
 * hxxps[:]//download[.]balint[.]info[.]hu/messenger[.]exe (URL) – Malware
   download URL
 * hxxps[:]//kodfem[.]hemsida[.]eu/downloads/teamviewer[.]exe (URL) – Malware
   download URL
 * 45[.]15[.]156[.]210:8081 (IP:Port) – C&C
