Aurora StealerBreaking NewsCyber Crimecybercrimedark webhackinghacking newsinformation security newsIT Information SecurityMaaSmalwarePierluigi Paganinisecurite informatiqueSecurity AffairsSecurity News

Aurora Stealer Malware is becoming a prominent threat in the cybercrime ecosystem

Researchers warn of threat actors employing a new Go-based malware dubbed Aurora Stealer in attacks in the wild.

Aurora Stealer is an info-stealing malware that was first advertised on Russian-speaking underground forums in April 2022. Aurora was offered as Malware-as-a-Service (MaaS) by a threat actor known as Cheshire. It is a multi-purpose botnet with data stealing and remote access capabilities.

Aurora Stealer

Researchers at SEKOIA identified 7 traffers teams on Dark Web forums that announced the availability of the Aurora Stealer in their arsenal, a circumstance that confirms the increased popularity of the malware among threat actors.

Traffers Team Malware arsenal Launch date Last observed activity
RavenLogs Aurora, Redline 17/10/2022 14/11/2022
BrazzersLogs Aurora, Raccoon 14/11/2022 14/11/2022
DevilsTraff Aurora, Raccoon 30/10/2022 14/11/2022
YungRussia Aurora 16/10/2022 31/10/2022
Gfbg6 Aurora 14/09/2022 24/10/2022
SAKURA Aurora 10/08/2022 04/11/2022
HellRide Aurora 09/07/2022 15/07/2022

In October and November 2022, the researchers analyzed several hundreds of collected samples and identified dozens of active C2 servers. The experts also observed multiple infection chains leading to the deployment of Aurora stealer. The attackers used methods to deliver the malware, including phishing websites masquerading as legitimate ones, YouTube videos and fake “free software catalogue” websites.

“These infection chains leveraged phishing pages impersonating download pages of legitimate software, including cryptocurrency wallets or remote access tools, and the 911 method making use of YouTube videos and SEO-poised fake cracked software download websites.” reads the analysis by the experts.

The malware was also able to target 40 cryptocurrency wallets and applications like Telegram.

Threat actors behind this malware also advertised its loader capabilities, the malicious code in fact is able to deploy a next-stage payload using a PowerShell command.

“Aurora is another infostealer targeting data from browsers, cryptocurrency wallets, local systems, and acting as a loader. Sold at a high price on market places, collected data is of particular interest to cybercriminals, allowing them to carry out follow-up lucrative campaigns, including Big Game Hunting operations.” concludes the report. “As multiple threat actors, including traffers teams, added the malware to their arsenal, Aurora Stealer is becoming a prominent threat.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Aurora Stealer)

The post Aurora Stealer Malware is becoming a prominent threat in the cybercrime ecosystem appeared first on Security Affairs.