Sekoia analysts warn that Aurora malware written in Go is gaining popularity among attackers. This malware steals confidential information from browsers and cryptocurrency applications, and is also capable of extracting data directly from disks and downloading additional payloads to the victim’s machine.
According to researchers, at least seven active hack groups use Aurora exclusively, or combine this malware with Redline and Raccoon (two other known malware families for stealing information).
Apparently, the reason for the rapid growth in popularity of Aurora was the low detection rates. In addition, the malware offers criminals advanced features for data theft and, presumably, infrastructure and functional stability. The cost of renting the malware is $250 per month or $1,500 for a lifetime license.
The appearance of Aurora was first announced in April 2022 on Russian-language hack forums, where the malware was advertised as a botnet with unique features for stealing information and remote access. According to KELA, the author of Aurora even formed a small team of testers earlier this year to make sure the "final product" turned out well.
Later, in August 2022, Sekoia researchers noticed that Aurora was already being advertised as an infostealer, which means that the authors of the project apparently abandoned the idea of creating a multifunctional tool.
The main features of Aurora listed in the advertisement are as follows:
Once in the system, Aurora runs a few commands through WMIC to collect basic information about the host, then takes a screenshot of the desktop and sends it all to the command and control server.
After that, the malware tries to steal data stored in browsers (cookies, passwords, history, bank cards), cryptocurrency extensions for browsers, as well as desktop cryptocurrency wallets and Telegram. Target applications include Electrum, Ethereum, Exodus, Zcash, Armory, Bytecoin, Guarda, and Jaxx Liberty.
All stolen data is combined into a single base64-encoded JSON file and transmitted to the command and control server via TCP ports 8081 or 9865.
Experts say they have not been able to confirm the existence of a working file grabber advertised by the malware author. However, analysts have noticed a malware downloader that uses net_http_Get to download additional payloads to a randomly named filesystem and then uses PowerShell to execute them.
Currently, Aurora is being distributed among victims in a variety of ways (which is not surprising, given that the malware is used by at least seven different groups). For example, experts have discovered cryptocurrency-related phishing sites advertised with phishing emails and YouTube videos. These sites link to various fake software and cheat catalog sites.
A complete list of indicators of compromise and similar sites through which Aurora is distributed is available on GitHub.
According to researchers, at least seven active hack groups use Aurora exclusively, or combine this malware with Redline and Raccoon (two other known malware families for stealing information).
Apparently, the reason for the rapid growth in popularity of Aurora was the low detection rates. In addition, the malware offers criminals advanced features for data theft and, presumably, infrastructure and functional stability. The cost of renting the malware is $250 per month or $1,500 for a lifetime license.
The appearance of Aurora was first announced in April 2022 on Russian-language hack forums, where the malware was advertised as a botnet with unique features for stealing information and remote access. According to KELA, the author of Aurora even formed a small team of testers earlier this year to make sure the "final product" turned out well.
Later, in August 2022, Sekoia researchers noticed that Aurora was already being advertised as an infostealer, which means that the authors of the project apparently abandoned the idea of creating a multifunctional tool.
The main features of Aurora listed in the advertisement are as follows:
- polymorphic compilation that does not require a cryptor;
- data decryption on the server side;
- attacks on 40+ cryptocurrency wallets;
- automatic processing of seed phrases for MetaMask
- works on TCP sockets;
- refers to the C&C only once, during the license check;
- native and small payload (4.2 MB) requiring no dependencies.
Once in the system, Aurora runs a few commands through WMIC to collect basic information about the host, then takes a screenshot of the desktop and sends it all to the command and control server.
After that, the malware tries to steal data stored in browsers (cookies, passwords, history, bank cards), cryptocurrency extensions for browsers, as well as desktop cryptocurrency wallets and Telegram. Target applications include Electrum, Ethereum, Exodus, Zcash, Armory, Bytecoin, Guarda, and Jaxx Liberty.
All stolen data is combined into a single base64-encoded JSON file and transmitted to the command and control server via TCP ports 8081 or 9865.
Experts say they have not been able to confirm the existence of a working file grabber advertised by the malware author. However, analysts have noticed a malware downloader that uses net_http_Get to download additional payloads to a randomly named filesystem and then uses PowerShell to execute them.
Currently, Aurora is being distributed among victims in a variety of ways (which is not surprising, given that the malware is used by at least seven different groups). For example, experts have discovered cryptocurrency-related phishing sites advertised with phishing emails and YouTube videos. These sites link to various fake software and cheat catalog sites.
A complete list of indicators of compromise and similar sites through which Aurora is distributed is available on GitHub.
