Aurora infostealer malware increasingly adopted by cybergangs

Cybercriminals are increasingly turning to a new Go-based information stealer named ‘Aurora’ to steal sensitive information from browsers and cryptocurrency apps, exfiltrate data directly from disks, and load additional payloads.

According to cybersecurity firm SEKOIA, at least seven notable cybergangs with significant activity have adopted Aurora exclusively, or along with Redline and Raccoon, two other established information-stealing malware families.

One of the cybergangs boasting about using Aurora — **Cybergang boasting use of Aurora along Raccoon**
*Source: SEKOIA*

The reason for this sudden rise in Aurora’s popularity is its low detection rates and general unknown status, making its infections less likely to be detected.

Simultaneously, Aurora offers advanced data-stealing features and presumably infrastructural and functional stability.

Aurora history

Aurora was first announced in April 2022 on Russian-speaking forums, advertised as a botnet project with state-of-the-art info-stealing and remote access features.

As KELA reported earlier this year, Aurora’s author was looking to form a small team of testers to ensure the final product is good enough.

However, in late August 2022, SEKOIA noticed that Aurora was advertised as a stealer, so the project abandoned its goal of creating a multi-function tool.

The highlight features listed in the promotional posts are:

Polymorphic compilation that doesn’t require crypter wrapping
Server-side data decryption
Targets over 40 cryptocurrency wallets
Automatic seed phrase deduction for MetaMask
Reverse lookup for password collection
Runs on TCP sockets
Communicates with C2 only once, during license check
Fully native small payload (4.2 MB) requiring no dependencies

The above features are geared towards high-level stealthiness, which is the main advantage of Aurora over other popular info-stealers.

The cost to rent the malware was set to $250 per month or $1,500 for a lifetime license.

Stealer analysis

Upon execution, Aurora runs several commands through WMIC to collect basic host information, snaps a desktop image, and sends everything to the C2.

**Commands Aurora executes upon launch**
*Source: SEKOIA*

Next, the malware targets data stored in multiple browsers (cookies, passwords, history, credit cards), cryptocurrency browser extensions, cryptocurrency wallet desktop apps, and Telegram.

The targeted desktop wallet apps include Electrum, Ethereum, Exodus, Zcash, Armory, Bytecoin, Guarda, and Jaxx Liberty.

All stolen data is bundled in a single base64-encoded JSON file and exfiltrated to the C2 through TCP ports 8081 or 9865.

SEKOIA reports they couldn’t confirm the existence of a working file grabber as the author of the malware promises.

However, the analysts observed Aurora’s malware loader that uses “net_http_Get” to drop a new payload onto the filesystem using a random name and then use PowerShell to execute it.