Researchers at SEKOIA identified 7 traffers teams on Dark Web forums that announced the availability of the Aurora Stealer in their arsenal, which confirms the growing popularity of the malware among threat actors.
What does the Aurora Stealer malware do?
Aurora started in April as a multi-purpose botnet with stealing, downloading, and remote-access capabilities.
It first fingerprints the system using the Windows Management Instrumentation Command-line (WMIC). It then attempts to collect data from browsers, browser extensions, and Telegram, and searches several user directories for files of interest to grab.
Once Aurora has completed the information gathering, it sends messages to the Command and Control (C2) server with the collected information formatted as JSON, followed by base64-encoded copies of every file the grabber was configured to collect. The final step downloads a remote payload and loads it via PowerShell to continue the attack chain.
The report found that executing Aurora triggers several information-collection commands, with the malware targeting browser-stored data, data from cryptocurrency wallet desktop apps such as Ethereum and Zcash, cryptocurrency browser extensions, and Telegram.
IoCs
138.201.92[.]44:8081
146.19.24[.]118:8081
167.235.233[.]95:9865
185.173.36[.]94:8081
185.209.22[.]98:8081
193.233.48[.]15:9865
37.220.87[.]2:8081
45.137.65[.]190:8081
45.144.30[.]146:8081
45.15.156[.]115:8081
45.15.156[.]22:8081
45.15.156[.]33:8081
45.15.156[.]80:8081
45.15.156[.]97:8081
45.15.157[.]137:8081
49.12.222[.]119:8081
49.12.97[.]28:8081
5.9.85[.]111:8081
65.108.253[.]85:8081
65.109.25[.]109:8081
78.153.144[.]31:8081
79.137.195[.]171:8081
81.19.140[.]21:8081
82.115.223[.]218:8081
85.192.63[.]114:8081
89.208.104[.]160:8081
95.214.55[.]225:8081
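The C2 addresses above are published defanged (`[.]` instead of `.`), so they cannot be dropped into a blocklist or log search as-is. The following is an added example, not code from the SEKOIA report or from this article: it refangs the list, validates each entry, and matches outbound connections in constructed firewall log lines against the C2 set, both strictly (IP and port) and by IP alone, since the port a C2 listens on can change between campaigns. The log line format, the `203.0.113.8` benign destination and the `10.0.0.x` source hosts are constructed for the example; the C2 entries are copied from the IoC list above.

```python
from __future__ import annotations

import ipaddress
import re
from typing import Iterable, List, Set, Tuple

# Defanged C2 list, copied verbatim from the IoC section above (host:port).
AURORA_C2_DEFANGED = """
138.201.92[.]44:8081
146.19.24[.]118:8081
167.235.233[.]95:9865
185.173.36[.]94:8081
185.209.22[.]98:8081
193.233.48[.]15:9865
37.220.87[.]2:8081
45.137.65[.]190:8081
45.144.30[.]146:8081
45.15.156[.]115:8081
45.15.156[.]22:8081
45.15.156[.]33:8081
45.15.156[.]80:8081
45.15.156[.]97:8081
45.15.157[.]137:8081
49.12.222[.]119:8081
49.12.97[.]28:8081
5.9.85[.]111:8081
65.108.253[.]85:8081
65.109.25[.]109:8081
78.153.144[.]31:8081
79.137.195[.]171:8081
81.19.140[.]21:8081
82.115.223[.]218:8081
85.192.63[.]114:8081
89.208.104[.]160:8081
95.214.55[.]225:8081
"""


def refang(ioc: str) -> str:
    """Turn a defanged indicator such as 45.15.156[.]22:8081 into 45.15.156.22:8081."""
    return ioc.strip().replace("[.]", ".").replace("hxxp", "http")


def load_c2_set(defanged_blob: str) -> Set[Tuple[str, int]]:
    """Parse a defanged host:port list into a set of (ip, port) tuples.

    Each host is validated with ipaddress so a typo in the feed fails loudly
    instead of silently never matching.
    """
    c2: Set[Tuple[str, int]] = set()
    for line in defanged_blob.splitlines():
        line = line.strip()
        if not line:
            continue
        host, _, port = refang(line).rpartition(":")
        ipaddress.ip_address(host)  # raises ValueError on a malformed entry
        c2.add((host, int(port)))
    return c2


# Constructed firewall log format (assumption for this example, not a real product's format).
LOG_LINE_RE = re.compile(r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)")

# Constructed sample log lines: two strict C2 hits, one IP-only hit on a
# non-listed port, and one benign connection to a documentation address.
SAMPLE_LOGS = [
    "2023-01-10T09:12:01Z fw src=10.0.0.15 dst=45.15.156.22 dport=8081 proto=tcp action=allow",
    "2023-01-10T09:12:03Z fw src=10.0.0.15 dst=203.0.113.8 dport=443 proto=tcp action=allow",
    "2023-01-10T09:13:44Z fw src=10.0.0.27 dst=193.233.48.15 dport=443 proto=tcp action=allow",
    "2023-01-10T09:14:10Z fw src=10.0.0.9 dst=5.9.85.111 dport=8081 proto=tcp action=deny",
]


def match_c2(
    log_lines: Iterable[str],
    c2: Set[Tuple[str, int]],
    ip_only: bool = False,
) -> List[Tuple[str, str, int]]:
    """Return (source, destination, port) for every log line that reaches a listed C2.

    With ip_only=True the port is ignored, which catches infrastructure reuse
    on a different port at the cost of more review work for the analyst.
    """
    c2_ips = {ip for ip, _ in c2}
    hits: List[Tuple[str, str, int]] = []
    for line in log_lines:
        m = LOG_LINE_RE.search(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        dst, dport = m.group("dst"), int(m.group("dport"))
        if (dst, dport) in c2 or (ip_only and dst in c2_ips):
            hits.append((m.group("src"), dst, dport))
    return hits


if __name__ == "__main__":
    c2_set = load_c2_set(AURORA_C2_DEFANGED)
    for src, dst, port in match_c2(SAMPLE_LOGS, c2_set, ip_only=True):
        print(f"possible Aurora C2 contact: {src} -> {dst}:{port}")
```

Note that a denied connection (the last sample line) is still worth an alert: the host attempted to reach a known C2, which points at an infection even though the session was blocked.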