  • Aurora malware is gaining popularity in the cybercriminal arena


    Aurora is an infostealer that first appeared on Russian-language hacker forums in April 2022. Its developer initially advertised it as a botnet with broad functionality that let operators steal information and gain remote access to victims' systems. By the end of August 2022, however, researchers from SEKOIA noticed that Aurora was being advertised as an infostealer, which suggests that the developer gave up on building a multifunctional tool. The malware is still sold with a long list of advertised features:

    • Polymorphic compilation;
    • Data decryption on the server side;
    • Support for more than 40 crypto wallets;
    • Automatic seed phrase detection for MetaMask;
    • Reverse lookup implementation for collecting passwords;
    • Communication over raw TCP sockets;
    • A connection to the C2 only once, during the license check;
    • A payload of only 4.2 MB with no external dependencies.

    These are the seller's claims rather than observed behaviour, but according to experts, taken together they would make the malware nearly invisible to security tooling, which would be a significant advantage over other popular infostealers. Aurora is sold for $250 per month or $1,500 for a lifetime license.

    When launched, Aurora runs a few commands via WMIC to collect basic information about the host, takes a screenshot of the desktop and sends everything to the attackers' C&C server. It then searches for data stored in browsers (cookies, passwords, browsing history, credit card data), cryptocurrency browser extensions, crypto wallet applications (Electrum, Ethereum, Exodus, Zcash, Armory, Bytecoin, Guarda and Jaxx Liberty) and Telegram.

    All stolen data is collected into a single JSON document, base64-encoded and sent to the attackers' C&C server over TCP port 8081 or 9865. Base64 is an encoding, not encryption, so anything captured on the wire can be read back directly.
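    The two observable behaviours above, WMIC recon by a process that should not be running WMIC and a base64-wrapped JSON upload to port 8081 or 9865, are what a detection engineer would key on. The following is an added example, not SEKOIA's tooling or Aurora's own code: it decodes a captured exfil blob and runs two rules over constructed Sysmon-style event lines. The log format, file paths, command lines and JSON field names are all constructed for illustration and are not taken from the article.

```python
"""Detection heuristics for the Aurora behaviours described in the article:
WMIC-based host recon and base64-wrapped JSON exfiltration over TCP 8081/9865.
Added example; the log format, paths and JSON field names are constructed."""
import base64
import json
import re

AURORA_C2_PORTS = {8081, 9865}   # the two ports named in the article
WINDOWS_DIR = "c:\\windows\\"

# Constructed sample of what the exfil blob looks like under the article's
# description: one JSON object, base64-encoded. Field names are invented.
SAMPLE_EXFIL_JSON = {
    "host": {"os": "Microsoft Windows 10 Pro", "cpu": "Intel Core i5"},
    "browsers": [{"name": "Chrome", "cookies": 142, "passwords": 9}],
    "wallets": ["Exodus", "Electrum"],
}
SAMPLE_EXFIL = base64.b64encode(json.dumps(SAMPLE_EXFIL_JSON).encode())


def decode_exfil(payload: bytes):
    """Return the JSON object inside a base64 blob, or None.

    Base64 is an encoding, not encryption, so a captured upload can be read
    back with nothing more than this. Payloads that are not strict base64,
    not UTF-8 JSON, or not a JSON object are rejected.
    """
    try:
        raw = base64.b64decode(payload.strip(), validate=True)
        obj = json.loads(raw.decode("utf-8"))
    except ValueError:   # covers binascii.Error, UnicodeDecodeError, JSONDecodeError
        return None
    return obj if isinstance(obj, dict) else None


# Constructed Sysmon-style events (key=value, quoted where values have spaces).
SAMPLE_LOG = [
    'EventType=ProcessCreate Image=C:\\Windows\\System32\\wbem\\WMIC.exe '
    'ParentImage=C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe '
    'CommandLine="wmic os get Caption"',
    'EventType=ProcessCreate Image=C:\\Windows\\System32\\wbem\\WMIC.exe '
    'ParentImage=C:\\Windows\\System32\\cmd.exe CommandLine="wmic cpu get name"',
    'EventType=NetworkConnect Image=C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe '
    'DestinationIp=203.0.113.10 DestinationPort=8081',
    'EventType=NetworkConnect Image="C:\\Program Files\\Mozilla Firefox\\firefox.exe" '
    'DestinationIp=198.51.100.5 DestinationPort=443',
]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line: str) -> dict:
    """Split a key=value line into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def flag_event(ev: dict):
    """Return the name of the first matching rule, or None."""
    image = ev.get("Image", "").lower()
    parent = ev.get("ParentImage", "").lower()
    if ev.get("EventType") == "ProcessCreate":
        # Recon: wmic.exe spawned by something outside C:\Windows. Admin
        # scripts normally launch it from cmd/powershell, which live there.
        if image.endswith("\\wmic.exe") and not parent.startswith(WINDOWS_DIR):
            return "wmic_from_unusual_parent"
    elif ev.get("EventType") == "NetworkConnect":
        port = ev.get("DestinationPort", "")
        # Exfil: a user-land process talking to one of the two C2 ports.
        # 8081 is also a common dev/proxy port, so tune this on real data.
        if port.isdigit() and int(port) in AURORA_C2_PORTS \
                and not image.startswith(WINDOWS_DIR):
            return "c2_port_from_user_process"
    return None


def scan(lines):
    """Return [(rule, line)] for every event that trips a rule."""
    hits = []
    for line in lines:
        rule = flag_event(parse_event(line))
        if rule:
            hits.append((rule, line))
    return hits


if __name__ == "__main__":
    for rule, line in scan(SAMPLE_LOG):
        print(rule, "<-", line[:70])
    print(decode_exfil(SAMPLE_EXFIL))
```

    The parent-process rule is the more durable of the two: it does not depend on the C2 ports, which a seller can change in the next build, and it catches the recon step before any data leaves the host. Pair the port rule with the base64/JSON check on the payload to cut the false positives that port 8081 alone would generate.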

    SEKOIA reports that its analysts could not find the working file grabber the developer promised. They did, however, find an Aurora dropper that uses "net_http_Get" (the Get function of Go's net/http package) to fetch a payload, writes it to the file system under a random name and then executes it with a PowerShell command.

    Aurora is currently distributed mainly through phishing sites, which the attackers promote via YouTube videos and phishing emails.

    A complete list of indicators of compromise and of the sites used to distribute Aurora is available in the SEKOIA GitHub repository.

    Author DeepWeb