Malware News 'Aurora' Go-Based InfoStealer Finds Favor Among Cyber-Threat Actors

upnorth

Jul 27, 2015
A growing number of cybercriminal groups are turning to an information stealer named Aurora, which is based on the Go open source programming language, to target data from browsers, cryptocurrency wallets, and local systems.

A research team at cybersecurity firm Sekoia discovered at least seven malicious actors, which it refers to as "traffers," that have added Aurora into their infostealer arsenal. In some cases, it's being used in conjunction with the Redline or Raccoon infostealers as well. More than 40 cryptocurrency wallets, and applications like Telegram, have been successfully targeted so far, according to the report, which highlighted Aurora's relative unknown status and elusive nature as tactical advantages. Aurora was first discovered by the company in July and is thought to have been promoted on Russian-speaking forums since April, where its remote access features and advanced information-stealing capabilities were touted.

"In October and November 2022, several hundreds of collected samples and dozens of active C2 servers contributed to confirm SEKOIA.IO['s] previous assessment that Aurora stealer would become a prevalent infostealer," the company's blog post explained. "As multiple threat actors, including traffers teams, added the malware to their arsenal, Aurora Stealer is becoming a prominent threat."

Gandalf_The_Grey

Apr 24, 2016
The report also noted that cybercriminal threat actors have been distributing it using multiple infection chains. These run the gamut from phishing websites masquerading as legitimate ones, to YouTube videos and fake "free software catalog" websites.

"These infection chains leverage phishing pages impersonating download pages of legitimate software, including cryptocurrency wallets or remote access tools, and the 911 method making use of YouTube videos and SEO-poised fake cracked software download websites," the blog post continued.

The company's analysis also highlights two infection chains currently distributing the Aurora stealer in the wild, one through a phishing site impersonating Exodus Wallet and another from a YouTube video from a stolen account on how to install cracked software for free.