November 27, 2022

TheCyberThrone

Thinking Security ! Always

Aurora Info Stealer MaaS


Aurora Stealer is an info-stealing malware offered as Malware-as-a-Service by a threat actor known as Cheshire. It had many functionality not limited to data stealing and remote access capabilities.

The researchers analyzed several hundreds of collected samples and identified dozens of active C2 servers.

The infection chains leveraged phishing pages impersonating download pages of legitimate software, including cryptocurrency wallets or remote access tools, and the 911 method making use of YouTube videos and SEO-poised fake cracked software download websites.

The attackers used methods to deliver the malware, including phishing websites masquerading as legitimate ones, YouTube videos and fake free software catalogue websites. It has targetted 40 applications till now.

Threat actors behind this malware also advertised its loader capabilities, the malicious code in fact is able to deploy a next-stage payload using a PowerShell command.

Aurora Stealer is becoming a prominent threats. Multiple threat actors, including traffers teams, added the malware to their arsenal.

Indicators of Compromise

  • 138.201.92[.]44:8081
  • 146.19.24[.]118:8081
  • 167.235.233[.]95:9865
  • 185.173.36[.]94:8081
  • 185.209.22[.]98:8081
  • 193.233.48[.]15:9865
  • 37.220.87[.]2:8081
  • 45.137.65[.]190:8081
  • 45.144.30[.]146:8081
  • 45.15.156[.]115:8081
  • 45.15.156[.]22:8081
  • 45.15.156[.]33:8081
  • 45.15.156[.]80:8081
  • 45.15.156[.]97:8081
  • 45.15.157[.]137:8081
  • 49.12.222[.]119:8081
  • 49.12.97[.]28:8081
  • 5.9.85[.]111:8081
  • 65.108.253[.]85:8081
  • 65.109.25[.]109:8081
  • 78.153.144[.]31:8081
  • 79.137.195[.]171:8081
  • 81.19.140[.]21:8081
  • 82.115.223[.]218:8081
  • 85.192.63[.]114:8081
  • 89.208.104[.]160:8081
  • 95.214.55[.]225:8081
  • a485913f71bbd74bb8a1bdce2e2c5d80c107da7d6c08bf088599c1ee62ccb109
  • f6b17c5c0271074fc27c849f46b70e25deafa267a060c35f1636ab08dda237d6
  • 51a2fe0ea58a7a656bc817e91913f6d6c50e947823b96a3565e7593eea2fd785
  • 73485bc0ca251edcca9e4c279cbc4876b1584fb981a5607a4bdeae156a70d082
  • 2bdba09d02482f3016df62a205a456fc5e253f5911543bf40da14a59ad2bc566
  • 459a8faa7924a25a15f64c34910324baed5c24d2fe68badd9a4a320628c08cb8
  • aa504264669e5bdbda0aac3ada1cd16964499c92d2b48d036a16ba22d79f44f6
  • 4b5450b61a1be5531d43fe36f731c78a28447b85f2466b4389ea7bbb09ecec9c
  • 04b2edcc9d62923a37ef620f622528d70edab52ccd340981490046ad3aa255e5
  • a4a3a66aee74f3442961a860b8376d2a2dc2cf3783b0829f6973e63d6d839e5
%d bloggers like this: