May 28, 2023

Aurora Stealer is an info-stealing malware offered as Malware-as-a-Service by a threat actor known as Cheshire. It had many functionality not limited to data stealing and remote access capabilities.

The researchers analyzed several hundreds of collected samples and identified dozens of active C2 servers.

The infection chains leveraged phishing pages impersonating download pages of legitimate software, including cryptocurrency wallets or remote access tools, and the 911 method making use of YouTube videos and SEO-poised fake cracked software download websites.

The attackers used methods to deliver the malware, including phishing websites masquerading as legitimate ones, YouTube videos and fake free software catalogue websites. It has targetted 40 applications till now.

Threat actors behind this malware also advertised its loader capabilities, the malicious code in fact is able to deploy a next-stage payload using a PowerShell command.

Aurora Stealer is becoming a prominent threats. Multiple threat actors, including traffers teams, added the malware to their arsenal.

Indicators of Compromise

  • 138.201.92[.]44:8081
  • 146.19.24[.]118:8081
  • 167.235.233[.]95:9865
  • 185.173.36[.]94:8081
  • 185.209.22[.]98:8081
  • 193.233.48[.]15:9865
  • 37.220.87[.]2:8081
  • 45.137.65[.]190:8081
  • 45.144.30[.]146:8081
  • 45.15.156[.]115:8081
  • 45.15.156[.]22:8081
  • 45.15.156[.]33:8081
  • 45.15.156[.]80:8081
  • 45.15.156[.]97:8081
  • 45.15.157[.]137:8081
  • 49.12.222[.]119:8081
  • 49.12.97[.]28:8081
  • 5.9.85[.]111:8081
  • 65.108.253[.]85:8081
  • 65.109.25[.]109:8081
  • 78.153.144[.]31:8081
  • 79.137.195[.]171:8081
  • 81.19.140[.]21:8081
  • 82.115.223[.]218:8081
  • 85.192.63[.]114:8081
  • 89.208.104[.]160:8081
  • 95.214.55[.]225:8081
  • a485913f71bbd74bb8a1bdce2e2c5d80c107da7d6c08bf088599c1ee62ccb109
  • f6b17c5c0271074fc27c849f46b70e25deafa267a060c35f1636ab08dda237d6
  • 51a2fe0ea58a7a656bc817e91913f6d6c50e947823b96a3565e7593eea2fd785
  • 73485bc0ca251edcca9e4c279cbc4876b1584fb981a5607a4bdeae156a70d082
  • 2bdba09d02482f3016df62a205a456fc5e253f5911543bf40da14a59ad2bc566
  • 459a8faa7924a25a15f64c34910324baed5c24d2fe68badd9a4a320628c08cb8
  • aa504264669e5bdbda0aac3ada1cd16964499c92d2b48d036a16ba22d79f44f6
  • 4b5450b61a1be5531d43fe36f731c78a28447b85f2466b4389ea7bbb09ecec9c
  • 04b2edcc9d62923a37ef620f622528d70edab52ccd340981490046ad3aa255e5
  • a4a3a66aee74f3442961a860b8376d2a2dc2cf3783b0829f6973e63d6d839e5
Tags:

Leave a Reply

You may have missed

Zyxel Patches Critical Buffer Overflow Vulnerability

Zyxel Patches Critical Buffer Overflow Vulnerability

May 27, 2023
Apria Data Breach affects 2 million customers

Apria Data Breach affects 2 million customers

May 27, 2023
CosmicEnergy Malware Shutting Electric grid

CosmicEnergy Malware Shutting Electric grid

May 27, 2023
Operation Magalenha from Brazil

Operation Magalenha from Brazil

May 27, 2023
Buhti Ransomware Dissection

Buhti Ransomware Dissection

May 26, 2023
Volt Typhoon – Chinese Threat Actor Targetting US Infra

Volt Typhoon – Chinese Threat Actor Targetting US Infra

May 25, 2023
%d bloggers like this: