Hackers Use Shapeshifting Tactics to Steal Information Stealing Malware

Recently, Cyble Research and Intelligence Labs (CRIL) discovered Aurora Stealer malware imitating popular applications on phishing sites to infect as many users as possible.

To target a variety of well-known applications, the threat actors behind this attack are actively changing and customizing their phishing websites.

Cyble researchers analyze Aurora, an information stealer using phishing pages based on popular applications to infect users. Aurora targets data from web browsers, crypto wallets, browser extensions, telegram & specific user directories.

Aurora – A Stealer Using Shapeshifting Tactics

On January 16th, 2023, Cyble Research and Intelligence Labs (CRIL) discovered a phishing website called “hxxps[:]/messenger-download[.]top” that was pretending to be a website for a chat application.

The following day, January 17th, 2023, it was discovered that the same phishing site was impersonating the official TeamViewer website.

When a user clicks the “Download” button on a phishing website, malicious files with the names “messenger.exe” and “teamviewer.exe” is downloaded from the associated URLs.

“The “messenger.exe” and “teamviewer.exe” files that have been downloaded are actually malicious Aurora Stealer samples, which have been padded with extra zeroes at the end to increase their size to around 260MB”, CRIL researchers.

Here, threat actors employ this technique to avoid antivirus software detection because processing larger files can be challenging for AV.

Researchers mention that the malware file uses Windows Management Instrumentation (WMI) commands to gather system information, including the operating system’s name, the graphics card’s name, and the processor’s name.

Additionally, the malware continues to gather information about the system including the username, Hardware Identification (HWID), Random-Access Memory (RAM) size, screen resolution, and IP address.

The malware also searches for specific browser-related files saved in SQLite, such as Cookies, History, Login Data, and Web Data, by querying the directories of installed browsers on the victim’s computer.

Then, the stealer begins to extract information related to crypto wallets by querying and reading files from specific directories. 

Aurora stealer also steals data from crypto wallet browser extensions. Researchers say over 100 extensions have been specifically targeted and are hard-coded into the stealer binary.

“The malware continues its data collection by searching for FTP client software, Telegram, Discord, and Steam applications in the victim’s machine and steals important information from their config and session data files”, CRIL researchers 

“The malware also grabs specific files from directories like the Desktop and Documents and takes screenshots of the victim’s system”.

Finally, the Aurora stealer then prepares the stolen data for exfiltration by converting it to JSON format, putting it in a GZIP archive, and encoding the GZIP archive in Base64.

Final Word

Malware samples are increasingly being padded with unnecessary data to make them bigger and avoid detection. Other stealers, including RedLine, Vidar, and RecordBreaker, were also found to use this tactic.

Thus, apply multi-factor authentication whenever possible, and use strong passwords. Activate the automatic software updates, and inform employees about how to defend themselves against dangers like phishing and unsafe URLs.

Block URLs like Torrent/Warez that could be used to propagate malware. Also, monitor the beacon on the network level to block data exfiltration by malware or threat actors.

Network Security Checklist – Download Free E-Book