Since December 2022, the eSentire Threat Response Unit (TRU) has observed Aurora Stealer malware infections in the manufacturing industry. It's distributed via fake Google Ads for Notepad++ installer. Aurora Stealer gathers sensitive data, including cookies, autofill information, and encrypted passwords from browsers such as Opera, Brave, Mozilla Firefox, Chrome, etc. However, it is worth noting that the stealer does not collect credentials from Mozilla Firefox.
The malware is priced at $125 USD per month, $300 USD for 3 months of access, and $1,000 USD for lifetime access. To avoid detection by antivirus scanners, the binary is padded with junk bytes to increase the file size.
This malware analysis delves deeper into the technical details of how the Aurora Stealer malware operates and our security recommendations to protect your organization from being exploited.
Drive-by downloads are becoming increasingly common as attackers find new ways to access and exfiltrate sensitive data.
Since December 2022, the eSentire Threat Response Unit (TRU) has observed several Aurora Stealer infections in the manufacturing industry. The stealer is distributed via Google Ads as fake installers for Notepad++, TeamViewer, Nvidia drivers, and other software (Figures 1-3).
The stealer uses the Cheshire cat from Alice in Wonderland as its mascot and began appearing for sale on Russian-speaking forums in early 2022. The stealer is written in Golang, capable of stealing over 90 crypto wallets, and has an embedded Loader module that includes the downloader and PowerShell; the developer claims that the stealer does not need any dependencies to function.
The stealer also has a web panel, so the operator does not need to work directly on the dedicated server (Russian hacking-forum slang: “dedik”, дедик) that hosts the stealer and processes the logs. The stealer is priced at $125 for one month of access, $300 for 3 months of access, and $1000 for lifetime access. The stealer does not work in Russia and the CIS (Commonwealth of Independent States) countries (Figures 4-6).
At the time of this writing, the malware developer advertised that the pre-orders come with lifetime access to Aurora Botnet and Aurora Stealer, including all the modules such as DDoS, SiteScanner, Loader, Brute Force, PowerShell/CMD execution, etc. (Figure 7).
The cost of the pre-order is $1000. The botnet is a separate panel that allows an attacker to execute remote commands and perform specific tasks on the hosts, and to remote into them using hVNC/HRDP/RDP/VNC (Figures 8-10).
The Aurora stealer login can also be seen in Figure 11. A snippet of the Aurora manual for setting up and leveraging the malware can be seen in Figure 12.
Aurora Stealer is spread via installs (Russian: инсталл), also known as Pay-Per-Install (PPI) services, traffers (Russian: трафферы), or Google Ads. Pay-Per-Install (PPI) is a type of online advertising model where advertisers pay publishers a commission for every installation of their software or application that occurs as a result of the publisher's promotion. The end-user would be redirected to an attacker’s landing page (Russian slang: ленд), where they download the malicious stealer payload.
Install services can also spread the stealer via already-infected hosts, which may be infected with other malware families such as RATs (Remote Access Trojans). One of the popular install services used by Aurora Stealer is InstallLabs (Figure 13).
Traffers are groups of people responsible for spreading stealers by posting links to the download pages on social media platforms such as Facebook and YouTube. The worker (Russian: воркер) is the individual within the traffer group who is responsible for spreading the stealer.
To evade antivirus scanners, the attacker(s) usually fill the stealer binary with junk bytes to increase the file size, then archive and password-protect it. Aurora Stealer lets users pack the build (stealer payload) or add junk bytes to it, increasing the file size for detection and sandbox evasion (Figure 14).
The increase in file size can significantly impact the stealer's execution rate (Russian: отстук), which is used to assess the quality of data transmission from the sender to the server: the better the transmission quality, the more likely the attacker receives all of the stolen logs.
The attacker(s) can bypass SmartScreen controls by purchasing an EV certificate. SmartScreen is a security feature in Microsoft Windows that warns users about potentially unsafe websites and downloads. It uses a database of known threats and machine learning algorithms to identify new and suspicious behavior.
An EV (Extended Validation) certificate is a type of digital certificate used to authenticate and secure online communication. It verifies the identity of a website's owner and displays a green address bar in the browser to indicate that the site is trustworthy. Commonly used by financial and e-commerce websites, EV certificates are considered the highest level of validation and can be expensive to purchase (Figure 15).
EV certificates can also be used to bypass User Account Control (UAC) alerts, which is a security feature in Windows operating systems that helps prevent unauthorized changes to a computer. When a user attempts to perform an action that requires elevated permissions, such as installing software or changing system settings, a UAC alert appears on the screen, asking the user to confirm the action.
The infection starts with basic reconnaissance commands spawned via wmic.exe and cmd.exe (Figure 16):
As mentioned before, the stealer binary is written in Go. Without any size pumping or crypting (obfuscating and encrypting the binary), the stealer binary is 2.96 MB in size.
The Aurora developer(s) offer their own crypting service for $40 per crypt or $300 for 10 crypts (Figure 17).
The function responsible for enumerating the GPU, CPU, and the caption of the operating system (gets the OS information) is shown in Figures 18-20. The gathered information is then sent to the stealer’s panel and is contained in a text file named “UserInformation”.
The stealer mainly uses win, the Windows API package for Go, to perform specific tasks such as taking the screenshot of the host using the APIs such as CompatibleBitmap, CreateCompatibleDC, GetDC, and BitBlt (Figure 21).
The stealer retrieves the GUID of the infected machine via querying for the MachineGuid parameter under SOFTWARE\Microsoft\Cryptography (Figure 22).
The functions shown in Figure 23 retrieve the infected machine's screen size and hold the Build ID and Build Group. This information is also written to the “UserInformation” text file.
Aurora Stealer gathers sensitive data, including cookies, autofill information, and encrypted passwords from browsers such as Opera, Brave, Mozilla Firefox, Chrome, etc. The gathered information is temporarily stored under the %temp% folder (Figure 24). However, it is worth noting that the stealer does not collect credentials from Mozilla Firefox.
Under the function main_getMasterKey, we can see the references to os_crypt, encrypted_key, and DPAPI (Figure 25).
DPAPI (Data Protection Application Programming Interface) is used, for example, to store cookies and password information for Chrome browsers. DPAPI exposes the CryptProtectData and CryptUnprotectData APIs to encrypt and decrypt data, respectively.
Chrome stores the DPAPI-encrypted AES key, which is the Master Key, under os_crypt.encrypted_key in base64-encoded form. To decrypt the saved credentials and cookies, Aurora Stealer needs to decode the base64-encoded string and call the CryptUnprotectData function, then remove the padding from the master key.
Aurora Stealer has multiple Grabber functions that are responsible for collecting additional data such as crypto wallets, screenshots, files, Telegram, etc. (Figure 26).
The stealer also grabs the files from the folder “Windows.old” which stores the backup copy of the previous Windows installation if applicable (Figure 27).
This grabber function searches for crypto wallets under AppData\Roaming, for example leveldb files that store the private keys (Figure 28).
Figure 29 shows the grabber function for the Telegram tdata folder; placing a copied tdata folder next to the Telegram Desktop client would let the attacker authenticate into the victim's Telegram.
Just like other stealers such as Redline, Raccoon Stealer, and Vidar Stealer, Aurora Stealer has two modules: grabber and loader. The grabber module retrieves the files or folders specified by an attacker. The gathered files/folders are then archived in a zip file named temp.zip, stored under %userprofile% (Figures 30-31).
The “END_PACKET_ALL_SEND” message is likely used for debugging logs.
The stealer stores the loader (Figure 32), grabber, and general configuration information within the build in base64-encoded form (Figure 33). The loader module has two options:
The Loader module, where:
The loader's downloader module pulls an executable from the file-hosting server at the end of the stealer's execution and places it under the %temp% folder. The stealer then executes the secondary payload using the Start-Process PowerShell cmdlet, as shown in Figure 34.
The Grabber module configuration contains the path specified by an attacker to grab certain files/folders from. The “FoF” parameter is likely a marker for whether a file/folder grabber is specified (Figure 35).
Aurora Stealer stores its build configuration at the end of the binary in the base64-encoded format (Figure 36). However, the configuration will likely be stripped if the stealer is encrypted.
We wrote a configuration extractor script in Python for Aurora Stealer that looks for base64-encoded patterns within the binary.
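As an added illustration of the approach described above (this is not TRU's extractor script, which is not reproduced on this page), the following Python scans a byte blob for long base64 runs, keeps only those that decode to a JSON object, and pulls an IP:port pair out of them. The sample "binary" and the configuration key names (BuildID, BuildGroup, IP, Port) are constructed assumptions for the example, not Aurora's real schema.

```python
import base64
import binascii
import json
import re

# Constructed sample: fake header bytes, a Go build ID string, some filler,
# then a base64-encoded JSON blob appended at the end, mimicking where Aurora
# keeps its build configuration. The key names are assumptions.
SAMPLE_CONFIG = {
    "BuildID": "test-build",
    "BuildGroup": "test-group",
    "IP": "203.0.113.10",   # documentation-range address, not a real C2
    "Port": "8081",
}
SAMPLE_BINARY = (
    b"MZ\x90\x00" + b"\x00" * 64
    + b'Go build ID: "abc"' + b"\xcc" * 32
    + base64.b64encode(json.dumps(SAMPLE_CONFIG).encode("utf-8"))
    + b"\x00" * 8
)

# A run of base64 alphabet at least 32 characters long (whole 4-char groups),
# optionally terminated by a padded final group.
B64_RUN = re.compile(
    rb"(?:[A-Za-z0-9+/]{4}){8,}(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?"
)


def extract_base64_json(blob: bytes):
    """Return (offset, dict) for every base64 run that decodes to a JSON object."""
    found = []
    for match in B64_RUN.finditer(blob):
        run = match.group(0)
        try:
            decoded = base64.b64decode(run, validate=True)
            obj = json.loads(decoded.decode("utf-8"))
        except (binascii.Error, UnicodeDecodeError, ValueError):
            # Not valid base64, not UTF-8, or not JSON: skip this run.
            continue
        if isinstance(obj, dict):
            found.append((match.start(), obj))
    return found


def extract_c2(blob: bytes):
    """Collect IP:port pairs from every decoded config (key names assumed)."""
    endpoints = []
    for _, cfg in extract_base64_json(blob):
        if "IP" in cfg and "Port" in cfg:
            endpoints.append(f"{cfg['IP']}:{cfg['Port']}")
    return endpoints


if __name__ == "__main__":
    for offset, cfg in extract_base64_json(SAMPLE_BINARY):
        print(f"config at offset {offset}: {cfg}")
    print("C2 endpoints:", extract_c2(SAMPLE_BINARY))
```

Requiring the decoded bytes to parse as a JSON object filters out the many base64-looking runs a Go binary contains (long identifiers, hashes), and the offset lets an analyst confirm the hit sits at the end of the file as the report describes; a crypted sample will, as noted above, typically yield no hits.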
The function main_ConnectToServer attempts to connect to the C2 server while printing log messages; if the connection is unsuccessful, it sleeps for one second and retries (Figure 37).
If the connection is successful, the function exits with code “666” and the log message “BLACK ZONE”.
The main_PathTrans function replaces placeholder strings such as ^user^, ^document^, and ^desktop^ within the Grabber configuration with the corresponding %userprofile%, Documents, and Desktop paths (Figure 38).
In March 2023, the stealer developer released the first update since October 2022, as shown in Figure 39.
One of the major changes is the stealer's ability to grab FTP (FileZilla) and RDP credentials, as well as the ability to change the ports used for the stealer's panel and C2 communications and to specify file extensions and disk drives for the grabber module (Figures 40-41).
Besides the WMIC commands mentioned at the beginning of this report, the stealer developer added two new commands that run upon execution of the malware:
Upon execution of the stealer, PowerShell processes are spawned to copy browsing data such as cookies, history, and credentials to a randomly named folder under the AppData\Local\Temp directory; an example command:
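The reconnaissance via wmic.exe described at the start of the report and the PowerShell staging of browser data into AppData\Local\Temp described above both leave process-creation telemetry. The following Python is an added detection example (not TRU's detection content) that labels such events in a batch of Sysmon/EDR-style records. The event field names and the sample command lines are constructed for the example, not copied from the report's figures; the browser store file names (Login Data, Cookies, Web Data, History) are the standard Chromium profile files.

```python
import re

# Constructed process-creation events; none are taken from the report's
# figures. Field names (parent, image, cmdline) are assumptions about the
# shape of an EDR/Sysmon export.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic os get Caption"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic path win32_VideoController get Name"},
    {"parent": r"C:\Users\victim\Downloads\fake-installer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": (r'powershell -c Copy-Item "C:\Users\victim\AppData\Local\Google\Chrome'
                 r'\User Data\Default\Login Data" "C:\Users\victim\AppData\Local\Temp\q7x2k1\"')},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -c Get-Date"},
]

# WMI classes/aliases matching the OS, processor and video controller
# enumeration the report describes (assumed set for the example).
WMIC_RECON = re.compile(r"\b(os|cpu|win32_videocontroller)\b", re.IGNORECASE)
# Chromium profile files holding credentials, cookies and history.
BROWSER_STORES = re.compile(r"\\(Login Data|Cookies|Web Data|History)\b", re.IGNORECASE)
TEMP_DEST = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def is_wmic_recon(event: dict) -> bool:
    """wmic.exe launched from cmd.exe and querying OS/CPU/GPU classes."""
    return (_basename(event["image"]) == "wmic.exe"
            and _basename(event["parent"]) == "cmd.exe"
            and WMIC_RECON.search(event["cmdline"]) is not None)


def is_browser_data_copy(event: dict) -> bool:
    """powershell.exe referencing a browser store and a %temp% destination."""
    return (_basename(event["image"]) == "powershell.exe"
            and BROWSER_STORES.search(event["cmdline"]) is not None
            and TEMP_DEST.search(event["cmdline"]) is not None)


def classify(events):
    """Return (index, label) for every event that matches one of the patterns."""
    labels = []
    for idx, event in enumerate(events):
        if is_wmic_recon(event):
            labels.append((idx, "wmic_recon"))
        elif is_browser_data_copy(event):
            labels.append((idx, "browser_data_copy"))
    return labels


def triage(events) -> bool:
    """Escalate only when recon and browser-store staging both occur in the batch."""
    kinds = {label for _, label in classify(events)}
    return {"wmic_recon", "browser_data_copy"} <= kinds


if __name__ == "__main__":
    for idx, label in classify(SAMPLE_EVENTS):
        print(f"event {idx}: {label} -> {SAMPLE_EVENTS[idx]['cmdline']}")
    print("escalate:", triage(SAMPLE_EVENTS))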
Aurora Stealer uses port 8081 by default for communication with the C2 server, so before installing the stealer on the attacker's server, port 8081 must be opened in the firewall for incoming traffic (Figure 42).
The stealer logs are sent to the C2 server in JSON format, GZIP-compressed and base64-encoded. The stealer logs are stored in the Aurora build folder in the format [Country]HWID_BuildID (Figures 43-44).
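To show what the described wire format and log-folder naming look like in practice, here is an added Python example (not code from the report or from the malware) that builds a payload in the JSON, GZIP, base64 layering, decodes it back with a gzip-magic check, and parses a [Country]HWID_BuildID folder name. The record's field names, the two-letter country code and the GUID-shaped HWID are assumptions for the example.

```python
import base64
import gzip
import json
import re

# Constructed sample log record; field names are assumptions, not Aurora's
# real schema. Only the JSON -> gzip -> base64 layering follows the report.
SAMPLE_RECORD = {
    "country": "US",
    "hwid": "1b4e28ba-2fa1-11d2-883f-0016d3cca427",   # MachineGuid-style value
    "build_id": "test-build",
    "cookies_detected": 12,
    "passwords_detected": 3,
}


def encode_log(record: dict) -> str:
    """Produce a payload in the described wire format (used here to build test input)."""
    compressed = gzip.compress(json.dumps(record).encode("utf-8"))
    return base64.b64encode(compressed).decode("ascii")


def decode_log(payload: str) -> dict:
    """Reverse the wire format, checking the gzip magic before decompressing."""
    raw = base64.b64decode(payload, validate=True)
    if raw[:2] != b"\x1f\x8b":
        raise ValueError("payload is not gzip after base64 decoding")
    return json.loads(gzip.decompress(raw).decode("utf-8"))


# Log folder naming from the report: [Country]HWID_BuildID. A two-letter
# country code and a 36-character GUID for HWID are assumed.
FOLDER_RE = re.compile(
    r"^\[(?P<country>[A-Z]{2})\](?P<hwid>[0-9A-Fa-f-]{36})_(?P<build_id>.+)$"
)


def log_folder_name(record: dict) -> str:
    """Build the folder name the panel would use for this record."""
    return f"[{record['country']}]{record['hwid']}_{record['build_id']}"


def parse_log_folder(name: str):
    """Split a folder name into its parts, or return None if it does not fit."""
    match = FOLDER_RE.match(name)
    return match.groupdict() if match else None


if __name__ == "__main__":
    wire = encode_log(SAMPLE_RECORD)
    print("wire payload:", wire[:40] + "...")
    print("decoded:", decode_log(wire))
    print("folder:", parse_log_folder(log_folder_name(SAMPLE_RECORD)))
```

When applied to captured traffic on port 8081, the gzip-magic check separates genuine stealer logs from unrelated base64 blobs before any decompression is attempted.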
The cache folder contains the database files extracted from the infected host with cookies and credentials in the encrypted format as well as debug logs (Figure 45).
The attacker(s) can also configure the stealer to send its logs via Telegram (Figure 46), where CDD stands for “Cookies Detected” and PDD for “Passwords Detected”.
Our Threat Response Unit (TRU) combines threat intelligence gained from research and security incidents to create practical outcomes for our customers. We are taking a comprehensive response approach to combat modern cybersecurity threats by deploying countermeasures, such as:
Our detection content is supported by investigation runbooks, ensuring our SOC (Security Operations Center) analysts respond rapidly to any intrusion attempts related to known malware Tactics, Techniques, and Procedures. In addition, TRU closely monitors the threat landscape, constantly addresses capability gaps, and conducts retroactive threat hunts to assess customer impact.
We recommend implementing the following controls to help secure your organization against Aurora Stealer malware:
As the TTPs used by threat actor(s) grow in sophistication, they create difficult situations in which critical business decisions must be made. Preventing the various attack techniques and tactics used by modern threat actors requires actively monitoring the threat landscape, developing and deploying endpoint detections, and being able to investigate logs and network data during active intrusions.
eSentire’s TRU is a world-class team of threat researchers who develop new detections enriched by original threat intelligence and leverage new machine learning models that correlate multi-signal data and automate rapid response to advanced threats.
```yara
rule AuroraStealer
{
    meta:
        author = "eSentire Threat Intelligence"
        description = "Detects the Build/Group IDs if present / detects an unobfuscated AuroraStealer binary; tested on version 22.12.2022 and March 2023 update"
        date = "3/24/2023"
    strings:
        $b1 = { 48 8D 0D ?? ?? 04 00 E8 ?? ?? EF FF }
        $b2 = { 48 8D 0D ?? ?? 05 00 E8 ?? ?? EF FF }
        $ftp = "FOUND FTP"
        $go = "Go build ID"
        $machineid = "MachineGuid"
    condition:
        3 of them
}
```
| MITRE ATT&CK Tactic | ID | MITRE ATT&CK Technique | Description |
| --- | --- | --- | --- |
| Reconnaissance | T1592 | Gather Victim Host Information | During initial execution, Aurora Stealer gathers the information on the OS, processor name and video controller |
| Initial Access | T1189 | Drive-by Compromise | Aurora Stealer is delivered via a website hosting a fake software installer |
| Defense Evasion | T1027.001 | Binary Padding | Aurora Stealer contains the file pump feature upon creating the build to add null bytes to the stealer payload |
| Credential Access | T1555 | Credentials from Web Browsers | Aurora Stealer steals sensitive data from browsers including credentials, cookies and saved credit cards as well as FTP and RDP credentials |
| Discovery | T1082 | System Information Discovery | The stealer enumerates the host for hardware and geographical information as well as the screen size |
| Collection | T1113 | Screen Capture | The stealer takes the screenshot from the infected machine and sends it to the C2 |
| Exfiltration | T1020 | Automated Exfiltration | The stealer automatically exfiltrates the gathered files to C2. File grabbing options can be customized by an attacker |
| Name | Indicators |
| --- | --- |
| Aurora Stealer | 306fc85ff1c7e06f631c37d60d4ad98b |
| Aurora Stealer | da1548613d5fa9520931952675f92ca9 |
| Aurora Stealer | 16b349b80ef9e6d6a86e768b4e01fc4c |
| Aurora Stealer | aa349ad45bb48e85b5cd1b55308ae835353859219f28ece9685c8ae552e8e63a |
| C2 | 212.87.204.93:8081 |
| C2 | 185.106.93.245:8081 |
| C2 | 185.106.93.135:8081 |
| C2 | 195.123.218.52:8081 |