"Hot Ticket: 'Aurora' Go-Based Info-Stealer Finds Favor Among Cyber-Threat Actors"

Cybercriminal organizations are increasingly using Aurora, an information stealer built on the Go open-source programming language, to target data from browsers, cryptocurrency wallets, and local systems. Sekoia's research team discovered at least seven malicious actors, known as "traffers," who added Aurora to their information stealer tools. It is also being used with the Redline or Raccoon information stealers in some cases. According to the report, over 40 cryptocurrency wallets and applications such as Telegram have been successfully targeted thus far, with Aurora's relatively unknown status and evasive nature serving as tactical advantages.

Aurora was discovered in July, and it is suspected to have been promoted on Russian-speaking forums since April, where its remote access features and advanced information-stealing capabilities were highlighted. Hundreds of collected samples and dozens of active command-and-control (C2) servers helped to confirm Sekoia's previous prediction that Aurora stealer would become a common information-stealer in October and November 2022. The Aurora stealer is becoming a prominent threat as multiple threat actors, including traffers teams, add the malware to their arsenal.

According to the report, cybercriminal threat actors have been spreading it through multiple infection chains, including phishing websites masquerading as legitimate, YouTube videos, and fake "free software catalog" websites. The company's analysis also identifies two infection chains currently distributing the Aurora stealer in the wild, one via a phishing site impersonating Exodus Wallet and the other via a YouTube video from a stolen account demonstrating how to install cracked software for free.

The malware gathers a list of directories to search for files of interest using a simple file-grabber configuration. It then communicates via Transmission Control Protocol (TCP) connections on ports 8081 and 9865, with 8081 being the most commonly available open port. The files that have been exfiltrated are then encoded in base64 and sent to the C2. This article continues to discuss findings surrounding the Aurora stealer.
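The two network details the summary gives (TCP to ports 8081 and 9865, base64-encoded file bodies) are enough to build a first-pass hunting check. The following is an added example, not code from the article or from Sekoia; the connection records and the byte threshold are constructed assumptions, and since 8081 is a common open port, a single-port hit is treated as low fidelity unless paired with the second port or a bulk upload.

```python
import base64
import json
from collections import defaultdict

# Constructed sample connection records (not from the article), one outbound
# TCP connection per line, in the shape a SIEM or Zeek-style export might give.
SAMPLE_CONN_LOG = [
    '{"src": "10.0.0.5", "dst": "203.0.113.10", "dport": 8081, "proto": "tcp", "out_bytes": 184320}',
    '{"src": "10.0.0.5", "dst": "203.0.113.10", "dport": 9865, "proto": "tcp", "out_bytes": 2048}',
    '{"src": "10.0.0.7", "dst": "198.51.100.4", "dport": 443, "proto": "tcp", "out_bytes": 900}',
    '{"src": "10.0.0.9", "dst": "192.0.2.33", "dport": 8081, "proto": "tcp", "out_bytes": 512}',
]

C2_PORTS = {8081, 9865}    # the two ports named in the report
BULK_THRESHOLD = 100_000   # bytes; an assumed value, tune it for the environment


def score_hosts(lines):
    """Return {src: reasons} for internal hosts whose outbound TCP traffic on the
    reported ports matches the exfiltration pattern. A lone hit on 8081 with
    little data is ignored, since that port is widely used legitimately."""
    per_host = defaultdict(lambda: {"ports": set(), "out_bytes": 0})
    for line in lines:
        rec = json.loads(line)
        if rec.get("proto") != "tcp" or rec["dport"] not in C2_PORTS:
            continue
        host = per_host[rec["src"]]
        host["ports"].add(rec["dport"])
        host["out_bytes"] += rec["out_bytes"]
    findings = {}
    for src, host in per_host.items():
        reasons = set()
        if host["ports"] == C2_PORTS:
            reasons.add("both-reported-ports")
        if host["out_bytes"] >= BULK_THRESHOLD:
            reasons.add("bulk-upload")
        if reasons:
            findings[src] = reasons
    return findings


def looks_like_base64_blob(payload: bytes, min_len: int = 64) -> bool:
    """Heuristic for a captured payload: strictly valid base64 and long enough
    to be a file body rather than a short token such as a session id."""
    if len(payload) < min_len:
        return False
    try:
        base64.b64decode(payload, validate=True)  # rejects non-alphabet bytes
    except ValueError:                            # binascii.Error subclasses it
        return False
    return True
```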

Dark Reading reports "Hot Ticket: 'Aurora' Go-Based Info-Stealer Finds Favor Among Cyber-Threat Actors"
