"YouTube Videos Using Highly Evasive Loader to Distribute Aurora Stealer Malware"

Cybersecurity researchers have detailed the inner workings of the evasive loader known as "in2al5d p3in4er" that is used to deliver the Aurora information-stealing malware. According to a report from the cybersecurity company Morphisec, the loader is compiled with Embarcadero RAD Studio and targets endpoint workstations with an advanced anti-VM (virtual machine) technique. Aurora, a Go-based information stealer that first appeared in late 2022, is offered to other attackers as commodity malware. It is distributed via YouTube videos and Search Engine Optimization (SEO) poisoning, with websites offering fake cracked software downloads. When a victim clicks on a link in a YouTube video description, they are redirected to a fake website where they are persuaded to download malware posing as a useful tool. The loader examined by Morphisec queries the vendor ID of the installed graphics card and compares it to a list of allowlisted vendor IDs (i.e., AMD, Intel, or NVIDIA). If the value does not match, the loader terminates itself. The loader ultimately uses the process hollowing technique to decode the final payload and inject it into the legitimate process "sihost.exe." The research highlights that the threat actors behind the in2al5d p3in4er loader are using social engineering techniques for a high-impact campaign in which YouTube serves as a malware distribution channel. This article continues to discuss attackers using YouTube to deliver the in2al5d p3in4er loader and Aurora information-stealing malware.
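As an added example, not part of the CyberIntelMag summary or the Morphisec report: a PowerShell check a sandbox operator can run inside a Windows analysis VM to learn whether the guest exposes a display adapter from one of the vendors the loader allowlists, and so whether the sample would get past this anti-VM gate or exit before detonating. The function names and the PCI vendor IDs (0x1002 AMD, 0x8086 Intel, 0x10DE NVIDIA) are my assumptions; the loader's exact comparison is not described on the page.

```powershell
# Added example (not from the Morphisec report): does this Windows analysis VM
# expose a display adapter from a vendor the loader allowlists (AMD, Intel,
# NVIDIA)? The PCI vendor IDs below are the standard registered ones; that the
# loader compares against exactly these values is an assumption.
$AllowlistedVendors = @{
    '1002' = 'AMD'
    '8086' = 'Intel'
    '10DE' = 'NVIDIA'
}

function Get-DisplayAdapterVendor {
    # Enumerate every video controller the guest OS can see and pull the PCI
    # vendor ID out of its PNP device ID (e.g. PCI\VEN_10DE&DEV_1C82&...).
    # Virtual adapters such as Hyper-V's VMBUS video device carry no VEN_ field
    # and VMware/VirtualBox adapters carry other vendor IDs, so none of them
    # satisfy the allowlist.
    Get-CimInstance -ClassName Win32_VideoController | ForEach-Object {
        $vendorId = $null
        if ($_.PNPDeviceID -match 'VEN_([0-9A-Fa-f]{4})') {
            $vendorId = $Matches[1].ToUpper()
        }
        $allowed = [bool]($vendorId -and $AllowlistedVendors.ContainsKey($vendorId))
        [pscustomobject]@{
            Name        = $_.Name
            PNPDeviceID = $_.PNPDeviceID
            VendorID    = $vendorId
            Vendor      = if ($allowed) { $AllowlistedVendors[$vendorId] } else { 'not allowlisted' }
            Allowlisted = $allowed
        }
    }
}

function Test-GpuVendorAllowlisted {
    # True if at least one adapter would pass the loader's check, meaning the
    # sample would continue to the process-hollowing stage in this VM.
    $adapters = @(Get-DisplayAdapterVendor)
    $adapters | Format-Table Name, VendorID, Vendor, Allowlisted -AutoSize | Out-String | Write-Host
    return @($adapters | Where-Object Allowlisted).Count -gt 0
}

if (Test-GpuVendorAllowlisted) {
    Write-Host 'At least one allowlisted GPU vendor is visible: the loader would continue.'
} else {
    Write-Host 'No allowlisted GPU vendor visible: the loader would exit before delivering Aurora.'
}
```

If the check reports no allowlisted vendor, the sandbox needs a passthrough or emulated adapter that presents one of these vendor IDs before the sample will reveal its later stages.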

CyberIntelMag reports "YouTube Videos Using Highly Evasive Loader to Distribute Aurora Stealer Malware"
