Threat Actors Leveraging Popular Applications To Target Users
Threat Actors (TAs) are increasingly using phishing sites to trick victims into disclosing sensitive information or downloading malware such as information stealers, Remote Access Trojans (RATs), and other malicious payloads. The links to these phishing pages are often distributed via email, online ads, and other channels. Cyble Research and Intelligence Labs (CRIL) regularly monitors and reports on such phishing campaigns. Aurora Stealer is the latest example we have encountered: we observed it using phishing sites that imitate popular applications in order to infect the maximum possible number of victims.
Shapeshifting Behavior
Cyble Research and Intelligence Labs (CRIL) initially identified a phishing site, “hxxps[:]//messenger-download[.]top”, that was impersonating a legitimate chat application website on January 16th, 2023.
The next day, January 17th, 2023, the same phishing site was found to be mimicking a legitimate TeamViewer website, showing that the threat actors behind this campaign are actively changing and customizing their phishing websites to target multiple popular applications.
The initial infection occurs when the user clicks on the “Download” button on the phishing website, which then downloads malware named “messenger.exe” and “teamviewer.exe” from the following URLs:
- hxxps[:]//download[.]balint[.]info[.]hu/messenger[.]exe
- hxxps[:]//kodfem[.]hemsida[.]eu/downloads/teamviewer[.]exe
The image below shows the phishing site downloading Aurora stealer with the file name “teamviewer.exe”.

The downloaded “messenger.exe” and “teamviewer.exe” files are actually malicious Aurora Stealer samples that have been padded with extra zero bytes at the end to inflate their size to around 260MB. TAs use this method to evade detection by antivirus software, as very large files can exceed the size limits that some AV engines and sandboxes apply when scanning.
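As an added triage example (not code from the original report), the script below strips trailing zero padding from a sample and hashes both the padded and the stripped file, which is how the “removed zero padding” hashes in an IOC table are matched back to the original build. The sample bytes are constructed; the 50% padding threshold is an assumption chosen to avoid flagging the few alignment zeros a normal PE file ends with.

```python
import hashlib
from typing import Dict

# Threshold: only report padding when trailing NULs make up at least this
# fraction of the file. Ordinary PE section alignment adds a few hundred
# zero bytes at most, so a 50% share is a strong padding signal (assumed value).
PADDING_RATIO_THRESHOLD = 0.5

def strip_zero_padding(data: bytes) -> bytes:
    """Remove trailing 0x00 bytes appended after the real executable.

    Caveat: genuine trailing zeros of the original build are removed too,
    so the stripped hash may differ slightly from the pristine build hash.
    """
    return data.rstrip(b"\x00")

def padding_report(data: bytes) -> Dict[str, object]:
    """Hash a sample both as delivered and with its zero padding removed."""
    stripped = strip_zero_padding(data)
    padding = len(data) - len(stripped)
    ratio = padding / len(data) if data else 0.0
    return {
        "padded_size": len(data),
        "stripped_size": len(stripped),
        "padding_bytes": padding,
        "padding_ratio": round(ratio, 4),
        "is_padded": ratio >= PADDING_RATIO_THRESHOLD,
        "padded_sha256": hashlib.sha256(data).hexdigest(),
        "stripped_sha256": hashlib.sha256(stripped).hexdigest(),
    }

# Constructed sample: an "MZ" stand-in header, fake code bytes, then 64 KiB
# of trailing zeros (real samples are inflated to roughly 260 MB).
SAMPLE = b"MZ" + b"\x90" * 126 + bytes(range(1, 129)) + b"\x00" * 65536

if __name__ == "__main__":
    for key, value in padding_report(SAMPLE).items():
        print(f"{key:>16}: {value}")
```

Run it against a real dropper by replacing SAMPLE with the file's bytes; the stripped hash is the one to search for in threat-intel feeds.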
Aurora is a type of malware that aims to steal personal information; it targets data from web browsers, crypto wallets, browser extensions, Telegram, and specific user directories.
After gathering all the necessary information, it saves the data in JSON format, compresses it using GZIP, and converts it into Base64 encoding format before sending it to the Command-and-Control (C&C) server.
We have analyzed and explained the detailed behavior of Aurora in the Technical Analysis section.
Technical Analysis
We used the following sample for our analysis (SHA256: fd17b39833ee0fae6cc8549dfa602adff3cf002cd0a0ef8fa63876ec50a74552), which is a 32-bit Golang executable. The unique build ID of the Go-compiled binary is shown below.

Upon execution, the malware attempts to identify whether it is running in a WINE environment by checking for the wine_get_version() function via the GetProcAddress() API. It then uses Windows Management Instrumentation (WMI) commands to gather system information, including the operating system’s name, the graphics card’s name, and the processor’s name:
- wmic os get Caption: returns the caption (name) of the operating system
- wmic path win32_VideoController get name: returns the name of the video controller (graphics card)
- wmic cpu get name: returns the name of the processor
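As an added detection example (not from the original report), the function below scans process-creation events for the three WMIC queries above and alerts when one parent process issues at least two of them within a short window, which separates stealer-style fingerprinting from a lone administrative query. The log format, the 60-second window and the sample events are all constructed for this illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# The three WMIC queries the stealer issues after its WINE check; matching is
# case-insensitive and tolerant of extra whitespace.
RECON_QUERIES = {
    "os": re.compile(r"\bos\s+get\s+caption\b", re.I),
    "gpu": re.compile(r"\bpath\s+win32_videocontroller\s+get\s+name\b", re.I),
    "cpu": re.compile(r"\bcpu\s+get\s+name\b", re.I),
}
WINDOW_SECONDS = 60  # assumed correlation window

def parse_line(line: str) -> Tuple[datetime, str, str, str]:
    """Constructed log format: 'ISO-time|parent_image|image|command_line'."""
    ts, parent, image, cmd = line.rstrip("\n").split("|", 3)
    return datetime.fromisoformat(ts), parent, image, cmd

def detect_wmi_recon(lines: List[str], min_hits: int = 2) -> Dict[str, List[str]]:
    """Return {parent_image: sorted query kinds} for parents that ran at least
    min_hits distinct stealer-style WMIC queries within WINDOW_SECONDS."""
    seen: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for line in lines:
        ts, parent, image, cmd = parse_line(line)
        if not image.lower().endswith("wmic.exe"):
            continue
        for kind, pattern in RECON_QUERIES.items():
            if pattern.search(cmd):
                seen[parent].append((ts, kind))
    alerts: Dict[str, List[str]] = {}
    for parent, events in seen.items():
        events.sort()  # order by timestamp so the window starts at the first hit
        first = events[0][0]
        kinds = sorted({k for t, k in events if (t - first).total_seconds() <= WINDOW_SECONDS})
        if len(kinds) >= min_hits:
            alerts[parent] = kinds
    return alerts

# Constructed events: a dropper under Downloads firing all three queries,
# followed by a single benign OS query from an admin shell.
WMIC = "C:\\Windows\\System32\\wbem\\WMIC.exe"
STEALER = "C:\\Users\\bob\\Downloads\\teamviewer.exe"
SAMPLE_LOG = [
    f"2023-01-17T10:02:11|{STEALER}|{WMIC}|wmic os get Caption",
    f"2023-01-17T10:02:12|{STEALER}|{WMIC}|wmic path win32_VideoController get name",
    f"2023-01-17T10:02:12|{STEALER}|{WMIC}|wmic cpu get name",
    f"2023-01-17T10:05:00|C:\\Windows\\System32\\cmd.exe|{WMIC}|wmic os get Caption",
]
```

Feed it Sysmon Event ID 1 or EDR process-creation records converted to the same four fields; `detect_wmi_recon(SAMPLE_LOG)` flags only the Downloads-path parent.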
After gathering the system details, the malware proceeds to collect additional information about the system, such as the username, Hardware Identification (HWID), Random-Access Memory (RAM) size, screen resolution, and IP address, as shown below.

After collecting system information, the malware queries the directories of the browsers installed on the victim’s machine and searches for specific browser-related files stored in SQLite 3 format, including:
- Cookies
- History
- Login Data
- Web Data
Then, the stealer begins to extract information related to crypto wallets by querying and reading files from specific directories. The stealer targets the following crypto wallets:
- “\\AppData\\Roaming\\Armory”
- “\\AppData\\Roaming\\bytecoin”
- “\\AppData\\Roaming\\Exodus”
- “\\AppData\\Roaming\\Ethereum\\keystore”
- “\\AppData\\Roaming\\Electrum\\wallets”
- “\\AppData\\Roaming\\com.liberty.jaxx\\IndexedDB”
- “\\AppData\\Roaming\\Guarda\\Local Storage\\leveldb”
- “\\AppData\\Roaming\\Atomic\\Local Storage\\leveldb”
- “\\AppData\\Roaming\\Zcash\\User Data\\Local State”
In addition to accessing crypto wallets through specific directories, Aurora stealer also steals data from crypto wallet browser extensions. These extensions are hard-coded into the stealer binary, and over 100 extensions have been targeted. Some of the targeted extensions are shown in the image below.

The malware continues its data collection by searching for FTP client software, Telegram, Discord, and Steam on the victim’s machine and stealing sensitive information from their configuration and session data files. It also grabs specific files from directories such as Desktop and Documents and takes screenshots of the victim’s system.
Finally, the Aurora stealer processes the stolen information by converting it into JSON format, creating a GZIP archive of it, and encoding the GZIP archive in Base64 format for exfiltration. The figure below illustrates the structure of the JSON content that is used by the malware to store the stolen information.

The table below describes the keys of the JSON content.
Key | Description |
Type | Type of the stolen data (Browser, Screenshot, files, etc.) |
Info.Name | Victim’s device name |
Info.BuildID | Build name used by the TA |
Info.GroupID | Group ID used by the TA |
Info.OS | Operating system version |
Info.HWID | Victim’s machine hardware ID |
Info.GPU | Graphics card information |
Info.CPU | Processor information |
Info.RAM | RAM size |
Info.Location | Malware file path |
Info.Screen | Victim’s machine screen resolution |
Info.IP | Victim’s system IP (always empty) |
Browser | Browser name (Chrome, Brave, Edge, etc.) |
Cache | Base64-encoded content of the stolen file |
Type_Grab | Target file info (Cookie, Password, etc.) |
FileP | Target browser file (Cookies, Login Data, etc.) |
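As an added analysis example (not code from the original report), the helpers below reverse the packing described above (Base64, then GZIP, then JSON), validate the record against the key layout in the table, and produce a triage summary without decoding the stolen file content. The record shape, the sample values and the assumption that one record is one JSON object are constructed for this illustration.

```python
import base64
import gzip
import json
from typing import Any, Dict

# Key layout from the table above; nested Info keys listed separately.
TOP_KEYS = {"Type", "Info", "Browser", "Cache", "Type_Grab", "FileP"}
INFO_KEYS = {"Name", "BuildID", "GroupID", "OS", "HWID", "GPU", "CPU", "RAM",
             "Location", "Screen", "IP"}

def decode_exfil(blob: str) -> Dict[str, Any]:
    """Reverse the stealer's packing: Base64 -> GZIP -> JSON."""
    raw = gzip.decompress(base64.b64decode(blob))
    return json.loads(raw.decode("utf-8"))

def encode_exfil(record: Dict[str, Any]) -> str:
    """Forward direction, used here only to build a constructed sample."""
    packed = gzip.compress(json.dumps(record).encode("utf-8"))
    return base64.b64encode(packed).decode("ascii")

def summarize(record: Dict[str, Any]) -> Dict[str, Any]:
    """Triage view: schema check, what was grabbed, and the size of the
    embedded file, without exposing the stolen content itself."""
    cache = record.get("Cache", "")
    info = record.get("Info", {})
    return {
        "schema_ok": TOP_KEYS <= set(record) and INFO_KEYS <= set(info),
        "type": record.get("Type"),
        "browser": record.get("Browser"),
        "grab": record.get("Type_Grab"),
        "file": record.get("FileP"),
        "stolen_bytes": len(base64.b64decode(cache)) if cache else 0,
        "malware_path": info.get("Location"),
        "ip_empty": info.get("IP") == "",  # the report notes IP is always empty
    }

# Constructed sample record following the table's key layout (assumed shape).
SAMPLE_RECORD = {
    "Type": "Browser",
    "Info": {"Name": "DESKTOP-EXAMPLE", "BuildID": "build1", "GroupID": "grp1",
             "OS": "Microsoft Windows 10 Pro", "HWID": "EXAMPLE-HWID", "GPU": "Example GPU",
             "CPU": "Example CPU", "RAM": "8192", "Screen": "1920x1080", "IP": "",
             "Location": "C:\\Users\\bob\\Downloads\\teamviewer.exe"},
    "Browser": "Chrome",
    "Cache": base64.b64encode(b"SQLite format 3\x00" + b"\x00" * 48).decode("ascii"),
    "Type_Grab": "Cookie",
    "FileP": "Cookies",
}
SAMPLE_BLOB = encode_exfil(SAMPLE_RECORD)
```

Apply `summarize(decode_exfil(blob))` to a body captured from the C&C session to see which browser files left the host before deciding on credential resets.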
Command & Control
Aurora Stealer communicates with the below C&C server IP (port 8081) and sends the stolen information.
- 45[.]15[.]156[.]210:8081
The below figure shows the network communication of the malware’s data exfiltration.

Conclusion
Information stealers are a form of malware that pose a significant threat to corporate networks by allowing unauthorized access. TAs employ various methods to deliver malware to their victims. In this case, we have observed that they are using phishing websites that mimic legitimate messenger sites to deliver Aurora Stealer.
Recently, we have seen a rise in the number of malware samples padded with unnecessary data to increase their size in order to evade detection. This technique was also observed in other stealers, such as RedLine, Vidar, and RecordBreaker.
Cyble Research and Intelligence Labs (CRIL) will continue monitoring the new malware strains and phishing campaigns in the wild and update blogs with actionable intelligence to protect users from such notorious attacks.
Our Recommendations
- The initial infection may happen via phishing websites, so enterprises should use security products to detect phishing websites.
- Avoid downloading pirated software from Warez/Torrent websites. The so-called “hack tools” promoted on sites such as YouTube, torrent sites, etc., frequently contain such malware.
- Use strong passwords and enforce multi-factor authentication wherever possible.
- Turn on the automatic software update feature on your computer, mobile, and other connected devices.
- Use a reputed antivirus and internet security software package on your connected devices, including PC, laptop, and mobile.
- Refrain from opening untrusted links and email attachments without first verifying their authenticity.
- Educate employees on protecting themselves from threats like phishing/untrusted URLs.
- Block URLs that could be used to spread the malware, e.g., Torrent/Warez.
- Monitor beaconing at the network level to detect and block data exfiltration by malware or TAs.
MITRE ATT&CK® Techniques
Tactic | Technique ID | Technique Name |
Execution | T1204 | User Execution |
Execution | T1059 | Command and Scripting Interpreter |
Execution | T1047 | Windows Management Instrumentation |
Defense Evasion | T1027 | Obfuscated Files or Information |
Defense Evasion | T1497 | Virtualization/Sandbox Evasion |
Credential Access | T1003 | OS Credential Dumping |
Credential Access | T1056 | Input Capture |
Credential Access | T1552 | Credentials in Registry |
Discovery | T1082 | System Information Discovery |
Discovery | T1518 | Security Software Discovery |
Discovery | T1083 | File and Directory Discovery |
Discovery | T1087 | Account Discovery |
Collection | T1005 | Data from Local System |
Command and Control | T1071 | Application Layer Protocol |
Command and Control | T1095 | Non-Application Layer Protocol |
Indicators of Compromise (IOCs)
Indicators | Indicator Type | Description |
b810b7d416251367ef790bc9a8a9830a69760ba5c1b83055e9a0647270629d9c | Sha256 | messenger.exe |
fd17b39833ee0fae6cc8549dfa602adff3cf002cd0a0ef8fa63876ec50a74552 | Sha256 | messenger.exe removed zero padding |
44b64cb2be0a5e9fd51528f00a308df71ead226c7cf733ed2568ada07c9044a8 | Sha256 | teamviewer.exe |
c7f43e2afe62a622f77f888f56712a41aec56d5a765a95585f69e870359119c9 | Sha256 | teamviewer.exe removed zero padding |
hxxps[:]//messenger-download[.]top | Domain | Phishing site |
hxxps[:]//download[.]balint[.]info[.]hu/messenger[.]exe | URL | Malware download URL |
hxxps[:]//kodfem[.]hemsida[.]eu/downloads/teamviewer[.]exe | URL | Malware download URL |
45[.]15[.]156[.]210:8081 | IP: Port | C&C |