Aurora Stealer

Banking

Info Stealing

Windows

Aurora Stealer

Aurora Stealer is an information stealer written in Go that harvests data from infected systems, including browser data, cryptocurrency wallets, and local files. It can also act as a loader, dropping additional malware on compromised machines. Its adaptability and evolving techniques make it a notable player in the threat landscape.

Key Insights

Aurora Stealer was released in 2022 and quickly gained popularity among cybercriminals because of its ease of use and versatility. Written in Go, a language known for its cross-platform capabilities, Aurora can be built for multiple operating systems, which widens its pool of potential victims. Its modularity lets attackers customize its functionality, which is why it is a favorite among many threat actors.

Distribution

The malware is distributed through deceptive means, chiefly phishing websites that impersonate legitimate applications. These sites trick users into downloading the malware, which then compromises the system. Aurora is also spread through fake advertisements for popular software, further widening its reach.

Functionalities

Once executed, Aurora Stealer collects a wide range of data, including browser cookies, saved passwords, and cryptocurrency wallet information. It compresses the data and exfiltrates it to a command-and-control server operated by the attacker. Its loader functionality allows it to drop additional malware, compounding the damage to the infected system.

Known Variants

Aurora Stealer is sold as Malware-as-a-Service (MaaS) on underground forums, so different threat actors have built their own versions. No specific variant names are publicly documented, but the MaaS model implies multiple builds tailored to different campaigns.

Mitigation Strategies

  • Block access to known malicious domains through DNS filtering.

  • Enable multi-factor authentication to secure accounts.

  • Back up data regularly to minimize data loss.

  • Educate users to recognize and avoid phishing websites and suspicious ads.

Targeted Industries or Sectors

The malware targets individuals involved in cryptocurrency transactions, since it steals wallet information. It also targets IT professionals and organizations via phishing websites and malicious ads, exploiting their access to sensitive data.

Associated Threat Actors

Aurora Stealer is used by many cybercriminal groups; at least 7 of them are listed on dark web forums. These groups deploy Aurora either alone or alongside other info-stealers such as RedLine and Raccoon to maximize their data theft.
