A growing number of cybercriminal groups are turning to an information stealer named Aurora, which is based on the Go open source programming language, to target data from browsers, cryptocurrency wallets, and local systems.
A research team at cybersecurity firm Sekoia discovered at least seven malicious actors, which it refers to as “traffers,” that have added Aurora into their infostealer arsenal. In some cases, it’s being used in conjunction with the Redline or Raccoon infostealers as well.
More than 40 cryptocurrency wallets, and applications like Telegram, have been successfully targeted so far, according to the report, which highlighted Aurora’s relative unknown status and elusive nature as tactical advantages.
Aurora was first discovered by the company in July and is thought to have been promoted on Russian-speaking forums since April, where its remote access features and advanced information-stealing capabilities were touted.
“In October and November 2022, several hundreds of collected samples and dozens of active C2 servers contributed to confirm SEKOIA.IO[‘s] previous assessment that Aurora stealer would become a prevalent infostealer,” the company’s blog post explained. “As multiple threat actors, including traffers teams, added the malware to their arsenal, Aurora Stealer is becoming a prominent threat.”
The report also noted that cybercriminal threat actors have been distributing it using multiple infection chains. These run the gamut from phishing websites masquerading as legitimate ones, to YouTube videos and fake “free software catalog” websites.
“These infection chains leverage phishing pages impersonating download pages of legitimate software, including cryptocurrency wallets or remote access tools, and the 911 method making use of YouTube videos and SEO-poised fake cracked software download websites,” the blog post continued.
The company’s analysis also highlights two infection chains currently distributing the Aurora stealer in the wild, one through a phishing site impersonating Exodus Wallet and another from a YouTube video from a stolen account on how to install cracked software for free.
The malware uses a simple file-grabber configuration to gather a list of directories to search for files of interest. It then communicates over a TCP connection on ports 8081 and 9865, with 8081 being the most widespread open port. The exfiltrated files are encoded in base64 and sent to the command-and-control (C2) server.
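The exfiltration pattern described above (outbound TCP to ports 8081 or 9865 carrying base64-encoded file contents) is the kind of behaviour a defender can hunt for in network telemetry. The following is an added example, not tooling from Sekoia or from the article; the log line format, the sample lines, the byte-size threshold and the scoring rule are all constructed assumptions for illustration. It scores each flow on three independent signals so that a single match (a legitimate service on port 8081, say) does not fire on its own.

```python
"""Heuristic detector for the Aurora-style exfiltration pattern described in the
article: outbound TCP to port 8081/9865 with a base64-encoded payload.
Added example; the log format and thresholds below are assumptions."""
import base64
import binascii
import re

# Ports the article associates with Aurora C2 traffic.
AURORA_PORTS = {8081, 9865}

# Constructed log format (assumption):
# "<ts> <src_ip> -> <dst_ip>:<dst_port> proto=<tcp|udp> bytes=<n> payload=<prefix>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>[\d.]+):(?P<port>\d+) proto=(?P<proto>\w+) "
    r"bytes=(?P<bytes>\d+) payload=(?P<payload>\S*)$"
)

# Constructed payload prefix: base64 of an arbitrary byte string, standing in
# for the first bytes of an exfiltrated file.
SAMPLE_PAYLOAD = base64.b64encode(b"constructed sample of stolen-file bytes" * 2).decode()

# Constructed sample telemetry (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    f"2022-11-22T10:15:01Z 10.0.0.5 -> 203.0.113.10:8081 proto=tcp bytes=120000 payload={SAMPLE_PAYLOAD}",
    "2022-11-22T10:15:02Z 10.0.0.5 -> 198.51.100.7:443 proto=tcp bytes=900 payload=GET/index.html",
    "2022-11-22T10:15:03Z 10.0.0.8 -> 192.0.2.20:9865 proto=tcp bytes=300 payload=PING",
]

def looks_base64(s, min_len=32):
    """True if s is a plausibly base64-encoded blob of at least min_len chars."""
    if len(s) < min_len or len(s) % 4 != 0:
        return False
    if not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", s):
        return False
    try:
        base64.b64decode(s, validate=True)
        return True
    except (binascii.Error, ValueError):
        return False

def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["port"] = int(ev["port"])
    ev["bytes"] = int(ev["bytes"])
    return ev

def score_event(ev, large_upload_bytes=50_000):
    """Return the list of independent signals this flow matches."""
    reasons = []
    if ev["proto"] == "tcp" and ev["port"] in AURORA_PORTS:
        reasons.append(f"dst port {ev['port']} associated with Aurora C2")
    if looks_base64(ev["payload"]):
        reasons.append("payload prefix is valid base64")
    if ev["bytes"] >= large_upload_bytes:  # threshold is an assumption
        reasons.append(f"large upload ({ev['bytes']} bytes)")
    return reasons

def detect(lines, min_reasons=2):
    """Alert on flows that match at least min_reasons signals."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        reasons = score_event(ev)
        if len(reasons) >= min_reasons:
            alerts.append({
                "ts": ev["ts"],
                "src": ev["src"],
                "dst": f"{ev['dst']}:{ev['port']}",
                "reasons": reasons,
            })
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert["ts"], alert["src"], "->", alert["dst"], "|", "; ".join(alert["reasons"]))
```

Only the first sample line trips the detector: it matches all three signals. The port-9865 keepalive with a tiny non-base64 payload scores a single reason and is ignored, which is the point of requiring two or more. In a real deployment the port list should be treated as one input among several, since neither port is unique to this malware.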
The collected data is offered at high prices on various marketplaces to cybercriminals looking to carry out lucrative follow-up campaigns, in so-called “big-game hunting” operations that go after large companies and government-sector targets, according to the researchers.
Open Source Malware Rising in Popularity
A growing number of malicious actors are building malware and ransomware with open source programming languages like Go, which offers increased flexibility.
Go’s cross-platform capability enables a single codebase to be compiled for all major operating systems. This makes it easy for threat actors, such as the ones behind BianLian, to make constant changes and add new capabilities to their malware to avoid detection.
The operators of the cross-platform BianLian ransomware have actually increased their C2 infrastructure in recent months, indicating an acceleration in their operational pace.
Uncommon programming languages — including Go, Rust, Nim, and DLang — are also becoming favorites among malware authors seeking to bypass security defenses or address weak spots in their development process, according to a report last year from BlackBerry.