Aurora Infostealer

Malware Campaign Uncovered: Attackers Exploit YouTube to Distribute Aurora Infostealer

This article covers a malware campaign discovered by CloudSEK and investigated by Morphisec. Attackers use YouTube to advertise cracked software and seed the videos with malicious links. We describe how the malicious downloader works and the evasion techniques it uses.

In mid-March, we discussed the malware campaign uncovered by CloudSEK in general terms. The attackers posted instructions for cracking popular software such as Photoshop, Premiere Pro, 3ds Max, and AutoCAD on the YouTube video hosting platform, accompanied by malicious links.


Morphisec cybersecurity researchers investigated the same campaign and detailed how a malicious downloader called "in2al5d p3in4er" (pronounced "invalid printer") works. The downloader is utilized by the attackers to distribute the Aurora infostealer, a Go-based information stealer that surfaced in the wild (ITW) in late 2022.


As we previously reported, the attackers use hacked or "deceptive" YouTube channels with large subscriber counts, together with avatars narrated by a program-generated robotic voice. Many such videos link to password-protected archives hosted on legitimate file hosting services such as MediaFire, but in some cases, as the experts note, the links in the YouTube videos lead to phishing sites offering a catalog of cracked software.


Morphisec reports that the loader uses a very simple but effective evasion technique. It queries the vendor ID of the installed video card and compares it against an allowlist of vendor IDs, specifically those of NVIDIA, AMD, and Intel video cards. If the vendor ID does not match one of the allowlisted values, the loader behaves like a benign application and exits.
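The practical consequence for defenders is that an analysis sandbox whose emulated display adapter reports a hypervisor vendor ID will never see the payload detonate. The following Python helper, added here as an example and not part of the original article or of Morphisec's analysis, parses Windows PnP device IDs (as returned by `Get-CimInstance Win32_VideoController | Select-Object PNPDeviceID`) and reports whether a sandbox would fail the kind of vendor-ID allowlist check described above. The vendor IDs are public PCI-SIG assignments; the sample device IDs in the block are constructed.

```python
import re
from typing import Iterable, Optional

# Public PCI vendor IDs of the physical GPU vendors the loader allowlists.
PHYSICAL_GPU_VENDORS = {
    0x10DE: "NVIDIA",
    0x1002: "AMD/ATI",
    0x8086: "Intel",
}

# Vendor IDs of emulated display adapters commonly exposed by hypervisors.
# A loader applying the allowlist above treats every one of these as "not a real machine".
HYPERVISOR_GPU_VENDORS = {
    0x15AD: "VMware",
    0x80EE: "Oracle VirtualBox",
    0x1AF4: "Red Hat / virtio",
    0x1B36: "Red Hat / QEMU",
    0x1414: "Microsoft Hyper-V",
}

# Windows PnP device IDs for PCI devices look like PCI\VEN_10DE&DEV_2484&SUBSYS_...
_PNP_ID_RE = re.compile(r"PCI\\VEN_([0-9A-F]{4})", re.IGNORECASE)


def parse_vendor_id(pnp_device_id: str) -> Optional[int]:
    """Extract the 16-bit PCI vendor ID from a PnP device ID, or None if it is not a PCI device."""
    m = _PNP_ID_RE.search(pnp_device_id)
    return int(m.group(1), 16) if m else None


def classify_adapter(pnp_device_id: str) -> str:
    """Classify a display adapter as 'physical', 'hypervisor', 'other' or 'unknown' (non-PCI)."""
    vid = parse_vendor_id(pnp_device_id)
    if vid is None:
        return "unknown"  # e.g. ROOT\BasicDisplay\0000 (Microsoft Basic Display Adapter)
    if vid in PHYSICAL_GPU_VENDORS:
        return "physical"
    if vid in HYPERVISOR_GPU_VENDORS:
        return "hypervisor"
    return "other"


def sandbox_would_be_fingerprinted(pnp_device_ids: Iterable[str]) -> bool:
    """True if no adapter carries an allowlisted vendor ID, i.e. a loader using the
    vendor-ID check would exit without ever dropping its payload in this environment."""
    return not any(classify_adapter(d) == "physical" for d in pnp_device_ids)


# Constructed sample inventories (not taken from any real host).
PHYSICAL_HOST = [r"PCI\VEN_10DE&DEV_2484&SUBSYS_38971462&REV_A1"]
VIRTUALBOX_SANDBOX = [r"PCI\VEN_80EE&DEV_BEEF&SUBSYS_00000000&REV_00"]

if __name__ == "__main__":
    for name, adapters in (("physical host", PHYSICAL_HOST), ("VirtualBox sandbox", VIRTUALBOX_SANDBOX)):
        verdict = "would be skipped by the loader" if sandbox_would_be_fingerprinted(adapters) else "passes the allowlist"
        print(f"{name}: {[classify_adapter(a) for a in adapters]} -> {verdict}")
```

If the check reports that the sandbox would be skipped, the remedy is on the hypervisor side: pass through a physical GPU or configure the analysis VM so its display adapter reports one of the allowlisted vendor IDs before detonating the sample again.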


Otherwise, in2al5d p3in4er decrypts the final payload and injects it into the legitimate "sihost.exe" process using process hollowing. Alternatively, certain loader instances write the decrypted payload into allocated memory and then call it from there.
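Process hollowing leaves a useful trace in process-creation telemetry: the hollowed "sihost.exe" is a child of the loader rather than of the system process that normally starts it. The following Python snippet, added here as an example and not part of the original article, runs a simple check over constructed Sysmon-style process-creation records (Event ID 1). It assumes a baseline in which the legitimate Shell Infrastructure Host is `C:\Windows\System32\sihost.exe` and is spawned by `svchost.exe`; the image paths and process IDs in the sample events are constructed.

```python
from typing import Dict, List, Tuple

# Assumed baseline for the legitimate Shell Infrastructure Host (lower-cased for comparison).
EXPECTED_IMAGE = r"c:\windows\system32\sihost.exe"
EXPECTED_PARENT = r"c:\windows\system32\svchost.exe"


def is_sihost(path: str) -> bool:
    """True if the file name component of the path is sihost.exe (case-insensitive)."""
    return path.lower().rsplit("\\", 1)[-1] == "sihost.exe"


def flag_sihost_creation(event: Dict) -> List[str]:
    """Return the reasons a process-creation record looks like a hollowing target.
    An empty list means the record matches the expected baseline."""
    reasons: List[str] = []
    if event.get("EventID") != 1 or not is_sihost(event.get("Image", "")):
        return reasons
    image = event["Image"].lower()
    parent = event.get("ParentImage", "").lower()
    if image != EXPECTED_IMAGE:
        # A copy of sihost.exe outside System32 is masquerading, not the real host process.
        reasons.append(f"sihost.exe running from unexpected path: {event['Image']}")
    if parent != EXPECTED_PARENT:
        # Hollowing requires the loader to create the target itself, so it shows up as the parent.
        reasons.append(f"sihost.exe spawned by unexpected parent: {event.get('ParentImage')}")
    return reasons


def scan(events: List[Dict]) -> List[Tuple[int, str]]:
    """Run the check over a batch of events; yields (ProcessId, reason) pairs."""
    return [(e["ProcessId"], reason) for e in events for reason in flag_sihost_creation(e)]


# Constructed sample events (Sysmon Event ID 1 fields, simplified); not real telemetry.
SAMPLE_EVENTS = [
    {   # Normal startup of the Shell Infrastructure Host by svchost.exe
        "EventID": 1, "ProcessId": 1280,
        "Image": r"C:\Windows\System32\sihost.exe",
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "ParentProcessId": 904,
    },
    {   # sihost.exe created by an installer the user ran from Downloads
        "EventID": 1, "ProcessId": 4412,
        "Image": r"C:\Windows\System32\sihost.exe",
        "ParentImage": r"C:\Users\alice\Downloads\installer.exe",
        "ParentProcessId": 4388,
    },
    {   # Unrelated process; must be ignored by the check
        "EventID": 1, "ProcessId": 5100,
        "Image": r"C:\Windows\System32\notepad.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "ParentProcessId": 3320,
    },
]

if __name__ == "__main__":
    for pid, reason in scan(SAMPLE_EVENTS):
        print(f"PID {pid}: {reason}")
```

A hit on the parent check is only the first signal; in a real investigation it should be corroborated with memory-write or thread-context events on the same child process, since a suspended-then-written sihost.exe is the hallmark of hollowing rather than a benign restart.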


Another important aspect of the loader is that it is compiled with Embarcadero RAD Studio, which helps in2al5d p3in4er avoid detection. The loader is also able to evade sandboxes and virtual machines.


The attackers behind this loader evidently continue to succeed with their social engineering, since the malicious videos are still available on YouTube. Furthermore, even VirusTotal frequently fails to flag in2al5d p3in4er as a threat. The only genuine protection against this malware is therefore to refrain from downloading cracked software altogether.
