One of the most recent discoveries was the Aurora Stealer malware, which imitated popular applications in order to infect as many users as possible.
Cyble researchers discovered that threat actors are actively changing and customizing their phishing websites in order to target a wide range of well-known applications. Aurora is interested in data from web browsers and cryptocurrency wallets, among other things.
Aurora, the Shapeshifting Thief
Aurora has been marketed as a stealer on Telegram and darknet forums since late August 2022. Malware-as-a-service costs $250 per month or $1500 for a lifetime license.
Cyble Research and Intelligence Labs (CRIL) discovered a phishing website (hxxps[:]/messenger-download[.]top) claiming to be a website for a chat app on January 16th, 2023. The next day, the same webpage impersonated the official TeamViewer website.
According to the researchers' report, the malware file gathers system information using Windows Management Instrumentation (WMI) commands, including the operating system's name, the graphics card's name, and the processor's name.
Furthermore, the malware persists in collecting system information such as the username, Hardware Identification (HWID), RAM size, screen resolution, and IP address. Furthermore, the malware searches the installed directories for specific browser-related files saved in SQLite, such as Cookies, History, Login Data, and Web Data by scanning the directories of installed browsers on the victim's computer.
The stealer then continues to extract crypto wallet data by querying and reading files from specific directories. It also grabs information from cryptocurrency wallet browser extensions. As per researchers, over 100 extensions have been specifically targeted and hard coded into the stealer binary.
Other stealers, such as RedLine, Vidar, and RecordBreaker, have been found padding malware samples with unnecessary data in order to avoid detection, according to CSN.
You can immensely decrease your chances of becoming a victim by using multi-factor authentication and strong passwords whenever possible. Additionally, enable automatic software updates and educate employees on how to protect themselves against threats such as phishing and unsafe URLs.
