# Aurora: The Dark Dawn and its Menacing Effects **[research.loginsoft.com/threat-research/aurora-the-dark-dawn-and-its-menacing-effects/](https://research.loginsoft.com/threat-research/aurora-the-dark-dawn-and-its-menacing-effects/)** **Aurora Stealer Background** March 24, 2023 By Saharsh Agrawal March 23, 2023 [Aurora Stealer a non-friendly program in your neighborhood is developed in Go-lang. The](https://go.dev/) malware was developed for threat actors to steal victims’ sensitive data. Since its initial release, there have been many adaptations to the malware. It started as a botnet having info-stealer capabilities but currently it is a full-time info-stealer which is being sold by the threat actor labelled Cheshire on Russian speaking dark-net forums mentioned by [cybersecurity firm Sekoia.](https://blog.sekoia.io/aurora-a-rising-stealer-flying-under-the-radar/) The malware has a knack for stealing the victim’s browser data including cookies, passwords, login data and many more. It has the horizon to steal data from most browsers. The stealer also targets crypto wallets to pilfer victim’s data. The malware does not stop here, it can exfiltrate files and data stored in different software from the victim’s machine. Once all the super-sensitive data is possessed by the stealer it delivers the data to the attacker. **Operating Model** _Figure1: Attack_ _Chain of Aurora Stealer_ ----- The malware is being spread among victims in the hospitality industry through phishing [emails as seen by Trendmirco. Besides phishing campaigns, the threat actors also have](https://www.trendmicro.com/vinfo/us/threat-encyclopedia/spam/3721/fake-roadway-map-leads-to-aurora-stealer) utilized SEO poisoning technique to deliver the malware via malicious ads of notepad++ [according to SANS finding.](https://isc.sans.edu/diary/Malicious+Google+Ad+Fake+Notepad+Page+Aurora+Stealer+malware/29448) Upon the detonation of the malware, our observations revealed the implementation of multiple sophisticated techniques by the malware to evade detection by antivirus software. [One such technique involved the incorporation of binary padding, resulting in an increase in](https://attack.mitre.org/techniques/T1027/001/) the file size allowing the malware to circumvent the antivirus software and evade detection. ----- _Figure2: Fake Adobe Acrobat Installer Downloaded from SEO Poisoning Campaign_ After successful infiltration, the malware utilizes Windows Management Instrumentation (WMI) commands to gather pertinent system information. This behavior was consistently observed in all samples of Aurora stealer that we analyzed. Additionally, independent [research conducted by Cyble and other industry experts has reported this observation.](https://blog.cyble.com/2023/01/18/aurora-a-stealer-using-shapeshifting-tactics/) _Figure2.1 : WMI Commands getting Executed_ We also captured Aurora stealer’s actions that were aimed at extracting sensitive information from files and folders located in various browsers, cryptocurrency wallets, and drives, as illustrated below. ----- _Figure3: Stealing Browser and Crypto Data_ Aurora leverages PowerShell to facilitate the execution of its second stage, employing the following command: ``` powershell "" "start-process C:\Users\Admin\AppData\Local\Temp\BK2c7L9Si8.exe" ``` During the second stage of Aurora, an entry to the “run keys” in the registry was observed, enabling the malware to automatically execute its third stage DLL via RUNDLL32.exe at each user login. _Figure4: Run Key Added for DLL Execution_ The third stage of the malware executes an encoded PowerShell command allowing it to delay execution for certain duration using the following command before it exfiltrates the data to the attacker. ``` C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwA0AA== ``` Once all the data and information are collected, the malware employs advanced encoding techniques to conceal the information and prepare it for shipment to the attacker over the C2 channel. The attacker can retrieve the encoded data and use it for nefarious purposes, such as identity theft or financial fraud. ----- _[Figure5: C2 Panel; source: twitter](https://twitter.com/silascutler/status/1614518491557642243)_ **Detection** The infernal behavior of this malware can be detected using SIGMA rules. To begin with, we attribute different WMI commands getting executed in sequence to detect Aurora Stealer malware. ``` logsource: category: process_creation product: windows detection: selection: Image|endswith: '\wmic.exe' CommandLine|contains: - 'wmic os get Caption' - 'wmic path win32_VideoController get name' - 'wmic cpu get name' condition: selection ``` One detection would be to capture changes in ‘run key’ registry which execute DLL using RUNDLL32.exe ----- ``` logsource: product: windows category: registry_set detection: selection: EventType: SetValue TargetObject|contains: '\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce' Details|re: .*rundll32.exe.C:\\\\Windows\\\\system32\\\\advpack.dll,DelNodeRunDLL32 \\"C:\\\\Users\\\\.*\\AppData\\\\Local\\\\Temp\\\\IXP[0-9]{1,3}.TMP.* condition: selection ``` Based on the general behavior followed by Aurora and different malwares, we have developed several detection methods. We also observed changes in the configuration of Windows Defender, where the path ‘C:\Program Data’ is excluded. ``` logsource: product: windows category: registry_set detection: selection: EventType: SetValue TargetObject|contains: '\Microsoft\Windows Defender\Exclusions' Details: 'C:\Program Data\' condition: selection ``` Another detection would be by tracing event id `5007`, which can be activated by enabling Windows Defender operation logs. This particular event is triggered whenever there is a modification made to the configuration of Microsoft Defender Antivirus. ``` logsource: product: windows service: windefend detection: selection: EventID: 5007 NewValue|contains: 'C:\Program Data\' condition: selection ``` Additionally, one clever way to detect this malware is to monitor the execution of obfuscated PowerShell commands. [The same campaign can be detected using OSQUERY rules. Below are some rules that will](https://www.loginsoft.com/blog/2020/06/25/explicating-the-concepts-of-osquery/) help you keep your organization safe. ----- ``` query_wmic: SELECT name, pid, cmdline, path, parent FROM processes WHERE LOWER(name) = 'wmic.exe' AND ( cmdline LIKE '%OS Get Caption%' OR cmdline LIKE '%path win32_VideoController get name%' OR cmdline LIKE '%cpu get name%' ); query_regsitry: SELECT key, path, name, type, data FROM registry WHERE path LIKE 'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\%' AND data LIKE '%rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 "C:\\Users\\%\\AppData\\Local\\Temp\\IXP%.TMP\\%'; query_exclusion: SELECT key, path, name, type, data FROM registry WHERE path LIKE 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\%' AND ( data LIKE '%c:\programdata%' OR data LIKE '%\appdata\roaming\microsoft\windows\start menu\programs\startup%' ``` [For more threat analytics reach us here.](https://research.loginsoft.com/contact-us/) [The above rules have been vindicated by simulating Aurora stealer in a sandbox](https://tria.ge/221117-p1yg5aad8t/behavioral1) environment. **MITRE ATT&CK Techniques** |Tactic|Technique ID|Technique Name| |---|---|---| ----- |Execution|T1204 T1059.001 T1059.003 T1047|User Execution Command and Scripting Interpreter: PowerShell Command and Scripting Interpreter: Windows Command Shell Windows Management Instrumentation| |---|---|---| |Persistence|T1547.001|Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder| |Defense Evasion|T1562.001 T1027 T1218 .011 T1497|Impair Defenses Obfuscated Files or Information System Binary Proxy Execution: R undll32 Virtualization/Sandbox Evasion| |Credential Access|T1555.003 T1056 T1003 T1528 T1539 T1552 .002|Credentials from Password Stores: Credentials from Web Browsers Input Capture OS Credential Dumping Steal Application Access Token Steal Web Session Cookie Credentials in Registry| |Discovery|T1087 T1083 T1012 T1082 T1518 .001 T1614 T1497|Account Discovery File and Directory D iscovery Query Registry System Informa tion Discovery Software Discovery: Security S oftware Discovery System Location Discovery Virtualization/Sandbox Evas ion| |Collection|T1119 T1005 T1056 T1113|Automated Collection Data from Local Syste m Input Capture Screen Captu re| |Command and Control|T1071.001 T1105 T1095 T1571|Application Layer Protocol: Web Protocols Ingress Tool Transfer Non-Application Laye r Protocol Non-Standard Port| **Threat Bites** **Threat Actor** **Targeted Country** **Targeted Industry** **First Seen** **Last Seen** ----- **LOLBAS** **Telemetry** **Samples** : : : : : : : : Unknown Worldwide Hotels April 2022 March 2023 Wmic, Reg, Rundll32 Sysmon, Security, Windefend, PowerShell [https://tria.ge/230118-f1ewcaac94/behavioral1](https://tria.ge/230118-f1ewcaac94/behavioral1) **Author: Saharsh Agrawal** Security Researcher, Loginsoft -----