Skip to main content

YouTube Videos Distributing Aurora Stealer Malware via Highly Evasive Loader.

Aurora Stealer Malware

Cybersecurity researchers have detailed the inner workings of a highly evasive loader named "in2al5d p3in4er" (read: invalid printer) that's used to deliver the Aurora information stealer malware.

"The in2al5d p3in4er loader is compiled with Embarcadero RAD Studio and targets endpoint workstations using advanced anti-VM (virtual machine) technique," cybersecurity firm Morphisec said in a report shared with The Hacker News.

Aurora is a Go-based information stealer that emerged on the threat landscape in late 2022. Offered as a commodity malware to other actors, it's distributed through YouTube videos and SEO-poised fake cracked software download websites.

Clicking the links present in YouTube video descriptions redirects the victim to decoy websites where they are enticed into downloading the malware under the garb of a seemingly-legitimate utility.


The loader analyzed by Morphisec is designed to query the vendor ID of the graphics card installed on a system, and compared it against a set of allowlisted vendor IDs (AMD, Intel, or NVIDIA). If the value doesn't match, the loader terminates itself.

The loader ultimately decrypts the final payload and injects it into a legitimate process called "sihost.exe" using a technique called process hollowing. Alternatively, some loader samples also allocate memory to write the decrypted payload and invoke it from there.

"During the injection process, all loader samples resolve the necessary Win APIs dynamically and decrypt these names using a XOR key: 'in2al5d p3in4er,'" security researchers Arnold Osipov and Michael Dereviashkin said.


Another crucial aspect of the loader is its use of Embarcadero RAD Studio to generate executables for multiple platforms, thereby enabling it to evade detection.

"Those with the lowest detection rate on VirusTotal are compiled using 'BCC64.exe,' a new Clang based C++ compiler from Embarcadero," the Israeli cybersecurity company said, pointing out its ability to evade sandboxes and virtual machines.

"This compiler uses a different code base such as 'Standard Library' (Dinkumware) and 'Runtime Library' (compiler-rt) and generates optimized code which changes the entry point and execution flow. This breaks security vendors' indicators, such as signatures composed from 'malicious/suspicious code block.'"

UPCOMING WEBINAR
Defend with Deception: Advancing Zero Trust Security

Discover how Deception can detect advanced threats, stop lateral movement, and enhance your Zero Trust strategy. Join our insightful webinar!

Save My Seat!

In a nutshell, the findings show that the threat actors behind in2al5d p3in4er are leveraging social engineering methods for a high-impact campaign that employs YouTube as a malware distribution channel and directs viewers to convincing-looking fake websites to distribute the stealer malware.

The development comes as Intel 471 unearthed another malware loader AresLoader that's marketed for $300/month as a service for criminal actors to push information stealers disguised as popular software using a binder tool. The loader is suspected to be developed by a group with ties to Russian hacktivism.

Some of the prominent malware families spread using AresLoader since January 2023 include Aurora Stealer, Laplas ClipperLumma StealerStealc, and SystemBC.

Source: THN 

Comments

Popular posts from this blog

Escaped Murder Suspect Finally Arrested in Yumbe Regional Referral Hospital, Yumbe District.

Story by Osuta Yusuf. 19-November-2024. 📸: Eyotre Kennedy handcuffed on bed while receiving medication this morning at Yumbe Regional Referral Hospital in Yumbe District. Eyotre Kennedy originating from Etoko village, Nyoroo Parish, Nyadri Sub-county in Maracha District who has for many years been terrorizing residents in his village, has finally been arrested this Monday morning 19-November-2024 while receiving treatment at Yumbe Regional Referral Hospital in Yumbe District following injuries he sustained from Theft mission on Saturday night 16-November-2024 in Owapi village, Azapi parish in Odupi Sub-county, Terego East Constituency in Terego District. Click here on the link  https://informationispowah.blogspot.com/2024/11/fugitive-who-chopped-3-people-killed.html   to read the story on his Theft of Goats in Terego. Upon getting cut on the finger and leg by the Mob as he attempted to fight and overpower owner of the goats he attempted to steal on Saturday night ...

41-Years-Old Man Digs His Own Grave in Maracha District.

Story by Osuta Yusuf.  Maracha District.  📸: The grave been dug by Mr Opiga Michael, a victim of frustration. Photo taken by Osuta Yusuf , on Wednesday 11-September-2024. The residents of Ebapi village, Baria Parish in Nyadri Sub-county, Maracha east constituency, Maracha District are in shock after a 41 year old man started digging his own grave. The man, identified as Mr Opiga Michael, who seems to be frustrated over some challenges in life, started digging his own grave on Tuesday 10-September-2024 until he was stopped by the elders in Nyaria clan. 📸: Opiga Michael, the Victim of Frustration. Photo by Osuta Yusuf , Information is Power. While speaking to our reporter on Wednesday evening 11-September-2024, Mr Opiga Michael, said, his main plan  was to commit suicide after finishing digging the grave for burying himself, explained that, he feels frustrated, abandoned and hated by his own clan people, whom he accused of piling lies against him a...

Wedded Ayivu West MP Lematia John Fights Over Another Woman.

  📸: Hon Lematia John. By URN. Police in Arua district are investigating a case of assault and threatening violence involving the Member of Parliament for Ayivu West Constituency John Lematia and James Ariko, a DSTV technician in Arua city. Drama ensued on Easter Sunday 31-3-2024 at Dream Land Hotel located at Kuluva trading center along Arua-Nebbi highway in Arua district when the legislator and the technician engaged in a fight reportedly over a woman identified as Faith Eyotaru 25, a relationship officer at Victoria University Kampala. The scuffle started after Ayivu West Mp John Lematia went to swim at Dreamland Hotel with Faith Eyotaru only to find Ariko, who had gone to the same hotel earlier. However, upon seeing the duo coming out of the vehicle, Ariko confronted Lematia with both men claiming to be having a relationship with the lady. It took the intervention of the staff at the hotel who intervened and separated the fight between the men. Josephine Angucia, the West Nil...