
Aurora infostealer malware increasingly adopted by cybergangs
2022-11-21 23:09

Cybercriminals are increasingly turning to a new Go-based information stealer named 'Aurora' to steal sensitive information from browsers and cryptocurrency apps, exfiltrate data directly from disks, and load additional payloads.

According to cybersecurity firm SEKOIA, at least seven notable cybergangs with significant activity have adopted Aurora exclusively, or along with Redline and Raccoon, two other established information-stealing malware families.

By late August 2022, SEKOIA observed that Aurora was being advertised purely as a stealer, indicating that the project had abandoned its earlier goal of becoming a multi-function tool.

Upon execution, Aurora runs several WMIC commands to collect basic host information, takes a screenshot of the desktop, and sends everything to the command-and-control (C2) server. Next, the malware targets data stored in multiple browsers, cryptocurrency browser extensions, cryptocurrency wallet desktop apps, and Telegram.

The analysts also observed a loader component in Aurora that issues a "Net http Get" request (Go's net/http package) to download an additional payload, writes it to the filesystem under a random file name, and then launches it through PowerShell.
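The two behaviours described above (a burst of WMIC host-profiling queries, followed shortly by PowerShell launching a randomly named executable dropped into a user-writable directory) are the kind of process-creation pattern a SOC can correlate. The following Python script is an added example, not code from the article or from SEKOIA: it runs a heuristic detection over constructed Sysmon-style process-creation records. The exact WMIC queries, file paths and parent/child relationships in the sample log are assumptions for illustration; the page does not list the specific commands Aurora runs.

```python
"""Heuristic correlation of WMIC recon followed by PowerShell launching a dropped payload.

Constructed example: the log lines below are made up and resemble Sysmon
Event ID 1 (process creation) fields. The specific WMIC queries are assumed;
the article only states that Aurora runs "several commands through WMIC".
"""
import json
import math
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed process-creation events (JSON lines), not real telemetry.
SAMPLE_LOG = r"""
{"ts":"2022-11-21T10:00:01","host":"WS01","pid":4120,"ppid":3001,"image":"C:\\Windows\\System32\\wbem\\WMIC.exe","cmd":"wmic os get Caption,OSArchitecture"}
{"ts":"2022-11-21T10:00:02","host":"WS01","pid":4121,"ppid":3001,"image":"C:\\Windows\\System32\\wbem\\WMIC.exe","cmd":"wmic cpu get Name"}
{"ts":"2022-11-21T10:00:02","host":"WS01","pid":4122,"ppid":3001,"image":"C:\\Windows\\System32\\wbem\\WMIC.exe","cmd":"wmic path win32_VideoController get Name"}
{"ts":"2022-11-21T10:00:09","host":"WS01","pid":4130,"ppid":3001,"image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmd":"powershell -w hidden Start-Process C:\\Users\\bob\\AppData\\Local\\Temp\\x8Qz3kT9vL.exe"}
{"ts":"2022-11-21T10:05:00","host":"WS02","pid":5010,"ppid":700,"image":"C:\\Windows\\System32\\wbem\\WMIC.exe","cmd":"wmic os get Caption"}
{"ts":"2022-11-21T10:06:00","host":"WS02","pid":5011,"ppid":9001,"image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmd":"powershell -File C:\\Scripts\\backup.ps1"}
"""

WMIC_RE = re.compile(r"wmic(\.exe)?\s+.*\bget\b", re.I)
PS_IMAGE_RE = re.compile(r"\\powershell(\.exe)?$", re.I)
EXE_PATH_RE = re.compile(r'([A-Za-z]:\\[^\s"\']+\.exe)', re.I)
# Directories a dropper typically writes to (assumed list, not from the article).
DROP_DIRS = ("\\temp\\", "\\appdata\\", "\\programdata\\")


def parse_events(text):
    """Parse JSON lines into dicts, converting the timestamp, sorted by time."""
    events = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def shannon_entropy(s):
    """Bits of entropy per character of the string."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def looks_random_name(path):
    """Heuristic for a generated file name: long stem, mixed character classes, high entropy."""
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    classes = sum(bool(re.search(p, stem)) for p in (r"[a-z]", r"[A-Z]", r"\d"))
    return len(stem) >= 8 and classes >= 2 and shannon_entropy(stem) > 3.0


def dropped_payload(cmd):
    """Return the .exe path if the command launches a random-named binary from a drop dir."""
    m = EXE_PATH_RE.search(cmd)
    if not m:
        return None
    path = m.group(1)
    if any(d in path.lower() for d in DROP_DIRS) and looks_random_name(path):
        return path
    return None


def detect(events, window=timedelta(seconds=60), min_wmic=2):
    """Alert when >= min_wmic WMIC 'get' queries precede, within `window`, a PowerShell
    launch of a dropped random-named executable under the same host and parent process."""
    by_parent = defaultdict(list)
    for ev in events:
        by_parent[(ev["host"], ev["ppid"])].append(ev)

    alerts = []
    for (host, ppid), evs in by_parent.items():
        wmic_ts = [e["ts"] for e in evs
                   if e["image"].lower().endswith("wmic.exe") and WMIC_RE.search(e["cmd"])]
        for e in evs:
            if not PS_IMAGE_RE.search(e["image"]):
                continue
            payload = dropped_payload(e["cmd"])
            if payload is None:
                continue
            recent = [t for t in wmic_ts if e["ts"] - window <= t <= e["ts"]]
            if len(recent) >= min_wmic:
                alerts.append({"host": host, "ppid": ppid, "wmic_queries": len(recent),
                               "payload": payload, "ts": e["ts"].isoformat()})
    return alerts


def run_sample():
    """Run the detection over the constructed sample log."""
    return detect(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the sample data only the WS01 chain fires: three WMIC queries and the PowerShell launch share parent PID 3001 within a minute. WS02's lone WMIC query and its PowerShell run of a normally named script under a different parent stay quiet. Tuning `min_wmic`, the window and the drop-directory list to your environment matters more than the entropy threshold, which is only a coarse filter for names like the one in the sample.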

For a complete list of the IoCs and sites used for Aurora distribution, check SEKOIA's GitHub repository.


News URL

https://www.bleepingcomputer.com/news/security/aurora-infostealer-malware-increasingly-adopted-by-cybergangs/