Recently, Cyble Research and Intelligence Labs (CRIL) discovered Aurora Stealer malware imitating popular applications on phishing sites to infect as many users as possible.
To target a variety of well-known applications, the threat actors behind this attack are actively changing and customizing their phishing websites.
Cyble researchers analyzed Aurora, an information stealer that uses phishing pages impersonating popular applications to infect users. Aurora steals data from web browsers, browser extensions, cryptocurrency wallets, Telegram and specific user directories.
Aurora – A Stealer Using Shapeshifting Tactics
On January 16th, 2023, Cyble Research and Intelligence Labs (CRIL) discovered a phishing website called “hxxps[:]/messenger-download[.]top” that was pretending to be a website for a chat application.
The following day, January 17th, 2023, it was discovered that the same phishing site was impersonating the official TeamViewer website.
Messenger phishing page downloading Aurora stealer as teamviewer.exe
When a user clicks the “Download” button on the phishing website, a malicious file named “messenger.exe” or “teamviewer.exe”, depending on which application the page is impersonating at the time, is downloaded from the associated URL.
“The ‘messenger.exe’ and ‘teamviewer.exe’ files that have been downloaded are actually malicious Aurora Stealer samples, which have been padded with extra zeroes at the end to increase their size to around 260MB,” CRIL researchers said.
The threat actors use this padding to evade antivirus detection: many scanners and sandboxes enforce file-size limits and skip, time out on, or only partially inspect very large files, and appending zero bytes after the last section inflates the sample without changing how it runs. The padded file's hash also no longer matches that of the unpadded payload, so a hash taken from one padded sample is a weak indicator on its own.
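To show how an analyst can confirm this kind of padding and recover the unpadded payload, here is an added Python example; it is not code from the Cyble report or from the malware. It reads the PE section table to find the offset where the headers say the last section's raw data ends, measures the trailing run of zero bytes, and flags a file whose overlay is almost entirely zeros and dominates its size. The sample PE it builds is a constructed stand-in, not an Aurora sample, and the 50% overlay-ratio and 90% zero thresholds are arbitrary choices for illustration.

```python
import struct


def pe_declared_end(data: bytes) -> int:
    """Return the file offset where the PE headers say the last section's raw data ends.

    Bytes beyond this offset form the 'overlay': the loader never maps them, so they may be
    an Authenticode certificate, an installer payload, or, as in this case, pure padding.
    """
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4                                      # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt_hdr = struct.unpack_from("<H", data, coff + 16)[0]
    sec_table = coff + 20 + size_opt_hdr                     # first IMAGE_SECTION_HEADER
    end = sec_table + 40 * num_sections                      # at minimum, the headers themselves
    for i in range(num_sections):
        # SizeOfRawData and PointerToRawData sit at offsets 16 and 20 of each 40-byte header
        size_raw, ptr_raw = struct.unpack_from("<II", data, sec_table + 40 * i + 16)
        end = max(end, ptr_raw + size_raw)
    return end


def trailing_zero_run(data: bytes) -> int:
    """Number of consecutive zero bytes at the very end of the file."""
    return len(data) - len(data.rstrip(b"\x00"))


def analyze_padding(data: bytes, min_overlay_ratio: float = 0.5) -> dict:
    """Flag a PE whose overlay is (almost) all zero bytes and makes up most of the file."""
    declared_end = pe_declared_end(data)
    overlay = max(0, len(data) - declared_end)
    zeros = min(trailing_zero_run(data), overlay)            # only count zeros inside the overlay
    overlay_ratio = overlay / len(data)
    padded = overlay > 0 and zeros >= 0.9 * overlay and overlay_ratio >= min_overlay_ratio
    return {
        "file_size": len(data),
        "declared_end": declared_end,
        "overlay_bytes": overlay,
        "trailing_zero_bytes": zeros,
        "overlay_ratio": round(overlay_ratio, 3),
        "padded": padded,
    }


def strip_overlay(data: bytes) -> bytes:
    """Return the file truncated at the declared end, i.e. the payload without its padding."""
    return data[:pe_declared_end(data)]


def build_sample_pe(section_data: bytes, padding: int) -> bytes:
    """Construct a minimal, non-runnable PE32 image with one section and append `padding` zero bytes.

    This is a constructed stand-in for a real sample so the example runs offline; it is not Aurora.
    """
    e_lfanew, size_opt_hdr, raw_ptr = 0x40, 0xE0, 0x200
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, size_opt_hdr, 0x0102)  # i386, 1 section, EXE
    opt = bytearray(size_opt_hdr)
    struct.pack_into("<H", opt, 0, 0x10B)                    # PE32 magic
    sec = struct.pack("<8sIIIIIIHHI", b".text", len(section_data), 0x1000, len(section_data),
                      raw_ptr, 0, 0, 0, 0, 0x60000020)       # code | execute | read
    header = (dos + b"PE\0\0" + coff + opt + sec).ljust(raw_ptr, b"\x00")
    return bytes(header) + section_data + b"\x00" * padding


if __name__ == "__main__":
    body = b"\xCC" * 100 + b"\xC3"                           # constructed section bytes, non-zero tail
    print(analyze_padding(build_sample_pe(body, 4096)))      # padded: True
    print(analyze_padding(build_sample_pe(body, 0)))         # padded: False
```

On a real sample, call `analyze_padding(open(path, "rb").read())`; for a 260MB file this is still a single read, and `strip_overlay` gives back the payload that can be hashed, compared across campaign samples and submitted to a sandbox that would otherwise reject the oversized file. Legitimate overlays (signatures, installer archives) are not zero-filled, which is why the check looks at the zero run rather than at overlay size alone.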
The researchers also note that the malware uses Windows Management Instrumentation (WMI) commands to profile the infected host, collecting the operating system name, the graphics card name and the processor name.
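Host profiling of this kind is visible in process-creation telemetry when the queries go through wmic.exe or PowerShell rather than in-process WMI. The following Python example is added here and is not from the Cyble report: the event records and the WMIC command lines are constructed assumptions (the report does not state the exact queries Aurora runs), and the rule only sees command-line WMI use. A stealer that queries WMI in-process over COM leaves no such child processes, so this check complements file-based triage rather than replacing it.

```python
import re
from collections import defaultdict

# Constructed process-creation events in a simplified Sysmon Event ID 1 style.
# Paths, PIDs and command lines are invented for this example.
EVENTS = [
    {"ts": 100.0, "pid": 4100, "ppid": 880, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"ts": 101.0, "pid": 4312, "ppid": 4100, "image": r"C:\Users\victim\Downloads\teamviewer.exe",
     "cmdline": r"C:\Users\victim\Downloads\teamviewer.exe"},
    {"ts": 101.4, "pid": 4320, "ppid": 4312, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic os get Caption"},
    {"ts": 101.6, "pid": 4324, "ppid": 4312, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic path win32_VideoController get Name"},
    {"ts": 101.9, "pid": 4330, "ppid": 4312, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic cpu get Name"},
    # An administrator running a single inventory query from a shell should not trip the rule.
    {"ts": 300.0, "pid": 5000, "ppid": 880, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe"},
    {"ts": 300.5, "pid": 5004, "ppid": 5000, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic cpu get Name"},
]

# The three host attributes the report says the stealer collects, mapped to the WMIC alias
# or Win32_ class that returns them (the Win32_ form also matches Get-CimInstance/Get-WmiObject).
RECON_PATTERNS = {
    "os": re.compile(r"\b(wmic\s+os\b|win32_operatingsystem)", re.I),
    "gpu": re.compile(r"win32_videocontroller", re.I),
    "cpu": re.compile(r"\b(wmic\s+cpu\b|win32_processor)", re.I),
}


def classify(cmdline: str) -> set:
    """Return the set of recon categories a command line touches (empty if none)."""
    return {cat for cat, rx in RECON_PATTERNS.items() if rx.search(cmdline)}


def find_profiling_parents(events, window: float = 30.0, min_categories: int = 2) -> list:
    """Flag parent processes whose children cover >= min_categories of WMI recon
    within `window` seconds of the first such query."""
    images = {ev["pid"]: ev["image"] for ev in events}
    by_parent = defaultdict(list)
    for ev in events:
        cats = classify(ev["cmdline"])
        if cats:
            by_parent[ev["ppid"]].append((ev["ts"], cats))

    hits = []
    for ppid, rows in by_parent.items():
        rows.sort(key=lambda r: r[0])
        first_ts = rows[0][0]
        covered = set()
        for ts, cats in rows:
            if ts - first_ts <= window:
                covered |= cats
        if len(covered) >= min_categories:
            hits.append({"ppid": ppid, "image": images.get(ppid, "?"),
                         "categories": sorted(covered)})
    return hits


if __name__ == "__main__":
    for hit in find_profiling_parents(EVENTS):
        print(f"WMI host profiling by PID {hit['ppid']} ({hit['image']}): {hit['categories']}")
```

The parent image is the interesting field: an unsigned binary in a user's Downloads folder fanning out OS, GPU and CPU queries within a second is a much stronger signal than any single WMIC invocation, which administrators and inventory agents run routinely.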