Aurora Infostealer Sold on Darknet and Telegram

Description

FortiGuard Labs is aware of a report that a new infostealer named "Aurora" is being offered for sale on the dark web and Telegram. The infostealer was allegedly developed by a threat actor who previously developed the Aurora botnet. Aurora infostealer is capable of stealing data from compromised machines as well as downloading and executing remote files.


Why is this Significant?

This is significant because Aurora is a new Malware-as-a-Service (MaaS) infostealer reportedly advertised on darknet and Telegram sites. Aurora not only steals information from compromised machines but also deploys additional malware. According to outside reports, several active threat actors are using Aurora infostealer.


What is Aurora Infostealer?

Aurora is a Go-based infostealer that targets web browsers, cryptocurrency-related browser extensions, and cryptocurrency wallets on compromised machines for data exfiltration. Aurora is also capable of downloading and executing remote files, which can be used to deploy additional malware.

The reported infection vector is luring users into installing fake software promoted on bogus cryptocurrency and free-software websites.
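The two behaviours described above, harvesting browser credential stores and wallet data, and dropping a file to disk and executing it, are what an endpoint detection would correlate. The following is an added example, not FortiGuard Labs code and not derived from Aurora samples: it runs a simple heuristic over constructed Sysmon-style events (file reads, file writes, process creations) and scores a process "high" when it both touches credential or wallet paths and launches an executable it wrote to a temp directory. The watchlist paths and the event shape are assumptions for illustration.

```python
"""Heuristic correlation of infostealer-style behaviour over endpoint telemetry.

Added example: not FortiGuard Labs code and not derived from Aurora samples.
Flags a process that (a) reads browser credential stores or cryptocurrency
wallet/extension data and/or (b) writes an executable to a temp directory and
then launches it (download-and-execute). All events below are constructed.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Assumed watchlist of path fragments holding browser credentials or wallet data.
# Extend with the paths that matter in your own environment.
SENSITIVE_PATH_FRAGMENTS = (
    "\\google\\chrome\\user data\\default\\login data",
    "\\mozilla\\firefox\\profiles\\",
    "\\local extension settings\\",  # browser-extension storage (wallet extensions)
    "\\exodus\\",
    "\\electrum\\wallets\\",
)
# Assumed staging locations for dropped payloads.
TEMP_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\", "\\users\\public\\")
EXEC_SUFFIXES = (".exe", ".dll", ".scr")


@dataclass(frozen=True)
class Event:
    ts: int                 # event time (seconds)
    pid: int                # acting process
    kind: str               # "file_read" | "file_write" | "process_create"
    path: str               # file path, or image path of the created child
    parent_pid: Optional[int] = None  # only for process_create


def analyze(events: Iterable[Event]) -> Dict[int, dict]:
    """Return {pid: {"reasons": [...], "severity": "high"|"medium"}}."""
    sensitive_reads: Dict[int, set] = defaultdict(set)
    dropped: Dict[int, set] = defaultdict(set)   # executables written under temp dirs
    executed: Dict[int, set] = defaultdict(set)  # dropped files later launched

    for ev in sorted(events, key=lambda e: e.ts):  # order matters: drop before exec
        p = ev.path.lower()
        if ev.kind == "file_read" and any(f in p for f in SENSITIVE_PATH_FRAGMENTS):
            sensitive_reads[ev.pid].add(ev.path)
        elif (ev.kind == "file_write" and p.endswith(EXEC_SUFFIXES)
              and any(t in p for t in TEMP_DIRS)):
            dropped[ev.pid].add(p)
        elif (ev.kind == "process_create" and ev.parent_pid is not None
              and p in dropped.get(ev.parent_pid, set())):
            executed[ev.parent_pid].add(ev.path)

    findings: Dict[int, dict] = {}
    for pid in set(sensitive_reads) | set(executed):
        reasons: List[str] = []
        if sensitive_reads[pid]:
            reasons.append("reads browser credential/wallet data")
        if executed[pid]:
            reasons.append("executes self-dropped binary from temp dir")
        severity = "high" if len(reasons) == 2 else "medium"
        findings[pid] = {"reasons": reasons, "severity": severity}
    return findings


# Constructed sample telemetry (hypothetical pids and paths).
SAMPLE_EVENTS = [
    # pid 4242: stealer-like behaviour, both indicators
    Event(1, 4242, "file_read",
          r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    Event(2, 4242, "file_read", r"C:\Users\alice\AppData\Roaming\Exodus\exodus.wallet"),
    Event(3, 4242, "file_write", r"C:\Users\alice\AppData\Local\Temp\upd.exe"),
    Event(4, 4242, "process_create", r"C:\Users\alice\AppData\Local\Temp\upd.exe", 4242),
    # pid 1000: a browser reading its own credential store (single indicator)
    Event(5, 1000, "file_read",
          r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    # pid 2000: an installer that stages and runs a binary (single indicator)
    Event(6, 2000, "file_write", r"C:\Windows\Temp\setup_helper.exe"),
    Event(7, 2000, "process_create", r"C:\Windows\Temp\setup_helper.exe", 2000),
    # pid 3000: benign document access
    Event(8, 3000, "file_read", r"C:\Users\alice\Documents\notes.txt"),
]

if __name__ == "__main__":
    for pid, f in sorted(analyze(SAMPLE_EVENTS).items()):
        print(pid, f["severity"], "; ".join(f["reasons"]))
```

The single-indicator hits (a browser reading its own store, an installer running what it unpacked) are expected noise; the value is in the "high" correlation, which is why the scoring keeps them separate rather than alerting on either alone.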


What is the Status of Protection?

FortiGuard Labs provides the following AV signatures against known Aurora infostealer samples:

  • W32/Agent.IE!tr
  • W32/PossibleThreat


Reported network IOCs associated with Aurora infostealer are blocked by the Web Filtering client.