Subscribe to Updates

    Get the latest creative news from FooBar about art, design and business.

    [mc4wp_form id=3515]
    What's Hot

    Name That Toon: Last Line of Defense

    April 16, 2024

    OpenJS Foundation Targeted in Potential JavaScript Project Takeover Attempt

    April 16, 2024

    Middle East Cyber Ops Intensify, With Israel the Main Target

    April 16, 2024
    Facebook Twitter Instagram
    • Privacy Policy
    • Contact Us
    Facebook Twitter Instagram Pinterest Vimeo
    AI Home SecurityAI Home Security
    • Home
    • Home Security
    • Cyber Security
    • Biometric Technology
    Contact
    AI Home SecurityAI Home Security
    Home»Cyber Security»YouTube Videos Distributing Aurora Stealer Malware via Highly Evasive Loader
    Cyber Security

    YouTube Videos Distributing Aurora Stealer Malware via Highly Evasive Loader

    justmattgBy justmattgApril 18, 2023No Comments3 Mins Read
    Share Facebook Twitter Pinterest LinkedIn Tumblr Reddit Telegram Email
    Share
    Facebook Twitter LinkedIn Pinterest Email

    [ad_1]

    Apr 18, 2023Ravie LakshmananThreat Intelligence / Cyber Risk

    Aurora Stealer Malware

    Cybersecurity researchers have detailed the inner workings of a highly evasive loader named “in2al5d p3in4er” (read: invalid printer) that’s used to deliver the Aurora information stealer malware.

    “The in2al5d p3in4er loader is compiled with Embarcadero RAD Studio and targets endpoint workstations using advanced anti-VM (virtual machine) technique,” cybersecurity firm Morphisec said in a report shared with The Hacker News.

    Aurora is a Go-based information stealer that emerged on the threat landscape in late 2022. Offered as a commodity malware to other actors, it’s distributed through YouTube videos and SEO-poised fake cracked software download websites.

    Clicking the links present in YouTube video descriptions redirects the victim to decoy websites where they are enticed into downloading the malware under the garb of a seemingly-legitimate utility.

    The loader analyzed by Morphisec is designed to query the vendor ID of the graphics card installed on a system, and compared it against a set of allowlisted vendor IDs (AMD, Intel, or NVIDIA). If the value doesn’t match, the loader terminates itself.

    The loader ultimately decrypts the final payload and injects it into a legitimate process called “sihost.exe” using a technique called process hollowing. Alternatively, some loader samples also allocate memory to write the decrypted payload and invoke it from there.

    “During the injection process, all loader samples resolve the necessary Win APIs dynamically and decrypt these names using a XOR key: ‘in2al5d p3in4er,'” security researchers Arnold Osipov and Michael Dereviashkin said.

    Aurora Stealer Malware

    Another crucial aspect of the loader is its use of Embarcadero RAD Studio to generate executables for multiple platforms, thereby enabling it to evade detection.

    “Those with the lowest detection rate on VirusTotal are compiled using ‘BCC64.exe,’ a new Clang based C++ compiler from Embarcadero,” the Israeli cybersecurity company said, pointing out its ability to evade sandboxes and virtual machines.

    “This compiler uses a different code base such as ‘Standard Library’ (Dinkumware) and ‘Runtime Library’ (compiler-rt) and generates optimized code which changes the entry point and execution flow. This breaks security vendors’ indicators, such as signatures composed from ‘malicious/suspicious code block.'”

    UPCOMING WEBINAR

    Master the Art of Dark Web Intelligence Gathering

    Learn the art of extracting threat intelligence from the dark web – Join this expert-led webinar!

    Save My Seat!

    In a nutshell, the findings show that the threat actors behind in2al5d p3in4er are leveraging social engineering methods for a high-impact campaign that employs YouTube as a malware distribution channel and directs viewers to convincing-looking fake websites to distribute the stealer malware.

    The development comes as Intel 471 unearthed another malware loader AresLoader that’s marketed for $300/month as a service for criminal actors to push information stealers disguised as popular software using a binder tool. The loader is suspected to be developed by a group with ties to Russian hacktivism.

    Some of the prominent malware families spread using AresLoader since January 2023 include Aurora Stealer, Laplas Clipper, Lumma Stealer, Stealc, and SystemBC.

    Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.



    [ad_2]

    Source link

    Share. Facebook Twitter Pinterest LinkedIn Tumblr Email
    Previous ArticleEntrust, IDEX, and Precise Biometrics Make Moves: Identity News Digest
    Next Article Uncovering (and Understanding) the Hidden Risks of SaaS Apps
    justmattg
    • Website

    Related Posts

    Cyber Security

    Name That Toon: Last Line of Defense

    April 16, 2024
    Cyber Security

    OpenJS Foundation Targeted in Potential JavaScript Project Takeover Attempt

    April 16, 2024
    Cyber Security

    Middle East Cyber Ops Intensify, With Israel the Main Target

    April 16, 2024
    Add A Comment

    Leave A Reply Cancel Reply

    Demo
    Stay In Touch
    • Facebook
    • Twitter
    • Pinterest
    • Instagram
    • YouTube
    • Vimeo
    Don't Miss
    Cyber Security

    Name That Toon: Last Line of Defense

    justmattgApril 16, 2024

    [ad_1] The enemies are always getting closer, using the same advanced technologies as security pros…

    OpenJS Foundation Targeted in Potential JavaScript Project Takeover Attempt

    April 16, 2024

    Middle East Cyber Ops Intensify, With Israel the Main Target

    April 16, 2024

    Muddled Libra Shifts Focus to SaaS and Cloud for Extortion and Data Theft Attacks

    April 16, 2024

    Subscribe to Updates

    Get the latest creative news from SmartMag about art & design.

    [mc4wp_form id=3515]
    Demo
    Top Posts

    Name That Toon: Last Line of Defense

    April 16, 2024

    OpenJS Foundation Targeted in Potential JavaScript Project Takeover Attempt

    April 16, 2024

    Middle East Cyber Ops Intensify, With Israel the Main Target

    April 16, 2024
    Stay In Touch
    • Facebook
    • Twitter
    • Pinterest
    • Instagram
    • YouTube
    • Vimeo
    Latest Reviews
    Cyber Security

    Name That Toon: Last Line of Defense

    justmattgApril 16, 2024

    [ad_1] The enemies are always getting closer, using the same advanced technologies as security pros…

    Cyber Security

    OpenJS Foundation Targeted in Potential JavaScript Project Takeover Attempt

    justmattgApril 16, 2024

    [ad_1] Apr 16, 2024NewsroomSupply Chain / Software Security Security researchers have uncovered a “credible” takeover…

    Subscribe to Updates

    Get the latest creative news from FooBar about art, design and business.

    [mc4wp_form id=3515]
    Demo
    MOST POPULAR

    Name That Toon: Last Line of Defense

    April 16, 2024

    California mountain lion P-22 left mark on wildlife conservation

    January 1, 2023

    Congress Again Writes To Home Minister Amit Shah Over Rahul Gandhi’s Security

    January 1, 2023
    OUR PICKS

    Name That Toon: Last Line of Defense

    April 16, 2024

    OpenJS Foundation Targeted in Potential JavaScript Project Takeover Attempt

    April 16, 2024

    Middle East Cyber Ops Intensify, With Israel the Main Target

    April 16, 2024

    Subscribe to Updates

    Get the latest creative news from FooBar about art, design and business.

    [mc4wp_form id=3515]
    Facebook Twitter Instagram Pinterest
    • Privacy Policy
    • Contact Us
    AI Home Security © 2025 All rights reserved | Designed By ESmartsSolution

    Type above and press Enter to search. Press Esc to cancel.

    ↑