Fake in-browser Windows updates push Aurora info-stealer malware

A recently spotted malvertising campaign tricked users with an in-browser Windows update simulation to deliver the Aurora information-stealing malware.

Written in Golang, Aurora has been available on various hacker forums for over a year, advertised as an info stealer with extensive capabilities and low antivirus detection.

The malvertising operation relies on popunder ads served on high-traffic adult content websites and redirects potential victims to a malware-serving location.

Not a Windows update

Popunder ads are cheap ‘pop-up’ ads that launch behind the active browser window, staying hidden from the user until they close or move the main browser window.

In December last year, Google reported that popunders were used in an ad fraud campaign that amassed hundreds of thousands of visitors and millions of fraudulent ad impressions.

The more recent campaign has a much lower impact, with nearly 30,000 users redirected and almost 600 of them downloading and installing the data-stealing malware on their systems.

However, the threat actor came up with an imaginative trick: the popunder renders a full-screen browser window that simulates a Windows system update screen.

The researchers tracked more than a dozen domains used in the campaign to host the fake Windows update screen, many of them appearing to impersonate adult websites.


All of them served a download named “ChromeUpdate.exe,” a file name that gives away the deception behind the full-screen “update” screen; some users were nonetheless tricked into running the malicious executable.

Image: Downloaded file (Malwarebytes)

New malware loader

The alleged Chrome updater is a so-called “fully undetectable” (FUD) malware loader called ‘Invalid Printer’ that seems to be used exclusively by this particular threat actor.

When ‘Invalid Printer’ was first observed, no antivirus engines on VirusTotal flagged it as malicious. Detection started to pick up a few weeks later, following the publication of a relevant report from Morphisec.

Image: Malware loader code snippet (Malwarebytes)

Invalid Printer first checks the host’s graphics card to determine whether it is running on a virtual machine or in a sandbox environment. If it is not, it unpacks and launches a copy of the Aurora information stealer.

Image: Payload carried by ‘Invalid Printer’ (Malwarebytes)

The threat actor behind this campaign appears to be particularly interested in creating hard-to-detect tools. They constantly upload new samples to VirusTotal to check how they fare against detection engines.

It was noticed that every time a new sample was first submitted to VirusTotal it came from a user in Turkey and that “in many instances, the file name looked like it had come fresh from the compiler (i.e. build1_enc_s.exe).”

Image: VirusTotal uploads from the threat actor (Malwarebytes)

Further investigation revealed that the threat actor also uses an Amadey panel, potentially indicating the use of the well-documented reconnaissance and malware-loading tool, and runs tech support scams.
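For defenders, the practical use of a report like this is turning its defanged indicators (the “[.]” notation used below) back into searchable form and sweeping proxy or firewall logs for the lure download and the C2 connections. The following is an added example, not code from BleepingComputer or Malwarebytes; the log lines are constructed for illustration, and the indicator subset and labels are taken from this article.

```python
import re

# Subset of the article's indicators, kept in the defanged form in which they were published.
DEFANGED_IOCS = {
    "activessd[.]ru": "fake update page",
    "activehdd[.]ru": "fake update page",
    "qqtube[.]ru": "malvertising gate",
    "103.195.103[.]54:443": "Aurora C2",
    "94.142.138[.]218:4561": "Aurora C2",
}

# File name served by every fake update domain, per the article.
LURE_FILENAME = "ChromeUpdate.exe"


def refang(indicator: str) -> str:
    """Turn a published 'safe' indicator back into its live form ('[.]' -> '.', 'hxxp' -> 'http')."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def match_log_line(line: str, iocs: dict) -> list:
    """Return (defanged indicator, label) pairs found in one proxy/firewall log line."""
    hits = []
    for defanged, label in iocs.items():
        live = refang(defanged)
        # Boundary checks so 'activessd.ru' does not fire on 'notactivessd.ru'
        # and 'activessd.ru' does not fire on the separate 'activessd6.ru'.
        if re.search(r"(?<![\w.-])" + re.escape(live) + r"(?![\w-])", line):
            hits.append((defanged, label))
    if LURE_FILENAME.lower() in line.lower():
        hits.append((LURE_FILENAME, "lure download"))
    return hits


def scan(lines, iocs=DEFANGED_IOCS) -> dict:
    """Map line index -> hits for every line that matched at least one indicator."""
    results = {}
    for i, line in enumerate(lines):
        hits = match_log_line(line, iocs)
        if hits:
            results[i] = hits
    return results


# Constructed sample log: one infected host fetching the lure, then beaconing to C2.
SAMPLE_LOG = [
    "2023-04-20T10:01:02Z src=10.0.0.12 GET https://activessd.ru/ChromeUpdate.exe status=200",
    "2023-04-20T10:01:40Z src=10.0.0.12 CONNECT dst=103.195.103.54:443 bytes=18322",
    "2023-04-20T10:02:11Z src=10.0.0.33 GET https://example.com/index.html status=200",
    "2023-04-20T10:03:05Z src=10.0.0.41 GET https://notactivessd.ru/ status=404",
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_LOG).items():
        print(idx, hits)
```

Matching on the live form rather than the defanged string is the step most often forgotten when IoCs are copied straight from a report into a search.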

Indicators of Compromise

Malvertising gate

qqtube[.]ru
194.58.112[.]173

Fake system update page

92.53.96[.]119

Invalid Printer samples


Aurora Stealer C2

103.195.103[.]54:443
94.142.138[.]218:4561

Amadey Stealer panel

193.233.20[.]29/games/category/Login.php

Source: BleepingComputer, Malwarebytes