Fake In-Browser Windows Updates Push Aurora Info-Stealer Malware

Cyber Security Threat Summary:
A malvertising campaign was recently detected using an in-browser Windows update simulation to deceive users and distribute the Aurora information-stealing malware. Aurora, which is written in Go (Golang), has been advertised on hacker forums for over a year as a highly capable info stealer with low antivirus detection rates. The campaign, as reported by Malwarebytes researchers, relies on popunder ads on high-traffic adult content websites to redirect unsuspecting users to a location where they are served the malware.

“Popunder ads are cheap ‘pop-up’ ads that launch behind the active browser window, staying hidden from the user until they close or move the main browser window. In December last year, Google reported that popunders were used in an ad fraud campaign that amassed hundreds of thousands of visitors and tens of millions of fraudulent ad impressions. The more recent one spotted by Malwarebytes has a much lower impact, with close to 30,000 users redirected and almost 600 downloading and installing the data-stealing malware on their systems. However, the threat actor came up with an imaginative idea where the popunder renders a full-screen browser window that simulates a Windows system update screen. The researchers tracked more than a dozen domains used in the campaigns, many of them appearing to impersonate adult websites, that simulated the fake Windows update:

  • activessd[.]ru
  • chistauyavoda[.]ru
  • xxxxxxxxxxxxxxx[.]ru
  • activehdd[.]ru
  • oled8kultra[.]ru
  • xhamster-18[.]ru
  • oled8kultra[.]site
  • activessd6[.]ru
  • activedebian[.]ru
  • shluhapizdec[.]ru
  • 04042023[.]ru
  • clickaineasdfer[.]ru
  • moskovpizda[.]ru
  • pochelvpizdy[.]ru
  • evatds[.]ru
  • click7adilla[.]ru
  • grhfgetraeg6yrt[.]site

All of them served for download a file named "ChromeUpdate.exe," revealing the deception of the full-screen browser screen; however, some users were still tricked into deploying the malicious executable” (Bleeping Computer, 2023). The purported Chrome updater is in fact a malware loader referred to as 'Invalid Printer', which is claimed to be fully undetectable and which appears to be used exclusively by the threat actor behind this campaign.

Security Officer Comments:
According to Malwarebytes, its analysts were the first to uncover Invalid Printer; at that time no antivirus engine on VirusTotal had flagged it as malicious. Detections only began to rise several weeks later, after Morphisec published a report on it. The researchers found that Invalid Printer first inspects the host's graphics card to determine whether it is running inside a virtual machine or sandbox. If it is not, the loader unpacks and launches a copy of the Aurora information stealer. The threat actor behind this campaign is clearly invested in building hard-to-detect tooling and frequently uploads fresh samples to VirusTotal to test how well they evade detection engines. Additionally, the research revealed that the threat actor operates an Amadey panel, which suggests the use of widely known reconnaissance and malware-loading tools, and that the actor also runs tech support scams aimed at Ukrainian targets.

Suggested Correction(s):
Malwarebytes provides a technical analysis of the malware installation and behavior along with a set of indicators of compromise that companies and security vendors can use to defend their users. At a minimum, block the domains listed above at the web proxy or DNS layer and alert on any download of a file named "ChromeUpdate.exe", since the reported payload carried that name on every domain. Users should also be reminded that Windows updates are never delivered through a browser page or as a browser download; a full-screen "update" rendered by a web page is a lure.

Source: https://www.bleepingcomputer.com/ https://www.malwarebytes.com/blog/