
Fake In-browser Windows Updates Push Aurora Info-stealer Malware

Posted on 10 May at 7:31 am

A recently spotted malvertising campaign tricked users with an in-browser Windows update simulation to deliver the Aurora information stealing malware.

Written in Golang, Aurora has been available on various hacker forums for more than a year, advertised as an info stealer with extensive capabilities and low antivirus detection.

According to researchers at Malwarebytes, the malvertising operation relies on popunder ads served on high-traffic adult content websites, which redirect potential victims to a malware-serving location.

Not a Windows update

Popunder ads are cheap ‘pop-up’ ads that launch behind the active browser window, staying hidden from the user until they close or move the main browser window.

In December last year, Google reported that popunders were used in an ad fraud campaign that amassed hundreds of thousands of visitors and tens of millions of fraudulent ad impressions.

The more recent campaign spotted by Malwarebytes has a much lower impact, with close to 30,000 users redirected, almost 600 of whom downloaded and installed the data-stealing malware on their systems.

However, the threat actor added an imaginative twist: the popunder renders a full-screen browser window that simulates a Windows system update screen.

[Figure: Fake Windows update (Malwarebytes)]

The researchers tracked more than a dozen domains used in the campaign to serve the fake Windows update screen, many of them with names that appear to impersonate adult websites.


All of them served a file named “ChromeUpdate.exe” for download, which gives away the deception behind the full-screen “Windows update” browser window; even so, some users were still tricked into running the malicious executable.
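The mismatch the article points out, a browser download named like an updater, is a usable triage signal. The following is an added example, not code from the Malwarebytes report or from this post: a small Python check over constructed file-creation events (process name, written path, source URL) that flags executables written by a browser process whose filename mimics a browser or Windows updater. The event format, process list and URLs are assumptions made for illustration.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Processes that write user-initiated downloads to disk (assumed list).
BROWSER_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}

# Filenames that claim to be a browser or Windows updater, e.g. "ChromeUpdate.exe".
# Genuine update pipelines (GoogleUpdate, Windows Update) do not arrive as a
# file the browser itself saves to the Downloads folder.
UPDATE_LURE = re.compile(r"^(chrome|edge|firefox|windows|win)[-_ ]?updat(e|er)\.exe$", re.IGNORECASE)


@dataclass
class DownloadEvent:
    process: str     # process that created the file
    path: str        # full path of the created file
    source_url: str  # URL the file came from (browser history / Zone.Identifier), "" if unknown


def refang(url):
    # Indicators are often shared defanged ("hxxp://host[.]tld"); restore them before parsing.
    return url.replace("hxxp", "http").replace("[.]", ".")


def is_update_lure(event):
    name = event.path.rsplit("\\", 1)[-1]
    if event.process.lower() not in BROWSER_PROCESSES:
        return False  # written by something other than a browser: not a user download
    return UPDATE_LURE.match(name) is not None


def triage(events):
    # Returns (path, source host) for every event that looks like a fake-updater download.
    hits = []
    for e in events:
        if is_update_lure(e):
            host = urlparse(refang(e.source_url)).hostname or "unknown"
            hits.append((e.path, host))
    return hits


# Constructed sample events: one lure, one legitimate Chrome install, one ordinary download.
SAMPLE_EVENTS = [
    DownloadEvent("chrome.exe", r"C:\Users\alice\Downloads\ChromeUpdate.exe",
                  "hxxp://fake-update-lure[.]example/ChromeUpdate.exe"),
    DownloadEvent("GoogleUpdate.exe", r"C:\Program Files\Google\Update\chrome_installer.exe", ""),
    DownloadEvent("chrome.exe", r"C:\Users\alice\Downloads\report.pdf", "https://intranet.example/report.pdf"),
]

if __name__ == "__main__":
    for path, host in triage(SAMPLE_EVENTS):
        print(f"suspicious updater download: {path} from {host}")
```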

[Figure: Downloaded file (Malwarebytes)]

New malware loader

The alleged Chrome updater is a so-called “fully undetectable” (FUD) malware loader named ‘Invalid Printer’ that appears to be used exclusively by this particular threat actor.

Malwarebytes says that when its analysts discovered ‘Invalid Printer,’ no antivirus engines on VirusTotal flagged it as malicious. Detection started to pick up a few weeks later, though, following the publication of a relevant report from Morphisec.

[Figure: Malware loader code snippet (Malwarebytes)]

Invalid Printer first checks the host’s graphics card to determine whether it is running on a virtual machine or in a sandbox environment. If it is not, it unpacks and launches a copy of the Aurora information stealer, the researchers found.

[Figure: Payload carried by ‘Invalid Printer’ (Malwarebytes)]

Malwarebytes comments that the threat actor behind this campaign appears to be particularly interested in creating hard-to-detect tools, constantly uploading new samples to VirusTotal to check how they fare against detection engines.

Jérôme Segura, director of threat intelligence at Malwarebytes, noticed that every time a new sample was first submitted to Virus Total it came from a user in Turkey and that “in many instances the file name looked like it had come fresh from the compiler (i.e. build1_enc_s.exe).”

[Figure: VirusTotal uploads from the threat actor (Malwarebytes)]

Further investigation revealed that the threat actor also uses an Amadey panel, potentially indicating the use of the well-documented reconnaissance and malware loading tool, and also runs tech support scams targeting Ukrainians.

Malwarebytes provides a technical analysis of the malware installation and behavior along with a set of indicators of compromise that companies and security vendors can use to defend their users.
