YouTube Videos Distributing Aurora Stealer Malware Via Highly Evasive Loader
Cybersecurity researchers have detailed the inner workings of a highly evasive loader named “in2al5d p3in4er” (read: invalid printer) that’s used to deliver the Aurora information stealer malware.
“The in2al5d p3in4er loader is compiled with Embarcadero RAD Studio and targets endpoint workstations using advanced anti-VM (virtual machine) technique,” cybersecurity firm Morphisec said in a report shared with The Hacker News.
Aurora is a Go-based information stealer that emerged on the threat landscape in late 2022. Offered as a commodity malware to other actors, it's distributed through YouTube videos and SEO-poisoned fake cracked-software download websites.
When victims click on links in YouTube video descriptions, they are taken to fake websites where they are tricked into downloading malware disguised as a useful app.
Morphisec found that the loader queries the graphics card vendor ID and compares it to a list of approved vendors (AMD, Intel, and NVIDIA). If the vendor ID is not on that list, the loader exits.
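An allowlist of GPU vendors like this is a cheap sandbox check: most analysis VMs expose a virtual display adapter whose PCI vendor ID belongs to the hypervisor vendor, so the loader exits before the sandbox records anything. The following added example (not code from the loader or from the Morphisec report) lets a sandbox operator check whether an analysis host's display adapters would pass such a check. The PCI vendor IDs are public PCI-SIG assignments; the PNPDeviceID strings are constructed, and the assumption that the check is equivalent to looking at the PCI vendor ID is ours, since the article does not say how the loader performs the query.

```python
# Added example, not from the Morphisec report: classify a host's display
# adapters against a GPU vendor allowlist of the kind the article describes.
# The PNP device ID format and the vendor IDs below are standard PCI facts;
# how the loader itself obtains the vendor ID is not stated on the page.
import re

# Public PCI vendor IDs of the three approved GPU vendors named in the article.
APPROVED_GPU_VENDORS = {
    0x1002: "AMD",
    0x8086: "Intel",
    0x10DE: "NVIDIA",
}

# Public PCI vendor IDs of virtual display adapters commonly seen in sandboxes.
KNOWN_VIRTUAL_VENDORS = {
    0x15AD: "VMware",
    0x80EE: "VirtualBox",
    0x1234: "QEMU/Bochs",
    0x1AF4: "Red Hat (virtio)",
}

_VEN_RE = re.compile(r"VEN_([0-9A-Fa-f]{4})")


def pci_vendor_from_pnp_id(pnp_device_id: str):
    """Extract the 16-bit PCI vendor ID from a Windows PNPDeviceID string such as
    'PCI\\VEN_10DE&DEV_1C82&...'. Returns None for non-PCI adapters (for example
    Hyper-V synthetic video, which is enumerated under 'VMBUS\\...')."""
    m = _VEN_RE.search(pnp_device_id)
    return int(m.group(1), 16) if m else None


def classify_adapter(pnp_device_id: str) -> str:
    """Human-readable verdict for a single adapter."""
    vid = pci_vendor_from_pnp_id(pnp_device_id)
    if vid in APPROVED_GPU_VENDORS:
        return f"passes allowlist ({APPROVED_GPU_VENDORS[vid]})"
    if vid in KNOWN_VIRTUAL_VENDORS:
        return f"fails allowlist: virtual adapter ({KNOWN_VIRTUAL_VENDORS[vid]})"
    if vid is None:
        return "fails allowlist: no PCI vendor ID"
    return f"fails allowlist: unknown vendor 0x{vid:04X}"


def sandbox_would_be_detected(pnp_device_ids) -> bool:
    """True when none of the host's display adapters carries an approved vendor
    ID, i.e. a loader applying this check would exit without detonating and the
    sandbox run would show nothing useful."""
    return not any(
        pci_vendor_from_pnp_id(p) in APPROVED_GPU_VENDORS for p in pnp_device_ids
    )


# Constructed sample PNPDeviceID strings (not captured from any real host).
SAMPLE_VMWARE_VM = ["PCI\\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\\3&11583659&0&78"]
SAMPLE_HYPERV_VM = ["VMBUS\\{DA0A7802-E377-4AAA-8E77-0558EB1073F8}\\{5620E0C7-8062-4DCE-AEB7-520C7EF76171}"]
SAMPLE_WORKSTATION = ["PCI\\VEN_10DE&DEV_1C82&SUBSYS_11C210DE&REV_A1\\4&2A7B3C1D&0&0008"]

if __name__ == "__main__":
    for label, ids in [("VMware VM", SAMPLE_VMWARE_VM),
                       ("Hyper-V VM", SAMPLE_HYPERV_VM),
                       ("workstation", SAMPLE_WORKSTATION)]:
        print(label, "->", [classify_adapter(i) for i in ids],
              "| loader would exit:", sandbox_would_be_detected(ids))
```

On a live Windows analysis host the PNPDeviceID strings can be collected with `Get-CimInstance Win32_VideoController | Select-Object PNPDeviceID` and fed to `sandbox_would_be_detected`; a `True` result means the sandbox needs a passthrough GPU or a spoofed vendor ID before samples of this family will run to the payload stage.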
After decrypting the payload, the loader injects it into a legitimate process called "sihost.exe" via a technique called process hollowing. Other loader samples instead allocate memory for the decrypted payload and call into it when needed.
"During the injection process, all loader samples resolve the necessary Win APIs dynamically and decrypt these names using a XOR key: 'in2al5d p3in4er'," security researchers Arnold Osipov and Michael Dereviashkin said.
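Storing API names XOR-encrypted with a short ASCII key is a common way to keep the import table and string dump free of telltale names. When analysing such a sample, the defender's job is the reverse operation. The following added example (not code from the loader or from the Morphisec report) shows the two routines an analyst typically needs: decrypting a blob of NUL-separated names with a known key, and recovering the key from a known-plaintext guess when the key is not yet known. The key string is the one quoted above; the encrypted blob is constructed here from generic API names, and the storage layout (key applied cyclically across the whole blob, names NUL-terminated) is an assumption, not something the article states.

```python
# Added example, not from the loader or the Morphisec report: recover
# XOR-encrypted API names. The key is the one quoted in the article; the
# blob layout (cyclic key over the whole blob, NUL-separated names) is an
# assumption and the plaintext names are constructed for illustration.
XOR_KEY = b"in2al5d p3in4er"


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """XOR `data` with `key` repeated cyclically. XOR is its own inverse, so
    the same routine encrypts and decrypts."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decrypt_api_names(blob: bytes, key: bytes = XOR_KEY) -> list:
    """Decrypt a NUL-separated blob and return the names. Chunks that do not
    look like Windows API identifiers are returned as '<undecodable:hex>' so a
    wrong key or offset is visible instead of silently producing garbage."""
    plain = xor_with_key(blob, key)
    names = []
    for chunk in plain.split(b"\x00"):
        if not chunk:
            continue
        text = chunk.decode("ascii", errors="replace")
        if text.isascii() and text.isidentifier():
            names.append(text)
        else:
            names.append(f"<undecodable:{chunk.hex()}>")
    return names


def recover_key(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """Known-plaintext key recovery for a repeating XOR key: if the analyst
    suspects the blob starts with a particular API name, XORing that guess
    against the ciphertext yields the first len(guess) key bytes. With a guess
    at least as long as the key, the full key falls out; repeating patterns in
    the result reveal the key length."""
    n = min(len(ciphertext), len(known_plaintext))
    return bytes(c ^ p for c, p in zip(ciphertext[:n], known_plaintext[:n]))


# Constructed sample: generic API names, NUL-terminated, encrypted with the key.
# These are NOT the names used by the real loader, which the article does not list.
SAMPLE_PLAINTEXT_NAMES = ["LoadLibraryA", "GetProcAddress"]


def make_sample_blob() -> bytes:
    plain = b"".join(n.encode("ascii") + b"\x00" for n in SAMPLE_PLAINTEXT_NAMES)
    return xor_with_key(plain, XOR_KEY)


if __name__ == "__main__":
    blob = make_sample_blob()
    print("ciphertext:", blob.hex())
    print("decrypted :", decrypt_api_names(blob))
    # Pretend the key is unknown and we only guess the first name.
    print("key bytes recovered from guess:", recover_key(blob, b"LoadLibraryA"))
```

The known-plaintext recovery is what makes this useful in practice: once a few leading key bytes are recovered, the remaining key bytes can be brute-forced or guessed from the printable ASCII constraint, and the recovered key then becomes a static indicator that is far more stable than a code-block signature, which is exactly the kind of indicator the compiler change discussed below is meant to break.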
Another crucial aspect of the loader is its use of Embarcadero RAD Studio to generate executables for multiple platforms, thereby enabling it to evade detection.
“Those with the lowest detection rate on VirusTotal are compiled using ‘BCC64.exe,’ a new Clang based C++ compiler from Embarcadero,” the Israeli cybersecurity company said, pointing out its ability to evade sandboxes and virtual machines.
"This compiler uses a different code base such as 'Standard Library' (Dinkumware) and 'Runtime Library' (compiler-rt) and generates optimized code which changes the entry point and execution flow. This breaks security vendors' indicators, such as signatures composed from 'malicious/suspicious code block'."
The research summarizes that the threat actors behind in2al5d p3in4er are using social engineering techniques in a high-impact effort to spread the malware via YouTube and trick users into visiting malicious but plausible-looking fake websites.
Intel 471 recently discovered another malware loader called AresLoader, which is advertised as a service for criminal actors to push information stealers disguised as popular applications using a binder tool. The service costs $300 per month. It is believed that a gang with ties to Russian hacktivism created the loader.
Some of the prominent malware families spread using AresLoader since January 2023 include Aurora Stealer, Laplas Clipper, Lumma Stealer, Stealc, and SystemBC.