Cybersecurity researchers have detailed the inner workings of a highly evasive loader named "in2al5d p3in4er" (read: invalid printer) that is used to deliver the Aurora information stealer malware.
"The in2al5d p3in4er loader is compiled with Embarcadero RAD Studio and targets endpoint workstations using advanced anti-VM (virtual machine) technique," cybersecurity firm Morphisec said in a report shared with The Hacker News.
Aurora is a Go-based information stealer that emerged on the threat landscape in late 2022. Offered as a commodity malware to other actors, it is distributed through YouTube videos and SEO-poisoned fake cracked software download websites.
Clicking the links present in YouTube video descriptions redirects the victim to decoy websites where they are enticed into downloading the malware under the guise of a seemingly legitimate utility.
The loader analyzed by Morphisec is designed to query the vendor ID of the graphics card installed on a system and compare it against a set of allowlisted vendor IDs (AMD, Intel, or NVIDIA). If the value does not match, the loader terminates itself. The check works as an anti-VM measure because many virtual machines and sandboxes expose an emulated display adapter from the hypervisor vendor rather than a physical GPU from one of those three vendors.
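The following Python model of that allowlist check is an added example, not code from Morphisec's report or from the loader itself. It assumes the vendor ID is read from a Windows PNPDeviceID string of the form `PCI\VEN_xxxx&DEV_xxxx...` (the format exposed by WMI's `Win32_VideoController.PNPDeviceID`); the three allowlisted IDs are the public PCI vendor IDs for AMD, Intel and NVIDIA, and the adapter lists at the bottom are constructed samples rather than captures from real machines.

```python
import re
from typing import Iterable, Optional

# Public PCI vendor IDs for the three vendors the report says are allowlisted.
ALLOWED_GPU_VENDORS = {
    0x1002: "AMD",
    0x8086: "Intel",
    0x10DE: "NVIDIA",
}

_VEN_RE = re.compile(r"VEN_([0-9A-Fa-f]{4})")


def parse_vendor_id(pnp_device_id: str) -> Optional[int]:
    """Extract the PCI vendor ID from a Windows PNPDeviceID string such as
    'PCI\\VEN_10DE&DEV_1C82&SUBSYS_...'. Returns None for adapters that are
    not enumerated on PCI (e.g. the Microsoft Basic Display Adapter)."""
    m = _VEN_RE.search(pnp_device_id)
    return int(m.group(1), 16) if m else None


def loader_would_run(pnp_device_ids: Iterable[str]) -> bool:
    """Model of the loader's decision described in the report: continue only
    if at least one display adapter reports an allowlisted vendor ID;
    otherwise the loader terminates itself."""
    return any(parse_vendor_id(d) in ALLOWED_GPU_VENDORS for d in pnp_device_ids)


# Constructed sample adapter lists (assumed/illustrative, not real captures).
PHYSICAL_HOST = ["PCI\\VEN_10DE&DEV_1C82&SUBSYS_11C81462&REV_A1\\4&2F1B3E7&0&0008"]
VMWARE_GUEST = ["PCI\\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\\3&61AAA01&0&78"]   # VMware SVGA
VBOX_GUEST = ["PCI\\VEN_80EE&DEV_BEEF&SUBSYS_00000000&REV_00\\3&267A616A&0&10"]   # VirtualBox graphics
BASIC_DISPLAY_ONLY = ["ROOT\\BASICDISPLAY\\0000"]                                  # no PCI vendor at all


if __name__ == "__main__":
    for label, adapters in [("physical host", PHYSICAL_HOST), ("VMware guest", VMWARE_GUEST),
                            ("VirtualBox guest", VBOX_GUEST), ("basic display only", BASIC_DISPLAY_ONLY)]:
        print(f"{label:20s} -> loader runs: {loader_would_run(adapters)}")
```

On a real Windows host the same field is available with `Get-CimInstance Win32_VideoController | Select-Object PNPDeviceID`. The caveat for defenders is that the check is only as good as the hypervisor's default hardware: a sandbox that passes through a physical GPU, or that reports an AMD/Intel/NVIDIA vendor ID for its emulated adapter, will be treated as a real workstation, and an analyst detonating a sample can simply patch or flip the comparison branch.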
The loader ultimately decrypts the final payload and injects it into a legitimate process called "sihost.exe" using a technique called process hollowing. Alternatively, some loader samples also allocate memory to write the decrypted payload and invoke it from there.
"During the injection process, all loader samples resolve the necessary Win APIs dynamically and decrypt these names using a XOR key: 'in2al5d p3in4er,'" security researchers Arnold Osipov and Michael Dereviashkin said.
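As an added example of what that name decryption and its analysis look like (not code from the report or from the loader), the Python below XOR-decrypts obfuscated API names with the quoted key and shows how an analyst checks a candidate key or recovers one from known plaintext. It assumes a repeating-key XOR over each name; the report gives the key but not the exact scheme, so that layout is an assumption. The list of export names is a constructed sample of the calls a process-hollowing loader typically resolves, encrypted here with the key so the block runs offline; it is not the loader's actual string table.

```python
import string
from itertools import cycle
from typing import Iterable, List

# Key quoted in the Morphisec report.
XOR_KEY = b"in2al5d p3in4er"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. ASSUMPTION: the loader repeats the key across each
    name (the report does not state the exact scheme). XOR is its own inverse,
    so the same function encrypts and decrypts."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


# Constructed sample: export names a process-hollowing loader typically resolves.
# Encrypted here with the key so the example runs offline; not the loader's table.
PLAINTEXT_NAMES = [
    b"CreateProcessW", b"NtUnmapViewOfSection", b"VirtualAllocEx",
    b"WriteProcessMemory", b"GetThreadContext", b"SetThreadContext", b"ResumeThread",
]
ENCRYPTED_NAMES = [xor_bytes(n, XOR_KEY) for n in PLAINTEXT_NAMES]

_NAME_CHARS = set((string.ascii_letters + string.digits + "_").encode())


def looks_like_export_name(b: bytes) -> bool:
    """Heuristic for a Win32 export name: non-empty, starts with a letter,
    and contains only [A-Za-z0-9_]."""
    return bool(b) and b[0] in string.ascii_letters.encode() and all(c in _NAME_CHARS for c in b)


def decrypt_names(blobs: Iterable[bytes], key: bytes = XOR_KEY) -> List[str]:
    """Decrypt every obfuscated name with the given key."""
    return [xor_bytes(b, key).decode("ascii", errors="replace") for b in blobs]


def score_key(blobs: List[bytes], key: bytes) -> float:
    """Fraction of blobs that decrypt to plausible export names under `key`.
    1.0 means the candidate key explains every blob; a wrong key yields
    non-identifier garbage for most of them."""
    if not blobs:
        return 0.0
    hits = sum(looks_like_export_name(xor_bytes(b, key)) for b in blobs)
    return hits / len(blobs)


def recover_key(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """Known-plaintext recovery: if a blob is known to decrypt to a given
    name, XOR-ing ciphertext and plaintext yields the key bytes that cover
    that name's length (here 14 of the 15 key bytes from 'VirtualAllocEx')."""
    return bytes(c ^ p for c, p in zip(ciphertext, known_plaintext))


if __name__ == "__main__":
    print("decrypted:", decrypt_names(ENCRYPTED_NAMES))
    print("score with real key:", score_key(ENCRYPTED_NAMES, XOR_KEY))
    print("score with wrong key:", score_key(ENCRYPTED_NAMES, b"wrongkey"))
    print("recovered key prefix:", recover_key(ENCRYPTED_NAMES[2], b"VirtualAllocEx"))
```

The practical value of `score_key` and `recover_key` is that the key is often visible in the binary as a plain string (as it is here, where it doubles as the loader's name), but when it is not, a single guessed import such as `VirtualAllocEx` or `WriteProcessMemory` is enough to pull most of the key out of an encrypted name table, after which the remaining names fall out and the dynamically resolved imports can be reconstructed for the report.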
Another crucial aspect of the loader is its use of Embarcadero RAD Studio to generate executables for multiple platforms, thereby enabling it to evade detection.
"Those with the lowest detection rate on VirusTotal are compiled using 'BCC64.exe,' a new Clang-based C++ compiler from Embarcadero," the Israeli cybersecurity company said, pointing out its ability to evade sandboxes and virtual machines.
"This compiler uses a different code base such as 'Standard Library' (Dinkumware) and 'Runtime Library' (compiler-rt) and generates optimized code which changes the entry point and execution flow. This breaks security vendors' indicators, such as signatures composed from 'malicious/suspicious code block.'"
In a nutshell, the findings show that the threat actors behind in2al5d p3in4er are leveraging social engineering techniques for a high-impact campaign that employs YouTube as a malware distribution channel and directs viewers to convincing-looking fake websites to distribute the stealer malware.
The development comes as Intel 471 unearthed another malware loader, AresLoader, that is marketed for $300/month as a service for criminal actors to push information stealers disguised as popular software using a binder tool. The loader is suspected to be developed by a group with ties to Russian hacktivism.