Created by: sharat87

Date created: 2023-01-06

Last edited: 2023-01-24

Description: Aurora is an information stealer advertised on underground forums beginning in September 2022 (it was previously advertised in a different form, as a botnet with different functionality, beginning in July 2022). Multiple “teams” are associated with its distribution. Initial infection vectors include a phishing site impersonating a cryptocurrency wallet platform (based on the site’s appearance) and compromised social media channels, which advertised links to malicious sites impersonating a fictitious “free software” platform (based on the site’s appearance and domain name).

Techniques (28)

  • Account Discovery

    ID: T1087

    Tactics: Discovery

    Description: https://blog.cyble.com/2023/01/18/aurora-a-stealer-using-shapeshifting-tactics/

  • Application Layer Protocol

    ID: T1071

    Tactics: Command and Control

    Description: https://blog.cyble.com/2023/01/18/aurora-a-stealer-using-shapeshifting-tactics/

  • Automated Collection

    ID: T1119

    Tactics: Collection

    Description: https://blog.sekoia.io/aurora-a-rising-stealer-flying-under-the-radar/

  • Command and Scripting Interpreter

    ID: T1059

    Tactics: Execution

    Description: https://blog.cyble.com/2023/01/18/aurora-a-stealer-using-shapeshifting-tactics/

  • Credentials from Web Browsers

    ID: T1555.003

    Tactics: Credential Access

    Description: https://blog.sekoia.io/aurora-a-rising-stealer-flying-under-the-radar/

  • Credentials in Registry

    ID: T1552.002

    Tactics: Credential Access

    Description: https://blog.cyble.com/2023/01/18/aurora-a-stealer-using-shapeshifting-tactics/

  • Data from Local System

    ID: T1005

    Tactics: Collection

    Description: https://blog.sekoia.io/aurora-a-rising-stealer-flying-under-the-radar/, https://blog.cyble.com/2023/01/18/aurora-a-stealer-using-shapeshifting-tactics/

  • Deobfuscate/Decode Files or Information

    ID: T1140

    Tactics: Defense Evasion

    Description: https://blog.sekoia.io/aurora-a-rising-stealer-flying-under-the-radar/

  • Exfiltration Over C2 Channel

    ID: T1041

    Tactics: Exfiltration

    Description: https://blog.sekoia.io/aurora-a-rising-stealer-flying-under-the-radar/

  • File and Directory Discovery

    ID: T1083

    Tactics: Discovery

    Description: https://blog.sekoia.io/aurora-a-rising-stealer-flying-under-the-radar/, https://blog.cyble.com/2023/01/18/aurora-a-stealer-using-shapeshifting-tactics/

  • Ingress Tool Transfer

    ID: T1105

    Tactics: Command and Control

    Description: https://blog.sekoia.io/aurora-a-rising-stealer-flying-under-the-radar/

  • Input Capture

    ID: T1056

    Tactics: Credential Access, Collection

    Description: https://blog.cyble.com/2023/01/18/aurora-a-stealer-using-shapeshifting-tactics/

  • Non-Application Layer Protocol

    ID: T1095

    Tactics: Command and Control

    Description: https://blog.cyble.com/2023/01/18/aurora-a-stealer-using-shapeshifting-tactics/

  • Non-Standard Port

    ID: T1571

    Tactics: Command and Control

    Description: https://blog.sekoia.io/aurora-a-rising-stealer-flying-under-the-radar/

  • Obfuscated Files or Information

    ID: T1027

    Tactics: Defense Evasion

    Description: https://blog.sekoia.io/aurora-a-rising-stealer-flying-under-the-radar/, https://blog.cyble.com/2023/01/18/aurora-a-stealer-using-shapeshifting-tactics/

  • OS Credential Dumping

    ID: T1003

    Tactics: Credential Access

    Description: https://blog.cyble.com/2023/01/18/aurora-a-stealer-using-shapeshifting-tactics/

  • Query Registry

    ID: T1012

    Tactics: Discovery

    Description: https://blog.sekoia.io/aurora-a-rising-stealer-flying-under-the-radar/

  • Screen Capture

    ID: T1113

    Tactics: Collection

    Description: https://blog.sekoia.io/aurora-a-rising-stealer-flying-under-the-radar/

  • Software Discovery

    ID: T1518

    Tactics: Discovery

    Description: https://blog.cyble.com/2023/01/18/aurora-a-stealer-using-shapeshifting-tactics/

  • Steal Application Access Token

    ID: T1528

    Tactics: Credential Access

    Description: https://blog.cyble.com/2023/01/18/aurora-a-stealer-using-shapeshifting-tactics/

  • Steal Web Session Cookie

    ID: T1539

    Tactics: Credential Access

    Description: https://blog.sekoia.io/aurora-a-rising-stealer-flying-under-the-radar/

  • System Information Discovery

    ID: T1082

    Tactics: Discovery

    Description: https://blog.sekoia.io/aurora-a-rising-stealer-flying-under-the-radar/, https://blog.cyble.com/2023/01/18/aurora-a-stealer-using-shapeshifting-tactics/

  • System Location Discovery

    ID: T1614

    Tactics: Discovery

    Description: https://blog.sekoia.io/aurora-a-rising-stealer-flying-under-the-radar/

  • User Execution

    ID: T1204

    Tactics: Execution

    Description: https://blog.cyble.com/2023/01/18/aurora-a-stealer-using-shapeshifting-tactics/

  • Virtualization/Sandbox Evasion

    ID: T1497

    Tactics: Defense Evasion, Discovery

    Description: https://blog.cyble.com/2023/01/18/aurora-a-stealer-using-shapeshifting-tactics/

  • Web Protocols

    ID: T1071.001

    Tactics: Command and Control

    Description: https://blog.sekoia.io/aurora-a-rising-stealer-flying-under-the-radar/

  • Windows Command Shell

    ID: T1059.003

    Tactics: Execution

    Description: https://blog.sekoia.io/aurora-a-rising-stealer-flying-under-the-radar/

  • Windows Management Instrumentation

    ID: T1047

    Tactics: Execution

    Description: https://blog.sekoia.io/aurora-a-rising-stealer-flying-under-the-radar/, https://blog.cyble.com/2023/01/18/aurora-a-stealer-using-shapeshifting-tactics/