Download Now
Home
/
Blog

Aurora: The Dark Dawn and its Menacing Effects

March 23, 2023

Aurora Stealer a non-friendly program in your neighborhood is developed in Go-lang. The malware was developed for threat actors to steal victims' sensitive data. Since its initial release, there have been many adaptations to the malware. It started as a botnet having info-stealer capabilities but currently it is a full-time info-stealer which is being sold by the threat actor labelled Cheshire on Russian speaking dark-net forums mentioned by cybersecurity firm Sekoia.

The malware has a knack for stealing the victim's browser data including cookies, passwords, login data and many more. It has the horizon to steal data from most browsers. The stealer also targets crypto wallets to pilfer victim's data. The malware does not stop here, it can exfiltrate files and data stored in different software from the victim's machine. Once all the super-sensitive data is possessed by the stealer it delivers the data to the attacker.

Operating Model

Aurora Stealer Attack Chain
Figure1: Attack Chain of Aurora Stealer

The malware is being spread among victims in the hospitality industry through phishing emails as seen by Trendmirco. Besides phishing campaigns, the threat actors also have utilized SEO poisoning technique to deliver the malware via malicious ads of notepad++ according to SANS finding.

Upon the detonation of the malware, our observations revealed the implementation of multiple sophisticated techniques by the malware to evade detection by antivirus software. One such technique involved the incorporation of binary padding, resulting in an increase in the file size allowing the malware to circumvent the antivirus software and evade detection.

Aurora Stealer - Fake Adobe Acrobat Installer Downloaded from SEO Poisoning Campaign
Figure2:  Fake Adobe Acrobat Installer Downloaded from SEO Poisoning Campaign

After successful infiltration, the malware utilizes Windows Management Instrumentation (WMI) commands to gather pertinent system information. This behavior was consistently observed in all samples of Aurora stealer that we  analyzed. Additionally, independent research conducted by Cyble and other industry experts has reported this observation.

WMI Commands
Figure2.1 : WMI Commands getting Executed

We also captured Aurora stealer's actions that were aimed at extracting sensitive information from files and folders located in various browsers, cryptocurrency wallets, and drives, as illustrated below.

Aurora Stealer - Stealing Browser and Crypto Data
Figure3: Stealing Browser and Crypto Data

Aurora leverages PowerShell to facilitate the execution of its second stage, employing the following command:

powershell "" "start-process C:\Users\Admin\AppData\Local\Temp\BK2c7L9Si8.exe"

During the second stage of Aurora, an entry to the "run keys" in the registry was observed, enabling the malware to automatically execute its third stage DLL via RUNDLL32.exe at each user login.

Aurora Stealer - Run Key Added for DLL Execution
Figure4: Run Key Added for DLL Execution

The third stage of the malware executes an encoded PowerShell command allowing it to delay execution for certain duration using the following command before it exfiltrates the data to the attacker.

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwA0AA==

Once all the data and information are collected, the malware employs advanced encoding techniques to conceal the information and prepare it for shipment to the attacker over the C2 channel. The attacker can retrieve the encoded data and use it for nefarious purposes, such as identity theft or financial fraud.

Aurora Stealer - C2 Panel
Figure5: C2 Panel; source: twitter

Detection

The infernal behavior of this malware can be detected using SIGMA rules.  
To begin with, we attribute different WMI commands getting executed in sequence to detect Aurora Stealer malware.

logsource:
 category: process_creation
 product: windows
detection:
 selection:
 Image|endswith: '\wmic.exe'
 CommandLine|contains: 
 - 'wmic os get Caption'
 - 'wmic path win32_VideoController get name'
 - 'wmic cpu get name'
 condition: selection

One detection would be to capture changes in ‘run key’ registry which execute DLL using RUNDLL32.exe

logsource:
 product: windows
 category: registry_set
detection:
 selection:
 EventType: SetValue
 TargetObject|contains: '\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce'
 Details|re: .*rundll32.exe.C:\\\\Windows\\\\system32\\\\advpack.dll,DelNodeRunDLL32 \\"C:\\\\Users\\\\.*\\AppData\\\\Local\\\\Temp\\\\IXP[0-9]{1,3}.TMP.*
 condition: selection

Based on the general behavior followed by Aurora and different malwares, we have developed several detection methods. We also observed changes in the configuration of Windows Defender, where the path ‘C:\Program Data’ is excluded.

logsource:
 product: windows
 category: registry_set
detection:
 selection:
 EventType: SetValue
 TargetObject|contains: '\Microsoft\Windows Defender\Exclusions'
 Details: 'C:\Program Data\'
 condition: selection

Another detection would be by tracing event id `5007`, which can be activated by enabling Windows Defender operation logs. This particular event is triggered whenever there is a modification made to the configuration of Microsoft Defender Antivirus.

logsource: product: windows service: windefend detection: selection: EventID: 5007 NewValue|contains: 'C:\Program Data\' condition: selection

Additionally, one clever way to detect this malware is to monitor the execution of obfuscated PowerShell commands.

The same campaign can be detected using OSQUERY rules. Below are some rules that will help you keep your organization safe.

query_wmic:
    SELECT name,
           pid,
           cmdline,
           path,
           parent
    FROM processes
    WHERE LOWER(name) = 'wmic.exe'
    AND
    (
      cmdline LIKE '%OS Get Caption%'
      OR cmdline LIKE '%path win32_VideoController get name%'
      OR cmdline LIKE '%cpu get name%'
    );
 query_regsitry:
    SELECT key,
           path,
           name,
           type,
           data
    FROM registry
    WHERE path LIKE 'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\%'
    AND data LIKE '%rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 "C:\\Users\\%\\AppData\\Local\\Temp\\IXP%.TMP\\%';
query_exclusion:
    SELECT key,
           path,
           name,
           type,
           data
    FROM registry
    WHERE path LIKE 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\%'
    AND
    (
      data LIKE '%c:\programdata%'
      OR data LIKE '%\appdata\roaming\microsoft\windows\start menu\programs\startup%'

For more threat analytics reach us here.

The above rules have been vindicated by simulating Aurora stealer in a sandbox environment.

MITRE ATT&CK Techniques

Tactic Technique ID Technique Name
Execution T1204
T1059.001
T1059.003
T1047		 User Execution
Command and Scripting Interpreter: PowerShell
Command and Scripting Interpreter: Windows Command Shell
Windows Management Instrumentation
Persistence T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Defense Evasion T1562.001
T1027
T1218.011
T1497		 Impair Defenses
Obfuscated Files or Information  
System Binary Proxy Execution: Rundll32
Virtualization/Sandbox Evasion
Credential Access T1555.003
T1056
T1003
T1528
T1539
T1552.002		 Credentials from Password Stores: Credentials from Web Browsers 
Input Capture
OS Credential Dumping
Steal Application Access Token
Steal Web Session Cookie
Credentials in Registry
Discovery T1087
T1083
T1012
T1082
T1518.001
T1614
T1497		 Account Discovery
File and Directory Discovery
Query Registry
System Information Discovery
Software Discovery: Security Software Discovery
System Location Discovery
Virtualization/Sandbox Evasion
Collection T1119
T1005
T1056
T1113		 Automated Collection
Data from Local System
Input Capture
Screen Capture    
Command and Control T1071.001
T1105
T1095
T1571		 Application Layer Protocol: Web Protocols
Ingress Tool Transfer
Non-Application Layer Protocol
Non-Standard Port

Threat Bites

Threat Actor : Unknown
Targeted Country : Worldwide
Targeted Industry : Hotels
First Seen : April 2022
Last Seen : March 2023
LOLBAS : Wmic, Reg, Rundll32
Telemetry : Sysmon, Security, Windefend, PowerShell
Samples : https://tria.ge/230118-f1ewcaac94/behavioral1

References

Get Notified

BLOGS AND RESOURCES

Latest Articles
MCSB Deep Dive: Securing Azure with Microsoft Cloud Security Benchmark

March 26, 2026

Vulnerability Management Tools and Process: A Practitioner's Guide to Staying Ahead of Threats

March 26, 2026

Security Controls in Cybersecurity: A Complete Guide to MCSB, CIS, and NIST Frameworks

March 24, 2026

View all our articles →
By using this website, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.
Accept
Green Plus icon
Cybersecurity Solutions
Vulnerability IntelligenceSecurity & Threat Intelligence IntegrationsVulnerability & Configuration ManagementConnector Development IntegrationOSS - Software Composition AnalysisOSS - Dependancy DefenceOSS - Zero-Day DiscoveryThreat IntelligenceExternal Attack Surface DiscoveryCloud Security Posture ManagementCloud Workload Protection
IT Solutions
Data Science Engineering ServicesSoftware Development  & SupportQA AutomationStaff Augmentation
Platforms
LOVICytellite
Company
About usBlogsReportsCase StudiesWebinarsGlossaryCareers
Research
Research-as-a -ServiceZero-Day Discovery
1-703-956-7410info@loginsoft.com
© 2026 - Copyright
Privacy policy