A new sophisticated infostealer named AuraStealer is posing a significant threat to Windows users, actively stealing data from over 110 browsers and 70 applications. This malware-as-a-service, developed in C++, operates through a subscription model and has been observed spreading via “Scam-Yourself” campaigns on platforms like TikTok, preying on users seeking free software activations.
The danger of AuraStealer lies in its comprehensive data theft capabilities and advanced evasion techniques. Researchers have detailed its methods for avoiding detection by security software, making it a challenging adversary for cybersecurity professionals. The malware’s reach extends across Windows 7 to Windows 11, highlighting its broad impact.
AuraStealer: A Sophisticated Infostealer Targeting Extensive Data
AuraStealer, a malware-as-a-service, has emerged as a potent threat targeting Windows systems from version 7 through 11. Developed in C++, this infostealer has a build size of 500–700 KB and is designed to exfiltrate data from a vast array of sources. Its customizable configuration system allows it to target information from over 110 different browsers, 70 applications including cryptocurrency wallets and two-factor authentication tools, and more than 250 browser extensions.
The distribution of AuraStealer primarily occurs through deceptive “Scam-Yourself” campaigns, often found on social media platforms like TikTok. These campaigns typically feature tutorial videos that promote free activation or full versions of paid software, luring unsuspecting users into downloading malicious files. Beyond these social media tactics, the malware also spreads through cracked games, malicious software downloads, and employs multi-stage execution flows that utilize custom loaders and DLL sideloading techniques to achieve persistence and evade initial detection.
Operating on a tiered subscription model, AuraStealer is sold to cybercriminals for monthly fees ranging from $295 to $585. The service includes a dedicated web panel for managing stolen data, giving threat actors a streamlined operation. The panel initially supported only Russian and was later updated to include English, which suggests its developers come from Russian-speaking cybercriminal communities.
Advanced Evasion Tactics of AuraStealer
Despite its sophisticated design, AuraStealer has several weaknesses that defenders can turn into detections. Researchers from Gen Digital have nonetheless documented an extensive set of evasion and anti-analysis tactics. Before its main routine runs, AuraStealer performs system checks, including a geolocation check that stops execution in Commonwealth of Independent States (CIS) countries and the Baltic states.
The malware also examines system characteristics such as memory size and processor count to detect virtualized environments. It proceeds only on a machine with at least four processors or more than 200 running processes, thresholds chosen to defeat sandboxes, which typically have limited resources. Furthermore, when a build is executed without the outer packing or obfuscation layer its developers expect distributors to add, it shows a dialog box demanding a randomly generated code. This halts automated sandbox execution of a bare build and forces distributors to wrap the malware in further obfuscation before deployment.
Indirect Control Flow Obfuscation and String Encryption
AuraStealer implements indirect control flow obfuscation by replacing direct jumps and calls with indirect ones. The target addresses for these operations are computed dynamically at runtime. This technique significantly hinders static analysis tools, such as IDA Pro, by presenting disassemblers with fragmented and seemingly unrelated basic blocks of code. The obfuscation mechanism varies, employing patterns from simple arithmetic sums to complex conditional instructions that rely on the return values of preceding function calls to determine target addresses.
To conceal which Windows APIs it uses, AuraStealer resolves imports through exception-driven API hashing. Rather than calling APIs through a normal import table, the malware deliberately triggers access violations; a custom exception handler it installed earlier catches each one, looks up the hash of the wanted function in a precomputed lookup table, and redirects execution to the resolved address. Because no API name and no direct call appears in the code, static analysis and import-based detection become much harder.
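To make the hashed-import scheme concrete, the following is an added example, not AuraStealer's code and not taken from the Gen Digital research. It shows both sides of API hashing: the malware side, which walks a module's export names, hashes each one and returns the address whose hash matches a 32-bit constant, and the analyst side, which precomputes a hash-to-name table from known API names so constants pulled out of the malware's lookup table can be labelled. The ROR13 hash, the export table and the addresses are assumptions for illustration; the article does not state which hash function AuraStealer uses.

```python
from typing import Dict, Iterable, Optional

# Added example: hash-based API resolution and its analyst-side inverse.
# ASSUMPTION: ROR13 is used only because it is the classic shellcode hash;
# AuraStealer's real hash function is not given in the article.

MASK32 = 0xFFFFFFFF


def ror13_hash(name: str) -> int:
    """Rotate the running hash right by 13 and add each ASCII byte (no terminator)."""
    h = 0
    for b in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & MASK32
        h = (h + b) & MASK32
    return h


# Constructed stand-in for a module's export table (name -> address).
# Real code walks IMAGE_EXPORT_DIRECTORY; these addresses are just labels.
FAKE_EXPORTS: Dict[str, int] = {
    "LoadLibraryA": 0x7FF00010,
    "GetProcAddress": 0x7FF00020,
    "VirtualAlloc": 0x7FF00030,
    "CreateFileW": 0x7FF00040,
}


def resolve_by_hash(wanted: int, exports: Dict[str, int] = FAKE_EXPORTS) -> Optional[int]:
    """Malware-side resolution: hash every export name until one matches `wanted`.
    Only the 32-bit constant lives in the binary, never the API name."""
    for name, addr in exports.items():
        if ror13_hash(name) == wanted:
            return addr
    return None


def build_reverse_table(names: Iterable[str]) -> Dict[int, str]:
    """Analyst-side: precompute hash -> name for a list of known API names.
    A collision between two different names would make labelling ambiguous,
    so it is reported rather than silently overwritten."""
    table: Dict[int, str] = {}
    for n in names:
        h = ror13_hash(n)
        if h in table and table[h] != n:
            raise ValueError(f"hash collision {h:#010x}: {table[h]} vs {n}")
        table[h] = n
    return table


def label_hashes(hashes: Iterable[int], names: Iterable[str]) -> Dict[int, str]:
    """Map each constant recovered from a lookup table to a name, or 'unknown'."""
    rev = build_reverse_table(names)
    return {h: rev.get(h, "unknown") for h in hashes}


if __name__ == "__main__":
    # Constants as they might be read out of a precomputed lookup table.
    recovered = [ror13_hash("VirtualAlloc"), ror13_hash("CreateFileW"), 0xDEADBEEF]
    print(label_hashes(recovered, FAKE_EXPORTS))
    print(hex(resolve_by_hash(ror13_hash("VirtualAlloc")) or 0))
```

In practice the name list fed to `build_reverse_table` is the export directory of every DLL the sample could plausibly load, and the hash function is recovered from the handler that performs the lookup; once those two pieces are known, every constant in the table can be renamed in the disassembler.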
String obfuscation within AuraStealer uses stack-based XOR encryption: the encrypted string and its XOR key are assembled on the stack from constant values immediately before decryption, so no plaintext string sits in the binary. The malware also includes an anti-tampering check built on MapFileAndCheckSumW, which recomputes the image checksum and compares it with the CheckSum field of the PE optional header; if the two differ, as they will after the binary has been modified, the malware terminates. AuraStealer also installs its custom exception handlers during initialization routines that run before WinMain, so an analyst who starts reading at WinMain can miss them.
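The checksum self-check is worth seeing in code, because it is the reason a sample that an analyst has patched (a flipped conditional jump, a NOPed check) dies before doing anything, and because the fix is mechanical. The block below is an added example, not code from AuraStealer or from Gen Digital: it reimplements the image checksum that MapFileAndCheckSumW and CheckSumMappedFile compute, applies the same comparison the malware makes, and shows that re-stamping the header makes a patched file pass again. The minimal PE image it builds is constructed for the demo.

```python
import struct

# Added example: the imagehlp PE checksum, the anti-tamper comparison built on it,
# and re-stamping after a patch. The sample image is constructed here and is not
# an AuraStealer binary.


def checksum_field_offset(data: bytes) -> int:
    """File offset of IMAGE_OPTIONAL_HEADER.CheckSum:
    e_lfanew + 4 (PE signature) + 20 (COFF header) + 64 (same for PE32 and PE32+)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    return e_lfanew + 4 + 20 + 64


def pe_checksum(data: bytes) -> int:
    """Documented imagehlp algorithm: sum every 32-bit word except the CheckSum
    field itself, folding carries back in, fold the result to 16 bits, then add
    the file length."""
    skip = checksum_field_offset(data)
    padded = data + b"\0" * ((4 - len(data) % 4) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == skip:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        if total > 0xFFFFFFFF:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    total &= 0xFFFF
    return total + len(data)


def stored_checksum(data: bytes) -> int:
    """The value the linker (or nobody) wrote into the optional header."""
    return struct.unpack_from("<I", data, checksum_field_offset(data))[0]


def checksum_matches(data: bytes) -> bool:
    """The decision the anti-tamper check makes: header value == recomputed value."""
    return stored_checksum(data) == pe_checksum(data)


def stamp_checksum(data: bytes) -> bytes:
    """Write the correct checksum into the header, which is what an analyst must
    redo after patching a self-checking sample."""
    out = bytearray(data)
    struct.pack_into("<I", out, checksum_field_offset(data), pe_checksum(data))
    return bytes(out)


def patch_byte(data: bytes, offset: int, xor: int) -> bytes:
    """Simulate a one-byte analyst patch."""
    out = bytearray(data)
    out[offset] ^= xor
    return bytes(out)


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 layout: DOS header with e_lfanew=0x40, PE signature,
    COFF header, 224-byte PE32 optional header with CheckSum left at 0 (an unstamped
    build), one section header and 256 bytes of body."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    section = b".text\0\0\0".ljust(40, b"\0")
    body = b"constructed body bytes for the checksum demo\0".ljust(256, b"\0")
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + section + body


BODY_OFFSET = 64 + 4 + 20 + 224 + 40  # 352: first byte of the sample's section body


if __name__ == "__main__":
    good = stamp_checksum(build_sample_pe())
    tampered = patch_byte(good, BODY_OFFSET, 0x20)
    print("stamped build passes:", checksum_matches(good))
    print("patched build passes:", checksum_matches(tampered))
    print("re-stamped patch passes:", checksum_matches(stamp_checksum(tampered)))
```

On a real sample, `pefile.PE(path).generate_checksum()` returns the same number and `OPTIONAL_HEADER.CheckSum` the stored one, so a mismatch can be confirmed before the sample is ever run. The check is an integrity hint, not a signature: re-stamping the header, or patching out the comparison itself, defeats it, which is why it only catches analysts who did not expect it.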
The data AuraStealer targets includes sensitive information from Chromium- and Gecko-based browsers, cryptocurrency wallets, active session tokens from platforms such as Discord, Telegram, and Steam, and two-factor authentication tokens. It also goes after password manager databases, including those of KeePass and Bitwarden, VPN configurations, clipboard contents, and screenshots. The malware's modular design further allows custom configuration modules that perform wildcard-based file searches, expanding its data exfiltration capabilities.
The ongoing sophistication of AuraStealer highlights the persistent threat of infostealers in the cyber landscape. As developers continue to refine evasion techniques and expand their data-targeting capabilities, cybersecurity professionals must remain vigilant in developing and deploying robust detection and defense mechanisms. The constant evolution of such malware necessitates continuous research and adaptation by security vendors.

