Cybersecurity researchers have uncovered a malware loader dubbed “in2al5d p3in4er” (read: disabled printer) that is used to deliver the Aurora information stealer.
“The in2al5d p3in4er loader is compiled with Embarcadero RAD Studio and uses advanced anti-VM (virtual machine) techniques to target endpoint workstations,” cybersecurity firm Morphisec said in a report shared with The Hacker News.
Aurora is a Go-based information stealer that emerged in the threat landscape in late 2022. It is offered as commodity malware to other actors and distributed through YouTube videos and fake cracked-software download websites that are optimized for search engines (SEO).
By clicking the link in the YouTube video description, the victim is redirected to a decoy website and tricked into downloading the malware, which is disguised as a seemingly legitimate utility.
The loader analyzed by Morphisec is designed to query the vendor IDs of the graphics cards installed on the system and compare them against an allowlist of vendor IDs (AMD, Intel, or NVIDIA). If none of the values match, the loader exits, which is how it avoids running inside virtual machines and sandboxes that present an emulated display adapter.
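The practical consequence of that check for defenders is that an analysis VM whose only display adapter is the hypervisor's emulated GPU will never see the final payload. The following is an added example (not Morphisec's code and not taken from the loader) that lets a sandbox operator verify, from `lspci -n` output or Windows `Win32_VideoController` PNPDeviceID strings, whether the machine would pass an AMD/Intel/NVIDIA vendor-ID allowlist. The vendor-ID constants are the public PCI-SIG IDs for those vendors; the sample device lines are constructed, and the `0x80EE`/`0x15AD` hypervisor adapters in them are assumed for illustration.

```python
import re

# Public PCI-SIG vendor IDs for the three GPU vendors named in the article.
ALLOWED_GPU_VENDORS = {
    0x1002: "AMD",
    0x8086: "Intel",
    0x10DE: "NVIDIA",
}

# `lspci -n` lines look like "00:02.0 0300: 8086:3e92"; class 0300 is a VGA controller.
# Filtering on the class matters: an Intel host bridge (class 0600, vendor 8086)
# is not a GPU and must not make a VM look like a physical workstation.
_LSPCI_RE = re.compile(
    r"^\S+\s+(?P<cls>[0-9a-fA-F]{4}):\s+(?P<ven>[0-9a-fA-F]{4}):(?P<dev>[0-9a-fA-F]{4})"
)

# Windows Win32_VideoController.PNPDeviceID strings look like
# "PCI\VEN_10DE&DEV_1C82&SUBSYS_...". That WMI class only lists display
# adapters, so no class filter is needed for this format.
_PNP_RE = re.compile(
    r"PCI\\VEN_(?P<ven>[0-9a-fA-F]{4})&DEV_(?P<dev>[0-9a-fA-F]{4})", re.IGNORECASE
)


def gpu_vendor_ids(lines):
    """Return the PCI vendor IDs (ints) of display adapters found in either
    `lspci -n` lines or Windows PNPDeviceID strings."""
    found = []
    for line in lines:
        m = _LSPCI_RE.match(line.strip())
        if m:
            if m.group("cls").lower() == "0300":
                found.append(int(m.group("ven"), 16))
            continue
        m = _PNP_RE.search(line)
        if m:
            found.append(int(m.group("ven"), 16))
    return found


def would_pass_allowlist(vendor_ids):
    """True if at least one display adapter belongs to an allowlisted vendor."""
    return any(v in ALLOWED_GPU_VENDORS for v in vendor_ids)


def sandbox_gpu_report(lines):
    """Summarize what a vendor-ID allowlist check would see on this machine."""
    ids = gpu_vendor_ids(lines)
    names = [ALLOWED_GPU_VENDORS.get(v, f"unknown(0x{v:04x})") for v in ids]
    return {"vendor_ids": ids, "vendors": names, "loader_would_run": would_pass_allowlist(ids)}


# Constructed sample input: a typical VirtualBox-style `lspci -n` listing.
# Only the class-0300 device counts; the 8086 host bridge is ignored.
VIRTUALBOX_LSPCI = [
    "00:00.0 0600: 8086:1237",
    "00:02.0 0300: 80ee:beef",
    "00:03.0 0200: 8086:100e",
]

# Constructed sample input: a VMware-style listing with an emulated SVGA adapter.
VMWARE_LSPCI = ["00:0f.0 0300: 15ad:0405"]

# Constructed sample input: PNPDeviceID of a physical NVIDIA card on Windows.
PHYSICAL_PNP = [r"PCI\VEN_10DE&DEV_1C82&SUBSYS_37151458&REV_A1\4&1234ABCD&0&0008"]

if __name__ == "__main__":
    for label, lines in (("virtualbox", VIRTUALBOX_LSPCI),
                         ("vmware", VMWARE_LSPCI),
                         ("physical", PHYSICAL_PNP)):
        print(label, sandbox_gpu_report(lines))
```

Run against the real `lspci -n` output of an analysis VM (or the PNPDeviceID values from `Get-CimInstance Win32_VideoController` on Windows), a `loader_would_run: False` result tells you the sandbox needs GPU passthrough or an adapter that reports a hardware vendor ID before it can be expected to detonate this family.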
The loader eventually decrypts the final payload and injects it into a legitimate process called ‘sihost.exe’ using process hollowing. Alternatively, some loader samples allocate memory, write the decrypted payload to it, and call it from there.
As security researchers Arnold Osipov and Michael Dereviashkin put it, another important aspect of the loader is that Embarcadero RAD Studio can be used to generate executables for multiple platforms, thereby evading detection.
“The one with the lowest detection rate on VirusTotal was compiled using Embarcadero’s new Clang-based C++ compiler, ‘BCC64.exe’,” the Israeli cybersecurity firm said, pointing out its ability to evade sandboxes and virtual machines.
“This compiler uses a different code base, such as the ‘standard library’ (Dinkumware) and the ‘runtime library’ (compiler-rt), and generates optimized code that changes the entry point and execution flow. This breaks security vendors’ indicators, such as signatures composed of ‘malicious/suspicious code blocks’.”
In a nutshell, the findings show that the threat actors behind in2al5d p3in4er leveraged social engineering, using YouTube as a malware distribution channel to lure viewers to convincing fake websites, in a high-impact campaign to distribute stealer malware.
This development comes as Intel 471 discovered another malware loader, AresLoader, which is sold for $300/month as a service that lets criminals use a binder tool to push information stealers disguised as popular software. The loader is suspected to have been developed by a group associated with hacktivism in Russia.
Since January 2023, notable malware families using AresLoader to spread include Aurora Stealer, Laplas Clipper, Lumma Stealer, Stealc, and SystemBC.