April 18, 2023Rabbi LakshmananThreat Intelligence / Cyber ​​Risk

A cybersecurity researcher said, “in2al5d p3in4er” (read: disabled printer) Used to deliver the Aurora information stealer malware.

“The in2al5d p3in4er loader Embarcadero RAD Studio It uses advanced anti-VM (virtual machine) techniques to target endpoint workstations,” said cybersecurity firm Morphisec. Said In a report shared with The Hacker News.

Aurora is a Go-based information-stealing program that has emerged in the threat landscape in late 2022. It is offered as commodity malware to other actors and distributed through YouTube videos and fake crack software download websites for SEO.

By clicking on the link in the YouTube video description, the victim is redirected to a decoy website and tricked into downloading malware disguised as a seemingly legitimate utility.

The loader analyzed by Morphisec is designed to query the vendor IDs of the graphics cards installed on the system and compare them against a set of allowlisted vendor IDs (AMD, Intel, or NVIDIA). I’m here. If the values ​​do not match, the loader exits.

The loader eventually decrypts the final payload and injects it into a legitimate process called ‘sihost.exe’. Hollow processingAlternatively, some loader samples allocate memory, write the decrypted payload, and call it from there.

As security researchers Arnold Osipov and Michael Dereviashkin put it:

Aurora stealer malware

Another important aspect of the loader is that Embarcadero RAD Studio can be used to generate executables for multiple platforms, thereby evading detection.

“VirusTotal’s lowest detection rate was compiled using Embarcadero’s new Clang-based C++ compiler, ‘BCC64.exe’,” said the Israeli cybersecurity firm, which used sandboxes and virtual machines. I pointed out the ability to dodge.

“This compiler uses different code bases such as the ‘standard library’ (Dinkumware) and the ‘runtime library’ (compiler-rt) to generate optimized code that changes entry points and execution flow. This breaks security vendor indicators such as signatures. It consists of “malicious/suspicious code blocks”. ”

upcoming webinars

Master the Art of Dark Web Intelligence Gathering

Learn the art of extracting threat intelligence from the dark web – join us for this expert-led webinar!

Save my seat!

In a nutshell, our findings show that the threat actors behind in2al5d p3in4er leveraged social engineering techniques to use YouTube as a malware distribution channel to lure viewers to compelling fake websites. Indicates a high-impact campaign to distribute stealer malware.

This development comes when Intel 471 discovers another malware loader. ares loader It sells for $300/month as a service for criminals to use binder tools to push information stealers disguised as popular software. Loader is suspected to have been developed by a group associated with hacktivism in Russia.

Since January 2023, notable malware families using AresLoader to spread include Aurora Stealer, Laplas Clipper, Lumma Stealer, Stealc, and SystemBC.

Did you find this article interesting?Please follow us twitter and LinkedIn To read more exclusive content that we post.



Register now for our membership to gain access to our elite training program and fast forward your career today!


Subscribe my Newsletter for new blog posts, tips & new photos. Let's stay updated!

Security Blog

Blue Training Academy

Blue Training Academy was developed in 2018 as a educational and training facility for continuing education and certification courses. Blue Training Academy is an educational institution that allows for all sectors of the public and Criminal Justice field to gain ongoing training and education.

Copyright ©️ All rights reserved. | Blue Training Academy Blog