Stealth is a typical goal for most threat actors launching malware and other attacks: the better hidden a piece of malware is, the more effective the attack becomes. That is exactly what the fast-rising data stealer Aurora is gaining notoriety for.
Aurora, a former botnet turned data stealer, has in fact recently piqued SEKOIA.IO researchers’ interest, leading them to publish 51 indicators of compromise (IoCs), including 28 IP addresses and eight domains, related to the threat. Is Aurora truly flying under the radar, though? Or can extensive WHOIS, IP, and DNS intelligence point to more digital breadcrumbs?
Our IoC expansion exercise, which jumped off the IoCs SEKOIA.IO researchers already identified, led to the discovery of:
- Four additional IP addresses to which the domains identified as IoCs resolved
- 972 domains that shared IP hosts with the IoCs, 43 of which turned out to be malicious
- 2,262 domains containing unique strings seen in the domains identified as IoCs, seven of which turned out to be malicious
A sample of the additional artifacts obtained from our analysis is available for download from our website.
We began our deep dive into Aurora with a bulk WHOIS lookup for the domains identified as IoCs. Three of them—onesoftware[.]site, unisoft[.]store, and mividajugosa[.]com—had retrievable WHOIS records. While onesoftware[.]site and unisoft[.]store didn’t have registrant email addresses on file, mividajugosa[.]com did.
A historical reverse WHOIS search for mividajugosa[.]com’s unredacted registrant email address showed it has only been used to register the corresponding IoC. Could the registrant be affiliated with the threat group behind Aurora? Did she abandon the domain when it was flagged as malicious?
Next, DNS lookups for the eight domains identified as IoCs surfaced four additional IP addresses (e.g., 79[.]137[.]197[.]201 and 91[.]229[.]90[.]149) that aren’t on the published list. None of them is flagged as malicious to date, but all four showed Secure Sockets Layer (SSL)/TLS configuration issues, which could make them prone to compromise.
Further scrutiny via reverse IP lookups for the IP addresses identified as IoCs and the four others we uncovered led to the discovery of 972 domains that could be connected to the threat. On shared hosting, domains that sit on the same IP address are not necessarily related, so this co-hosted set is a list of candidates to vet rather than a list of IoCs; in fact, 43 of these domains turned out to be malicious after a bulk malware check.
A closer look at the malicious domains showed that a majority could be travel-themed, given the appearance of strings like “trav,” “travel,” and “trip.” In the domain volume breakdown for these strings, more “trip”-containing domains were found than those containing “trav” or “travel” (note that every domain containing “travel” also contains “trav,” so those two counts overlap).
We noticed unique strings among the domains identified as IoCs, namely, “allsoft,” “onesoftware,” “unisoft,” “freesoft,” “cheatcloud,” and “mividajugosa.” Using these as Domains & Subdomains Discovery search terms allowed us to uncover 2,262 additional domains, seven of which turned out to be malware hosts. Examples of the malicious web properties are cheatcloud[.]us, cheatcloud[.]fun, cheatcloud[.]pro, and cheatcloud[.]one. Here’s a breakdown of the additional domains we found by unique string.
“Soft” appeared in 99% of the domains, which is expected given that four of the six search strings contain it, and potentially alludes to visitors being able to obtain free copies of the programs featured on the websites they hosted.
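The three pivots described above (forward DNS on the domain IoCs to find missing IPs, reverse IP on every address to find co-hosted domains, and a substring search for the unique strings) are easy to script once the indicators are refanged. The following is an added example written for this page; it is not code from the article, WhoisXML API, or SEKOIA.IO. The three seed domain names are the ones the article names, but every resolution record, IP address, and candidate domain is constructed (RFC 5737 documentation addresses and .example names) so the script runs offline; for live work, swap the two tables for a resolver or passive-DNS client.

```python
"""IoC expansion pivots: DNS forward/reverse lookups and unique-string search.

Added example, not code from the article, WhoisXML API or SEKOIA.IO. The lookup
tables are CONSTRUCTED (RFC 5737 documentation addresses, .example names) so the
script runs offline; for live work replace them with a resolver or passive-DNS
client. The article's published IoC list is not reproduced here.
"""
import re
from collections import Counter

DEFANGED_DOT = re.compile(r"\[\.\]|\(\.\)|\{\.\}")


def refang(ioc: str) -> str:
    """Turn a defanged indicator (1[.]2[.]3[.]4, hxxps://) back into a usable string."""
    ioc = DEFANGED_DOT.sub(".", ioc.strip())
    return re.sub(r"^hxxps?", lambda m: m.group(0).lower().replace("xx", "tt"), ioc, flags=re.I)


def defang(ioc: str) -> str:
    """Defang for publication so the indicator cannot be clicked or auto-linked."""
    return ioc.replace(".", "[.]").replace("http", "hxxp")


# The three domain IoCs named in the article, in its defanged style. The seed IP
# and all resolution data below are invented for the demo.
SEED_DOMAINS = ["onesoftware[.]site", "unisoft[.]store", "mividajugosa[.]com"]
SEED_IPS = ["192[.]0[.]2[.]10"]

# Constructed forward (A) and reverse (PTR / passive-DNS) tables. Nothing here is
# a real resolution of these names.
FORWARD_DNS = {
    "onesoftware.site": ["192.0.2.10"],
    "unisoft.store": ["192.0.2.10", "198.51.100.7"],
    "mividajugosa.com": ["203.0.113.5"],
}
REVERSE_DNS = {
    "192.0.2.10": ["onesoftware.site", "unisoft.store", "freesoft-dl.example"],
    "198.51.100.7": ["unisoft.store", "triptravel-deals.example", "cheaptrips.example"],
    "203.0.113.5": ["mividajugosa.com", "travel-bargains.example", "roadtrip-planner.example"],
}


def expand_by_dns(seed_domains, seed_ips, forward=FORWARD_DNS, reverse=REVERSE_DNS):
    """Pivot 1: forward-resolve the seed domains and keep IPs the seed list lacks.
    Pivot 2: reverse-resolve every IP (seed + new) and keep domains the seed list
    lacks. Reverse-IP results on shared hosting include unrelated tenants, so
    treat them as candidates to check, not as IoCs."""
    seeds_d = {refang(d) for d in seed_domains}
    seeds_ip = {refang(ip) for ip in seed_ips}
    resolved = {ip for d in seeds_d for ip in forward.get(d, [])}
    new_ips = resolved - seeds_ip
    cohosted = {d for ip in seeds_ip | new_ips for d in reverse.get(ip, [])} - seeds_d
    return {"new_ips": sorted(new_ips), "cohosted_domains": sorted(cohosted)}


def keyword_breakdown(domains, keywords):
    """Count domains containing each keyword. Buckets overlap: every 'travel'
    match is also a 'trav' match."""
    return Counter({k: sum(k in d for d in domains) for k in keywords})


def string_pivot(tokens, candidates, exclude=()):
    """Pivot 3: plain substring search for seed-derived unique strings over a
    candidate domain set. Note it misses look-alikes such as alls0ft for allsoft."""
    ex = {refang(d) for d in exclude}
    return {t: sorted(d for d in candidates if t in d and d not in ex) for t in tokens}


def share_containing(domains, needle):
    """Percentage of domains containing needle (e.g. how many carry 'soft')."""
    domains = list(domains)
    return round(100 * sum(needle in d for d in domains) / len(domains)) if domains else 0


# Constructed candidate pool standing in for a domain-discovery result set.
CANDIDATES = ["allsoft.example", "alls0ft.example", "cheatcloud.example",
              "unisoft-pro.example", "unisoft.store", "gardening.example",
              "freesoftware-hub.example"]
TOKENS = ["allsoft", "unisoft", "freesoft", "cheatcloud"]

if __name__ == "__main__":
    dns = expand_by_dns(SEED_DOMAINS, SEED_IPS)
    print("IPs not in the seed list:", [defang(ip) for ip in dns["new_ips"]])
    print("co-hosted domains:", [defang(d) for d in dns["cohosted_domains"]])
    print("theme breakdown:", dict(keyword_breakdown(dns["cohosted_domains"], ["trav", "travel", "trip"])))
    hits = string_pivot(TOKENS, CANDIDATES, exclude=SEED_DOMAINS)
    print("string pivot:", hits)
    found = {d for ds in hits.values() for d in ds}
    print("share containing 'soft':", share_containing(found, "soft"), "%")
```

The output of `expand_by_dns` is deliberately split into "new IPs" and "co-hosted domains" because they carry different confidence: an IP a known-bad domain resolves to is a strong pivot, while a domain that merely shares that IP needs a malware or reputation check before it becomes an IoC, which is the step the article applies to its 972 co-hosted domains.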
Screenshot lookups for the 2,262 additional domains we can consider potential threat artifacts also yielded an interesting result. We found that “allsoft” is commonly used by several websites offering application downloads or software development services. The actors behind Aurora may be mimicking these seemingly legitimate country-specific sites to lure users to click their malicious links.
Given the country-code top-level domains (ccTLDs) used, users from Montenegro (.me), Ukraine (.ua), and Belgium (.be) interested in downloading applications from the three sites mentioned above should be wary of clicking the IoCs allsofts[.]cloud and alls0ft[.]cloud.
In addition, at least eight of the “allsoft” sites hosted the same content, which could mean they’re localized versions of two companies’ business pages.
Customers of the software download site and the software development company should also steer clear of the “allsoft” IoCs SEKOIA.IO identified.
One “allsoft” domain oddly hosted what looked to be a 3D photo development site. Interestingly, the domain appeared similar to the IoC alls0ft[.]cloud that pointed to what looked like a blog about the latest tech gadgets.
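The alls0ft[.]cloud and allsofts[.]cloud cases show why a substring search for "allsoft" is not enough: a digit swapped for a letter or one extra character defeats it. The following is an added example, not code from the article or its vendor, that flags domains spelling a brand string with confusable characters, sitting one edit away from it, or embedding it, and records the ccTLD so the per-country warning above can be automated. The confusable table is a deliberately small assumption to extend per brand, and every sample domain is constructed rather than taken from the article's IoC list.

```python
"""Lookalike-domain triage for a brand string such as "allsoft".

Added example; not code from the article or WhoisXML API. Sample domains are
CONSTRUCTED and are not the article's IoCs. The confusable table is an
assumption: a minimal set of digit/letter swaps seen in squatted domains.
"""

CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                             "5": "s", "7": "t", "8": "b", "|": "l"})


def normalize(label: str) -> str:
    """Map look-alike characters back to the letters they imitate."""
    return label.lower().translate(CONFUSABLES)


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute), standard dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """First label of a (possibly defanged) domain, ignoring a leading 'www.'.
    Assumption: no public-suffix list, so 'allsoft.co.uk' still yields 'allsoft'."""
    d = domain.replace("[.]", ".").lower()
    d = d[4:] if d.startswith("www.") else d
    return d.split(".")[0]


def cctld(domain: str):
    """Two-letter final label, e.g. 'me', 'ua', 'be'; None for generic TLDs."""
    last = domain.replace("[.]", ".").lower().rsplit(".", 1)[-1]
    return last if len(last) == 2 else None


def classify(brand: str, domain: str):
    """Return why a domain resembles the brand, or None if it does not.
    Checks run from strongest to weakest match."""
    label = registrable_label(domain)
    if label == brand:
        return "exact brand string"
    norm = normalize(label)
    if norm == brand:
        return "confusable characters"
    if levenshtein(norm, brand) == 1:
        return "one edit away"
    if brand in norm:
        return "contains brand"
    return None


def lookalikes(brand: str, domains):
    """Map each flagged domain to (reason, ccTLD or None)."""
    out = {}
    for d in domains:
        reason = classify(brand, d)
        if reason:
            out[d] = (reason, cctld(d))
    return out


# Constructed sample set; .cloud entries mimic the article's IoC pattern only.
SAMPLE = ["allsoft[.]me", "alls0ft[.]cloud", "allsofts[.]cloud", "alsoft[.]be",
          "allsoft-download[.]ua", "gardening[.]be"]

if __name__ == "__main__":
    for domain, (reason, cc) in lookalikes("allsoft", SAMPLE).items():
        print(f"{domain:24} {reason:22} ccTLD={cc}")
```

Running it against a domain-discovery export lets you separate an "exact brand string" hit, which may be a legitimate localized site of the kind the screenshots showed, from the "confusable characters" and "one edit away" hits that deserve blocking; the article's own 'soft'-heavy result set is a good reminder that a plain substring match over-collects while still missing the digit-swapped variants.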
Our IoC expansion effort led to the identification of 3,188 potentially connected artifacts and possibly 50 additional IoCs that likely require blocking for fuller protection. Returning to the question of whether Aurora is truly flying under the radar, the digital breadcrumbs we uncovered may lead to further transparency on the threat group’s activities.
If you wish to perform a similar investigation or get access to the full data behind this research, please don’t hesitate to contact us.