Threat actors are quite adept at changing tactics once the cybersecurity community or law enforcement catches up to them. That is evident in the recent resurgence of malvertising though no longer through users’ browsers as in the past.

Malwarebytes Labs’s Jérôme Segura uncovered such a campaign targeting Windows users. When clicked, malvertisements redirected users to a page touting a very convincing Windows security update that was actually Aurora in disguise.

First seen last year, Aurora is now one of the most popular data-stealing malware today designed to harvest user credentials from infected systems. The malware’s acclaim could stem from its ability to stay under the radar but does it really leave no DNS traces? We sought to find out through an indicator of compromise (IoC) expansion analysis.

Using the 23 IoCs—18 domains and five IP addresses—Malwarebytes identified as jump-off points, our deep dive uncovered:

• 595 domains that shared the IoCs’ IP hosts, two of which turned out to be malicious
• 60 domains that contained strings also found among the IoCs
• 167 subdomains that ended with login.php akin to the data stealer’s control panel address, two of which turned out to be malware hosts

A sample of the additional artifacts obtained from our analysis is available for download from our website.

IoC Facts

The Malwarebytes report identified these 23 IoCs.

Despite their confirmed connection to Aurora, three of the domains in the table above—qqtube[.]ru, evatds[.]ru, and grhfgetraeg6yrt[.]site—aren’t currently detected as malicious. None of the IP addresses were also categorized as such.

The 23 domains identified as IoCs were managed by three registrars led by TIMEWEB-RU, which accounted for 15 of the domain names. PDR Ltd. was responsible for two domains and REGRU-RU for the last remaining domain name.

All of the IoCs were newly registered—between 13 February and 15 April 2023. Only the registrants of two domains identified their country—Russia.

The five IP addresses, meanwhile, belonged to five different Internet service providers (ISPs). REG.RU Ltd., TimeWeb Co. Ltd., ReliableSite.Net LLC, Galaxy LLC, and Shinomiya Hosting managed one IP address each. Two of the IP hosts were geolocated in Russia. One IP address each, on the other hand, pointed to the U.S., the Netherlands, and Germany as their origin.

IoC List Expansion Findings

To find traces of this Aurora variant in the DNS, we first looked at the five IP addresses identified as IoCs. Reverse IP lookups showed that two of them were shared hosts. Altogether, the IoCs’ hosted at least 595 other domains.

Based on a Threat Intelligence Platform (TIP) bulk malware check, two of the IP-connected domains—18meet[.]fun and akord-kazan[.]ru—were malicious. Despite its nature, akord-kazan[.]ru remained accessible and continues to host live content to this day.

A closer look at the domains publicized as IoCs allowed us to identify strings that may appear in other domain names as well. We found that the 16 strings seen among the IoCs listed below were also present in 60 other domains.

• qqtube.
• activessd.
• chistauyavoda.
• xxxxxxxxxxxxxxx.
• activehdd.
• oled8kultra.
• xhamster-18.
• activessd6.
• activedebian.
• shluhapizdec.
• 4042023.
• clickaineasdfer.
• moskovpizda.
• pochelvpizdy.
• evatds.
• grhfgetraeg6yrt.

The 60 string-connected domains started with one of the strings above. Also, only one string from the IoCs—click7adilla.—didn’t appear in any other domain name.

The Malwarebytes analysis also named 193[.]233[.]20[.]29/games/category/Login[.]php as an IoC specifically related to the threat’s control panel. The string login.php could be part of several subdomains. As it turns out, 167 subdomains contained the string, two of which turned out to be malware hosts.

Interestingly, both of the malicious subdomains containing login.php had the string paypal as well.

How Does This Variant Differ from the 2022 One?

Compared with the 2022 Aurora stealer variant that used strings more related to software download sites (aka, the ruse), the threat actors behind this version used domain names that had no apparent connection to Windows nor security updates—their chosen social engineering bait. This Aurora stealer campaign’s IP- and string-connected domains didn’t follow a theme like those found in 2022 (seemingly travel-themed).

Expanding published IoC lists for specific threats may reveal connected artifacts that even the most comprehensive malware analyses don’t mention. This exercise, for instance, allowed us to identify 600+ domains and 100+ subdomains that shared similarities with the Aurora IoCs. It also brought to light four malicious web properties.

If you wish to perform a similar investigation or learn more about the products used in this research, please don’t hesitate to contact us.