Aurora Stealer propagates using the Invalid Printer loader

May 9, 2023

Aurora Stealer operators have been using a new, highly evasive loader called in2al5d p3in4er (Invalid Printer) to propagate their malware. The newly discovered campaign targets endpoint workstations and relies on anti-analysis and anti-VM techniques to evade security detections.

Researchers have published a detailed rundown of the capabilities and internals of in2al5d p3in4er, noting that its developers compiled the loader with Embarcadero RAD Studio.

In addition, the threat actors apply social engineering tactics: they use YouTube as a distribution platform and redirect viewers to compromised websites, promoted through SEO poisoning, that deliver the Aurora stealer.

The new loader also runs only on systems with graphics cards from specific vendors. Upon infection, it queries the vendor ID of the graphics card on the system and compares it against a set of allow-listed vendor IDs; if the value does not match one of the expected IDs, the loader terminates itself. This check is part of its anti-VM behaviour, since virtual machines typically expose a virtual display adapter rather than a physical vendor's GPU.
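A sandbox-hardening check for the vendor-ID gate described above, added here as an example (not code from the article or from the loader): it parses Windows `PNPDeviceID` strings for the PCI vendor ID and reports whether an analysis VM would be recognised as virtual and therefore never reach the payload stage. The vendor table is an assumption built from public PCI-SIG assignments; the article does not list the IDs the loader checks.

```python
import re
from typing import Dict, List

# Public PCI vendor IDs (assumption: not taken from the article or the loader's own list).
PHYSICAL_GPU_VENDORS: Dict[str, str] = {
    "10DE": "NVIDIA",
    "1002": "AMD",
    "8086": "Intel",
}
VIRTUAL_GPU_VENDORS: Dict[str, str] = {
    "15AD": "VMware SVGA",
    "80EE": "VirtualBox",
    "1AF4": "virtio (QEMU/KVM)",
    "1414": "Microsoft Hyper-V",
}

# PNPDeviceID strings carry the PCI vendor as 'VEN_XXXX' (four hex digits).
_VEN_RE = re.compile(r"VEN_([0-9A-Fa-f]{4})")


def classify_gpu(pnp_device_id: str) -> str:
    """Classify one Win32_VideoController PNPDeviceID as physical, virtual or unknown."""
    m = _VEN_RE.search(pnp_device_id)
    if not m:
        return "unknown"
    ven = m.group(1).upper()
    if ven in PHYSICAL_GPU_VENDORS:
        return "physical"
    if ven in VIRTUAL_GPU_VENDORS:
        return "virtual"
    return "unknown"


def loader_would_run(pnp_device_ids: List[str]) -> bool:
    """True if at least one adapter looks like a physical GPU, i.e. a vendor-ID gate
    like the loader's would pass and the sample would proceed to decrypt its payload.
    False means the sandbox would be fingerprinted and the sample would exit early."""
    return any(classify_gpu(d) == "physical" for d in pnp_device_ids)


# Constructed sample values in the shape returned by
# 'wmic path win32_VideoController get PNPDeviceID' on a VM and on bare metal.
SANDBOX_DEFAULT = ["PCI\\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\\3&2B8E0B4B&0&78"]
BARE_METAL = ["PCI\\VEN_10DE&DEV_1C82&SUBSYS_37231462&REV_A1\\4&1B2C3D4E&0&0008"]

if __name__ == "__main__":
    for name, ids in (("sandbox", SANDBOX_DEFAULT), ("bare metal", BARE_METAL)):
        print(f"{name}: loader would run = {loader_would_run(ids)}")
```

A sandbox that reports `False` here will not detonate this family; the fix is to present a physical-vendor GPU identity to the guest (or run on bare metal) before expecting the payload stage to appear.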

If the check passes, the loader decrypts the final payload and injects it into a legitimate process through process hollowing. Some samples instead allocate memory for the decrypted payload and execute it from that location.


The Aurora Stealer malware operators use an evasion tactic that leverages several configuration options.


The campaign uses Embarcadero RAD Studio to generate executables for various platforms with different configuration options. Moreover, a recent study showed that malware built with the Embarcadero compiler currently has among the lowest detection rates.

The surge of such threats is driven by the fact that this compiler produces code that differs from that of the default compilers: its optimised output changes the execution flow and the entry point of the loader.

This undermines security vendors' detection methods, such as signatures derived from the malicious code block, and makes analysis more difficult.

The current Aurora Stealer campaign using the in2al5d p3in4er loader combines social engineering with various evasion tactics to bypass entry-level security controls. Organisations should therefore train their employees to recognise such social engineering threats.

Experts also suggest that organisations deploy firewalls and endpoint security solutions so that only legitimate URLs can be reached from their networks.
