Cybersecurity researchers have described the inner workings of a highly evasive loader known as “in2al5d p3in4er” (read: invalid printer), which is used to distribute the Aurora information-stealing malware.
“The in2al5d p3in4er loader is compiled with Embarcadero RAD Studio and targets endpoint workstations using advanced anti-VM (virtual machine) technique,” cybersecurity firm Morphisec said in a report.
The Go-based information stealer Aurora first appeared in late 2022 and is sold as a commodity stealer to other attackers. It is distributed through YouTube videos and SEO-optimized websites that offer fake cracked-software downloads. When a victim clicks a link in a YouTube video description, they are taken to a fake website that persuades them to download the malware posing as a useful tool.
The loader Morphisec examined queries the installed graphics card’s vendor ID and compares it against an allowlist of vendor IDs (AMD, Intel, or NVIDIA). If the vendor ID is not on the list, the loader self-terminates, an anti-analysis check that trips on the generic virtual GPUs typical of sandboxes. Otherwise, the loader decrypts the final payload and injects it into the legitimate process “sihost.exe” using process hollowing. Alternatively, some loader samples allocate memory, write the decrypted payload into it, and call it from there.
“During the injection process, all loader samples resolve the necessary Win APIs dynamically and decrypt these names using an XOR key: ‘in2al5d p3in4er,'” said security researchers Michael Dereviashkin and Arnold Osipov. Another notable aspect is the loader’s use of Embarcadero RAD Studio, which can build executables for multiple platforms and helps it evade detection.
The Israeli cybersecurity firm said that the samples with the lowest VirusTotal detection rates were built with Embarcadero’s new “BCC64.exe” Clang-based C++ compiler because of its capacity to evade sandboxes and virtual machines. This compiler produces optimized code, which changes the entry point and execution flow, and uses a different code base, such as the “Standard Library” (Dinkumware) and the “Runtime Library” (compiler-rt). This breaks security vendors’ indicators, such as signatures built from “malicious/suspicious code block” patterns.
The research shows that the threat actors behind in2al5d p3in4er are relying on social engineering for a high-impact campaign that uses YouTube as a malware distribution channel and sends users to convincing-looking fake websites to spread the stealer. The findings coincide with Intel 471’s discovery of another malware loader, AresLoader, advertised as a $300/month service that lets criminal actors push information stealers disguised as popular applications using a binder tool. The loader is believed to have been created by a group connected to Russian hacktivism. Since January 2023, AresLoader has been propagating several well-known malware families, including Aurora Stealer, Laplas Clipper, Lumma Stealer, Stealc, and SystemBC.