A recently spotted campaign tricked users with an in-browser Windows update simulation to deliver the Aurora information-stealing malware.
Aurora is an information-stealing malware that has been available on hacker forums for over a year and is well known for its ability to evade virus detection.
It was spotted recently by researchers at Malwarebytes disguised as a Windows update simulation and featured a full-screen browser window that looked like a legitimate Windows system update screen.
The disguised Chrome updater is categorized as a “fully undetectable” (FUD) malware loader called ‘Invalid Printer’. It seems to be a unique strain of malware used exclusively by this specific hacker.
When researchers at Malwarebytes detected this recent malware simulation, Virus Total had not flagged it yet as suspicious.
How “Invalid Printer” Works
The host’s graphic card is the first thing the “Invalid Printer” malware examines to see if it’s running on a virtual machine or in a sandbox setting. If not, it launches a replica of the Aurora information thief after being unpacked.
The threat actor behind this campaign, according to Malwarebytes, appears to be particularly interested in developing difficult-to-detect tools. New samples are frequently uploaded to Virus Total to see how well they perform against detection engines. Additionally, it was discovered that every new sample that was uploaded to Virus Total came from a user in Turkey.