A newly discovered remote access trojan (RAT) framework, tracked as Auraboros (its panel is dubbed Auraboros C2), is raising concern not only because of what the agent can do to victims but because its command-and-control (C2) panel has no authentication at all: anyone who reaches it can read victim data and watch the live monitoring feeds, not just the operators who deployed it.
Unsecured Command-and-Control Dashboard
The Auraboros C2 panel runs on a DigitalOcean server at 174.138.43[.]25, listening on port 5000 with an Express.js and Socket.io backend. The whole service is exposed over plain HTTP, so everything it serves is also readable to anyone on the network path, and its Brazilian-Portuguese interface is dressed up under the branding ‘Auraboros Advanced Defense Systems.’ Despite the polished look, nothing protects management operations or victim data: there is no login, no session check, and no transport encryption.
Analysis by Breakglass Intelligence, prompted by alerts from security researchers @Fact_Finder03 and @4_n_0_n_1_3_3_7, mapped the framework’s full capabilities. The analysts found that the panel’s 84 KB JavaScript source was served to any visitor, giving a complete blueprint of the framework.
Comprehensive Threat Capabilities
The Auraboros agent targets Windows systems and supports screenshot capture, webcam snapshots, clipboard monitoring, a live keylogger that reports at three-second intervals, Wi-Fi password extraction, and file browsing. It also executes arbitrary shell commands, performs ARP scans of the local network, and accepts over-the-air (OTA) agent updates.
Six HTTP API endpoints, none requiring authentication, expose beacon lists, command results, and event logs. The Socket.io transport has no session isolation either: every command result is broadcast to every connected client, so anyone who opens a socket to the panel receives the output of every operator’s commands against every victim.
Technical Details and Countermeasures
One notable technique is DLL sideloading: a benign-looking executable, DiskIntegrityScanner.exe, acts as the host that loads a malicious DLL placed alongside it, so the malicious code runs under the name of an innocuous process and is harder to spot in process listings. The agent also harvests browser credentials from Brave and Chrome, using the Windows DPAPI (the same API those browsers use to protect their password stores) to decrypt saved passwords.
To mitigate the risk, organizations should block 174.138.43[.]25 at the perimeter immediately and hunt endpoints for DiskIntegrityScanner.exe; because a renamed host binary defeats a filename check, also look for unsigned DLLs being loaded from the same directory as a user-writable executable. Watch for outbound connections to DigitalOcean-hosted IPs on port 9000 and for reverse SOCKS5 proxy activity on port 1080, bearing in mind that the operator can move to a new droplet at any time, so the IP is a short-lived indicator. Suspicious infrastructure should be reported to DigitalOcean’s abuse team.
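As an added hunting example (not from the report or from Breakglass Intelligence), the following Python script applies the indicators above to Sysmon-style process-creation (Event ID 1), image-load (Event ID 7) and network-connection (Event ID 3) records. The log lines, the DLL name dcomp.dll and the DigitalOcean prefix list are constructed placeholders; the sideload rule is generalised beyond the named host binary to flag any unsigned DLL loaded from the executable’s own directory.

```python
"""Hunt Sysmon-style key=value event lines for the Auraboros indicators.

Added illustration, not the report's own tooling. Sample events, the DLL
name and the DigitalOcean prefix list are constructed/assumed; replace
DO_PREFIXES with DigitalOcean's currently published ranges before use.
"""
import ipaddress
import ntpath
import re

C2_IP = ipaddress.ip_address("174.138.43.25")       # IOC from the report
SIDELOAD_HOST = "diskintegrityscanner.exe"          # IOC from the report
SUSPECT_PORTS = {9000, 1080}                        # agent channel, reverse SOCKS5
# Assumption: placeholder prefix, not an authoritative DigitalOcean range list.
DO_PREFIXES = [ipaddress.ip_network("174.138.0.0/16")]

# key=value pairs; quoted values may contain spaces (Windows paths).
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Turn 'EventID=3 Image="C:\\x y.exe" ...' into a dict of unquoted values."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def in_digitalocean(ip):
    """True if ip falls inside one of the (assumed) DigitalOcean prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in DO_PREFIXES)


def hunt(lines):
    """Return (rule, detail) alerts for every event matching an indicator."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        eid = ev.get("EventID")
        image = ev.get("Image", "")
        if eid == "1" and ntpath.basename(image).lower() == SIDELOAD_HOST:
            alerts.append(("sideload_host_executed", image))
        elif eid == "7":
            # Generalised sideload rule: unsigned DLL loaded from the process's own directory.
            loaded = ev.get("ImageLoaded", "")
            same_dir = ntpath.dirname(loaded).lower() == ntpath.dirname(image).lower()
            if same_dir and ev.get("Signed", "true").lower() == "false":
                alerts.append(("unsigned_dll_sideload", loaded))
        elif eid == "3":
            dst = ev.get("DestinationIp", "")
            if not dst:
                continue
            port = int(ev.get("DestinationPort", "0"))
            if ipaddress.ip_address(dst) == C2_IP:
                alerts.append(("known_c2_ip", f"{dst}:{port}"))
            elif port in SUSPECT_PORTS and in_digitalocean(dst):
                alerts.append(("digitalocean_suspect_port", f"{dst}:{port}"))
    return alerts


# Constructed sample telemetry for this example; not real logs.
SAMPLE_EVENTS = [
    r'EventID=1 Image="C:\Users\bob\AppData\Local\Temp\ds\DiskIntegrityScanner.exe" User=CORP\bob',
    r'EventID=7 Image="C:\Users\bob\AppData\Local\Temp\ds\DiskIntegrityScanner.exe" ImageLoaded="C:\Users\bob\AppData\Local\Temp\ds\dcomp.dll" Signed=false',
    r'EventID=7 Image="C:\Users\bob\AppData\Local\Temp\ds\DiskIntegrityScanner.exe" ImageLoaded="C:\Windows\System32\kernel32.dll" Signed=true',
    r'EventID=3 Image="C:\Users\bob\AppData\Local\Temp\ds\DiskIntegrityScanner.exe" DestinationIp=174.138.43.25 DestinationPort=9000',
    r'EventID=3 Image="C:\Users\bob\AppData\Local\Temp\ds\DiskIntegrityScanner.exe" DestinationIp=174.138.10.7 DestinationPort=1080',
    r'EventID=3 Image="C:\Program Files\Mozilla Firefox\firefox.exe" DestinationIp=142.250.72.46 DestinationPort=443',
    r'EventID=1 Image="C:\Windows\System32\notepad.exe" User=CORP\bob',
]

if __name__ == "__main__":
    for rule, detail in hunt(SAMPLE_EVENTS):
        print(f"{rule:28} {detail}")
```

The same-directory unsigned-DLL rule will fire on some legitimate software installed under user-writable paths, so tune it per estate; the point is that it survives a renamed host binary, which the plain filename check does not.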
