Aurora

Malware Profile Updated 18 days ago
Aurora is a type of malware designed to exploit and damage computer systems, typically delivered through suspicious downloads, emails, or websites. It has been used in a series of high-profile cyber-attacks over the years, notably Operation Aurora in 2009, which targeted major technology companies including Google, and Operation Aurora Redux in 2012. Like RedLine, LokiBot, and Mars, this malware is built to steal session cookies and saved passwords from browsers, which can then be used to evade multifactor authentication controls and access crypto wallets. The Storm-0558 group, tracked for over 20 years, has been linked to these attacks and to other cloud provider compromises.

In July 2022, Advocate Aurora Health, a prominent healthcare provider in the Midwest, disclosed a data exposure incident caused by incorrect use of meta-pixels, affecting around 3 million people. In October 2022, Advocate Aurora reported a HIPAA breach affecting the same number of individuals, involving its prior use of web trackers. In August 2024, Advocate Aurora agreed to pay $12.25 million to settle consolidated civil class action claims that it had invaded patient privacy by using tracking codes on its websites and patient portal.

Despite the threats posed by Aurora and similar malware, tools are available to combat them; for instance, an Aurora ransom decryptor tool is available from Bleeping Computer and Emsisoft. However, certain cloud database services, such as AWS's Aurora services for MySQL or PostgreSQL, are limited in their support against this malware. Furthermore, AWS Outposts does not support Aurora, Oracle Database, Redshift, SageMaker, or any other AWS database model. Despite these limitations, AWS aims to provide a first-class experience with its first-party services such as Aurora for MySQL through CodeWhisperer.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you may also want to look at.

ID / Votes / Profile Description

Operation Aurora (2 votes): Operation Aurora, also known as APT17, is a notorious malware operation that began in 2009 and is considered one of the most sophisticated cyberattacks ever conducted. It specializes in supply chain attacks, which are attempts to damage an organization by targeting less-secure elements in its supply

Hydraq (1 vote): Hydraq, also known as 9002 RAT, McRAT, Naid, and Aurora, is a malicious software (malware) designed to exploit and damage computer systems. This malware can infiltrate systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once it gains access, it has the potential
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Loader
Phishing
Infostealer
Malvertising
Zero Day
Azure
Trojan
Healthcare
Health
Cybercrime
Payload
Apt
Maas
Windows
Fraud
Investment
Ransom
Youtube
Aws
Facebook
Mysql
Sandbox
Colorado
Mongodb
Chinese
China
Amazon
Symantec
Oracle
Boeing
Espionage
Malware Loader
Vulnerability
Rat
Exploit
State Sponso...
Associated Malware
ID / Type / Votes / Profile Description

Mars (type: Unspecified, 1 vote): Mars is a malicious software (malware) that has been discovered by Trend Micro's Mobile Application Reputation Service (MARS) team. This malware is particularly damaging as it involves two new Android malware families related to cryptocurrency mining and financially-motivated scam campaigns, targeti

Lokibot (type: Unspecified, 1 vote): LokiBot is a malicious software, or malware, that was first reported on October 24, 2020. It is designed to exploit and damage computer systems by infiltrating them through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, LokiBot steals personal information

Lumma Stealer (type: Unspecified, 1 vote): Lumma Stealer is a malicious software (malware) that infiltrates systems primarily to steal personal information, disrupt operations, and exploit vulnerabilities. According to the ESET Threat Report H2 2023, Lumma Stealer gained significant traction in the second half of 2023, with its capabilities

Redline (type: Unspecified, 1 vote): RedLine is a malware designed to exploit and damage computer systems by stealing personal information, disrupting operations, or even holding data hostage for ransom. It has been identified as a favorite infostealer among threat actors selling logs through the marketplace 2easy, which also sells Rac

Stuxnet (type: Unspecified, 1 vote): Stuxnet, a notorious malware discovered in 2010, is one of the most infamous Advanced Persistent Threat (APT) attacks in history. This military-grade cyberweapon was co-developed by the United States and Israel to specifically target Iran's nuclear enrichment facility at Natanz. The Stuxnet worm, a

WannaCry (type: Unspecified, 1 vote): WannaCry is a type of malware, specifically ransomware, that caused significant global disruption in 2017. It exploited Windows SMBv1 Remote Code Execution Vulnerabilities (CVE-2017-0144, CVE-2017-0145, CVE-2017-0143), which allowed it to spread rapidly and infect over 200,000 machines across more t

Lumma (type: Unspecified, 1 vote): Lumma is a prominent malware, particularly known as an information stealer. It is delivered through various means, including suspicious downloads, emails, and websites. In one instance observed by Palo Alto Networks' Unit 42, Lumma was sent over Latrodectus C2 in an infection chain. In another campa
Associated Threat Actors
ID / Type / Votes / Profile Description

Elderwood (type: Unspecified, 2 votes): Elderwood, also known as the Elderwood Group or the Beijing Group, is a notable threat actor believed to be responsible for numerous high-profile cyber attacks and espionage campaigns. The group's activities date back to at least 2005-2006 and have been linked to various significant incidents, inclu

APT17 (type: Unspecified, 1 vote): APT17, also known as Tailgator Team and Deputy Dog, is a threat actor suspected to be affiliated with the Chinese intelligence apparatus. This group has been associated with various aliases including Winnti, PassCV, Axiom, LEAD, BARIUM, Wicked Panda, and GREF. The primary targets of APT17 are the U.
Associated Vulnerabilities
ID / Type / Votes / Profile Description

No associations to display
Source Document References
Information about the Aurora Malware was read from the documents corpus below. This display is limited to 20 results.

Source / Created at / Title

BankInfoSecurity (18 days ago): Cryptocurrency Theft Haul Surges Alongside Crypto Value
BankInfoSecurity (a month ago): Court: HHS Overstepped HIPAA Authority in Web Tracking Guide
BankInfoSecurity (3 months ago): Law Firm to Pay $8M to Settle Health Data Hack Lawsuit
InfoSecurity-magazine (4 months ago): Report Slams Microsoft Security Failures in Government Email Breach
CERT-EU (5 months ago): How AI has already changed coding forever
CERT-EU (5 months ago): Complete Guide to Advanced Persistent Threat (APT) Security
CERT-EU (5 months ago): Scientel Solutions Announces Partnership with UK-based Cybersecurity Company, KryptoKloud
CERT-EU (5 months ago): Cybersecurity, Other USAF Needs Challenging E-7 Price Talks | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
CERT-EU (6 months ago): Database management the easy – and professional – way
BankInfoSecurity (6 months ago): NC Health System Agrees to Pay $6.6M in Web Tracking Case
CERT-EU (7 months ago): Trusted brands embrace online privacy
DARKReading (7 months ago): 10 Years After Yahoo, What's Changed? (Not Much)
CERT-EU (7 months ago): MY TAKE: Rising geopolitical tensions suggest a dire need for tighter cybersecurity in 2024
CERT-EU (7 months ago): MY TAKE: Rising geopolitical tensions suggest a dire need for tighter cybersecurity in 2024 | The Last Watchdog
CERT-EU (a year ago): Boulder County buys controversial phone-hacking tech using money meant to treat, prevent drug addiction | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker - National Cyber Security Consulting
CERT-EU (a year ago): Threat landscape in NZ's energy sector in the spotlight
CERT-EU (a year ago): Warning for anyone who visits adult sites as hackers target users with convincing scam | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker – National Cyber Security Consulting
CERT-EU (a year ago): New Flaw in WordPress Plugin Used by Over a Million Sites Under Active Exploitation
DARKReading (a year ago): The Dark Web Is Expanding (As Is the Value of Monitoring It)
CSO Online (a year ago): Russian hacktivists deploy new AresLoader malware via decoy installers