A sophisticated loader called “in2al5d p3in4er” (read as “invalid printer”) has been identified by cybersecurity researchers. The loader delivers the Aurora information stealer and uses anti-virtual-machine checks so that it runs only on real endpoint workstations and not inside analysis sandboxes.
According to a report by Morphisec, the loader is compiled with Embarcadero RAD Studio, a development environment that can produce executables for multiple platforms; binaries built with this uncommon toolchain attract few detections from antivirus engines.
The loader’s key anti-VM check queries the vendor ID of the installed graphics card and compares it against an allowlist of expected GPU vendors: AMD, Intel and NVIDIA. Virtual machines and sandboxes typically expose an emulated display adapter whose vendor ID is not on that list.
If the vendor ID does not match, the loader terminates. Otherwise it decrypts the final payload and either allocates memory for the decrypted content and executes it from there, or uses process hollowing to inject it into a legitimate “sihost.exe” process.
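The vendor-ID gate described above, reconstructed as an added example (this is not the loader’s own code nor anything from the Morphisec report): it parses the `VEN_xxxx` field of Windows PNPDeviceID strings, applies the AMD/Intel/NVIDIA allowlist, and reports what a sandbox’s adapter would look like. The virtual-adapter vendor table and the sample PNPDeviceID strings are constructed here for illustration; a defender can run the same logic against a real machine to see whether an analysis VM would cause the loader to exit.

```python
import platform
import re
import subprocess
from typing import Iterable, List, Optional

# PCI vendor IDs of the three GPU vendors the loader is reported to allow.
ALLOWED_GPU_VENDORS = {
    0x1002: "AMD",
    0x10DE: "NVIDIA",
    0x8086: "Intel",
}

# Vendor IDs of common virtual display adapters. This is a reference list
# assumed for the example, not something taken from the loader.
VIRTUAL_DISPLAY_VENDORS = {
    0x15AD: "VMware",
    0x80EE: "VirtualBox",
    0x1AF4: "Red Hat / QEMU virtio",
    0x1234: "QEMU standard VGA",
    0x1414: "Microsoft Hyper-V",
}

_VEN_RE = re.compile(r"VEN_([0-9A-Fa-f]{4})", re.IGNORECASE)


def parse_vendor_id(pnp_device_id: str) -> Optional[int]:
    """Extract the PCI vendor ID from a Windows PNPDeviceID string such as
    'PCI\\VEN_10DE&DEV_2484&SUBSYS_...'. Returns None when the string has no
    VEN_ field, e.g. 'ROOT\\BasicDisplay\\0000' (Microsoft Basic Display)."""
    match = _VEN_RE.search(pnp_device_id)
    return int(match.group(1), 16) if match else None


def gpu_check_passes(pnp_device_ids: Iterable[str]) -> bool:
    """Reconstruction of the described anti-VM gate: the check passes if any
    display adapter's vendor ID is on the AMD/Intel/NVIDIA allowlist."""
    return any(parse_vendor_id(dev) in ALLOWED_GPU_VENDORS for dev in pnp_device_ids)


def describe_adapter(pnp_device_id: str) -> str:
    """Human-readable classification of one adapter, for sandbox triage."""
    vid = parse_vendor_id(pnp_device_id)
    if vid is None:
        return "unknown (no PCI vendor ID)"
    if vid in ALLOWED_GPU_VENDORS:
        return f"{ALLOWED_GPU_VENDORS[vid]} (allowed)"
    if vid in VIRTUAL_DISPLAY_VENDORS:
        return f"{VIRTUAL_DISPLAY_VENDORS[vid]} (virtual)"
    return f"vendor 0x{vid:04X} (not on allowlist)"


def live_pnp_ids() -> List[str]:
    """On Windows, query the real display adapters via Win32_VideoController.
    Returns an empty list on other platforms so the example runs anywhere."""
    if platform.system() != "Windows":
        return []
    cmd = [
        "powershell", "-NoProfile", "-Command",
        "Get-CimInstance Win32_VideoController | "
        "Select-Object -ExpandProperty PNPDeviceID",
    ]
    out = subprocess.run(cmd, capture_output=True, text=True, check=False).stdout
    return [line.strip() for line in out.splitlines() if line.strip()]


# Constructed sample PNPDeviceID strings: a physical NVIDIA card, a VMware
# SVGA adapter, and the generic Basic Display adapter seen in Hyper-V guests.
SAMPLE_HOSTS = {
    "physical workstation": [
        "PCI\\VEN_10DE&DEV_2484&SUBSYS_146D10DE&REV_A1\\4&2E8F1B3&0&0008",
    ],
    "VMware sandbox": [
        "PCI\\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\\3&2B8E0B4B&0&78",
    ],
    "Hyper-V sandbox": ["ROOT\\BasicDisplay\\0000"],
}

if __name__ == "__main__":
    for name, ids in SAMPLE_HOSTS.items():
        verdict = "runs payload" if gpu_check_passes(ids) else "exits"
        print(f"{name}: {verdict}")
        for dev in ids:
            print(f"  {dev} -> {describe_adapter(dev)}")
    real = live_pnp_ids()
    if real:
        print("this machine:", "runs payload" if gpu_check_passes(real) else "exits")
```

The defensive takeaway is that this gate is a weak, brittle signal: an analysis VM only needs to present an adapter whose vendor ID is 0x1002, 0x10DE or 0x8086 (for example through GPU passthrough) and the loader proceeds to its payload stage.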
Because the loader is built with Embarcadero RAD Studio and its “BCC64.exe” C++ compiler, the resulting binaries have a very low detection rate on VirusTotal and fall outside the indicators that security vendors typically rely on. The campaign lures victims through YouTube videos and SEO-optimized websites offering cracked software, which send them to fake download domains where they are tricked into installing the malware themselves.
The in2al5d p3in4er loader is part of a high-impact campaign that relies on social engineering to distribute the stealer. The findings show threat actors using YouTube as a malware distribution channel and steering viewers to fake websites. Separately, AresLoader, a different malware loader discovered by Intel 471, is believed to have been developed by a group with connections to Russian hacktivist activity.
In short, in2al5d p3in4er is a little-documented loader that delivers the Aurora information stealer. It combines anti-VM checks, social-engineering distribution, and an uncommon compiler toolchain to evade detection.