Fake system update drops Aurora stealer via Invalid Printer loader

Malvertising seems to be enjoying a renaissance as of late, whether it is from ads on search engine results pages or via popular websites. Because browsers are more secure today than they were 5 or 10 years ago, the attacks that we are seeing all involve some form of social engineering.

A threat actor is using malicious ads to redirect users to what looks like a Windows security update. The scheme is very well designed as it relies on the web browser to display a full screen animation that very much resembles what you’d expect from Microsoft.

The fake security update is using a newly identified loader that at the time of the campaign was oblivious to malware sandboxes and bypassed practically all antivirus engines. We wrote a tool to ‘patch’ this loader and identified its actual payload as Aurora stealer. In this blog post, we detail our findings and how this campaign is connected to other attacks.

A convincing “system update”

Windows users are quite familiar with system updates, often interrupting hours of work or popping up in the middle of an intense game. When that happens, they just want to install whatever needs to be installed and get on with their day.

A threat actor is buying popunder ads targeting adult traffic and tricking victims with what appears to a system security update.

easset upload file12739 265978 e

Figure 1: A fake system update hijacks the screen

As convincing as it looks, what you see above is actually a browser window that is rendered in full screen. This becomes more obvious when downloading the update file named ChromeUpdate.exe.

easset upload file94573 265978 eFigure 2: The ‘Chrome update’ downloaded from the web browser

Fully Undetectable (FUD) malware

While the file name appears as ChromeUpdate.exe, it uses the Cyrillic alphabet such that certain characters look similar but are different on disk. Its hex representation is %D0%A1hr%D0%BEm%D0%B5U%D1%80d%D0%B0t%D0%B5.exe as can be seen in the image below:

easset upload file63540 265978 e

Figure 3: Hex encoding and Cyrillic alphabet

When we first ran the sample into a sandbox, we could not see anything obvious or that it was even malicious. The file would simply run and exit quickly. Over a couple of weeks, we collected nine different samples that looked more or less the same.

We also noticed that the threat actor was uploading each of his new builds to VirusTotal, a service owned by Google, to check if they were being detected by antivirus engines. The first user to submit each new sample always uploaded them from Turkey (country code TR) and in many instances the file name looked like it had come fresh from the compiler (i.e. build1_enc_s.exe).

easset upload file62991 265978 e

Figure 4: User submissions to VirusTotal

While VirusTotal is no replacement for a full endpoint security product, with its 70 AV engines it is usually a good indicator to quickly check if a file is malicious or not. For more than 2 weeks, the samples had 0 detection on VT and it wasn’t until a blog post by Morphisec that detections started to appear. This new loader is called Invalid Printer and so far appears to have been used exclusively by this threat actor to bypass security products.

easset upload file80098 265978 e

Figure 5: VirusTotal detections coincide with blog release

We actually stumbled upon Morphisec’s blog thanks to Threatray which identified similarities with a file we submitted to their sandbox. The service’s built-in OSINT identified similar samples and linked them with security articles. 

easset upload file20038 265978 eFigure 6: Threatray analysis page

Patching the loader

Invalid Printer performs a check on the computer’s graphic card and specifically its vendor ID which it compares against known manufacturers such as AMD, NVidia. Virtual machines and sandboxes in general do not use real hardware and will fail to pass the check.

We were able to patch the samples we had collected and identify their payload. The patch consists of replacing the graphics card check with a random number and always returning true, therefore allowing the file to run in any sandbox.

easset upload file84359 265978 eFigure 7: Python script to patch loader

The automated malware unpacking service from OpenAnalysis UnpacMe now supports properly unpacking samples using the Invalid Printer loader. It allowed us to determine what malware family is being distributed as well as indicators of compromise. For example, one of our samples (31c425510fe7f353002b7eb9d101408dde0065b160b089095a2178d1904f3434) has the same command and control server (94.142.138[.]218) as one mentioned in Morphisec’s blog.

easset upload file70894 265978 eFigure 8: UnpacMe results page

In this specific malvertising campaign, the payload used was the Aurora Stealer, a popular piece of malware that is designed to harvest credentials from systems.

Campaign stats

The threat actor is using a panel to track high level stats about visitors to the fake system update web page. Based on the numbers from this panel, there were 27,146 potential unique victims and 585 of them downloaded the malware during the past 49 days.

easset upload file68526 265978 e

Figure 9: Panel showing browser visits and downloads

easset upload file2801 265978 e

Figure 10: Browser user-agents, IP addresses and geolocation

War and Russia references

We believe there is a single threat actor behind this malvertising campaign and others such as the one Morphisec uncovered. The malware author seems to take a very high interest in creating FUD malware and constantly uploads it to VirusTotal to verify, always using the same submitter profile.

We couldn’t help but notice a possible reference to the war in Ukraine left within the fake Chrome Update page and commented out:

easset upload file60946 265978 eFigure 11: Commented HTML code

Some of the websites belonging to this threat actor were not loading malware but instead had a single YouTube video promoting the cities and landscapes of Russia:

easset upload file92521 265978 eFigure 12: YouTube video about Russia in 12K HDR 

Additionally, we found some connections with tech support scams and even an Amadey panel that also appears to belong to the threat actor.


Malwarebytes already protected users from this malvertising campaign by blocking the malicious ads involved. We detect the payloads as Spyware.Aurora.

easset upload file46480 265978 e

easset upload file4963 265978 e

Special thanks to Roberto Santos for help with the sample and binary patching.

Indicators of Compromise

Malvertising gate


Fake system update page


Invalid Printer samples


Aurora Stealer C2


Amadey Stealer panel


Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.