Auraboros RAT - Exposes Keylogging and Cookie Hijacking

A new RAT called Auraboros exposes serious vulnerabilities, including keylogging and cookie hijacking. Its command-and-control panel operates without any security measures, leaving victim data open to anyone who can reach it. Immediate action is needed to secure systems against this threat.


Original reporting: Cyber Security News · Tushar Subhra Dutta

AI summary: CyberPings AI · Reviewed by Rohit Rana

🎯 In short: a new malware lets attackers spy on victims and steal their data, and its control server has no security at all.

What Happened

A previously undocumented remote access trojan (RAT) framework named Auraboros C2 has emerged, and its own infrastructure is alarmingly exposed. The framework enables live surveillance and browser credential theft, while its command-and-control (C2) dashboard operates over plain HTTP with no form of authentication, so victim data is accessible to anyone who can reach the server's port.

How It Works

The C2 panel, hosted on a DigitalOcean server, runs on port 5000 using an Express.js and Socket.io backend. Despite its professional appearance, it has no security controls to restrict access to its management functions or victim data. The entire JavaScript source is downloadable, revealing the framework's architecture.

Auraboros offers extensive capabilities targeting Windows systems, including:

  • Screenshot capture
  • Webcam snapshots
  • Clipboard theft
  • Live keylogging
  • Wi-Fi password extraction
  • Arbitrary shell command execution
  • Cookie impersonation

Who's Being Targeted

The malware primarily targets Windows users, leveraging DLL sideloading to hide its presence. It uses a legitimate executable, DiskIntegrityScanner.exe, to load a malicious DLL that executes a data collection routine, making detection during routine monitoring difficult.

Signs of Infection

Indicators of infection include the presence of DiskIntegrityScanner.exe on endpoints and unusual outbound connections to port 9000 on DigitalOcean-hosted IPs. Organizations should monitor for reverse SOCKS5 activity on port 1080 as well.

How to Protect Yourself

To safeguard against Auraboros, organizations should:

  1. Block the IP address 174.138.43[.]25 at the network perimeter.
  2. Hunt for DiskIntegrityScanner.exe on all endpoints, as it is not a legitimate Windows binary.
  3. Set up alerts for reverse SOCKS5 activity on port 1080.
  4. Report the infrastructure to DigitalOcean’s abuse team.
  5. Monitor for Socket.io polling requests directed to non-standard ports.
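A log triage routine for the indicators listed above (beaconing to port 9000, reverse SOCKS5 on port 1080, Socket.io polling requests to non-standard ports, and the DiskIntegrityScanner.exe sideloading host). This is an added example, not code from the original reporting: the log line format and sample events are constructed, and the default Socket.io path `/socket.io/` with `transport=polling` is assumed from the library's defaults.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample log (not real telemetry). One event per line:
# "<timestamp> <kind> key=value ..." where kind is conn (firewall),
# http (web proxy) or proc (endpoint process inventory).
LOG = """\
2024-01-01T10:00:01Z conn src=10.0.0.5 dst=203.0.113.10 dport=443 proto=tcp
2024-01-01T10:00:02Z conn src=10.0.0.7 dst=198.51.100.8 dport=9000 proto=tcp
2024-01-01T10:00:03Z conn src=10.0.0.7 dst=198.51.100.8 dport=1080 proto=tcp
2024-01-01T10:00:04Z http src=10.0.0.7 url=http://198.51.100.8:5000/socket.io/?EIO=4&transport=polling&t=abc
2024-01-01T10:00:05Z http src=10.0.0.9 url=https://example.com/socket.io/?EIO=4&transport=polling
2024-01-01T10:00:06Z proc host=WS-07 image=C:\\Users\\bob\\AppData\\Local\\Temp\\DiskIntegrityScanner.exe
"""

STANDARD_WEB_PORTS = {80, 443}
# Destination ports called out in the article's indicators.
SUSPECT_PORTS = {9000: "outbound to C2 port 9000", 1080: "reverse SOCKS5 on port 1080"}
SIDELOAD_HOST = "diskintegrityscanner.exe"

def parse(line):
    """Split one constructed log line into (timestamp, kind, {key: value})."""
    ts, kind, rest = line.split(" ", 2)
    fields = dict(kv.split("=", 1) for kv in rest.split(" "))
    return ts, kind, fields

def check(line):
    """Return a finding string if the event matches an Auraboros indicator, else None."""
    ts, kind, f = parse(line)
    if kind == "conn" and int(f["dport"]) in SUSPECT_PORTS:
        return f"{ts} {f['src']} -> {f['dst']}: {SUSPECT_PORTS[int(f['dport'])]}"
    if kind == "http":
        u = urlsplit(f["url"])
        port = u.port or (443 if u.scheme == "https" else 80)
        polling = parse_qs(u.query).get("transport") == ["polling"]
        # Socket.io long-polling to a port other than 80/443 (assumed default path).
        if u.path.startswith("/socket.io/") and polling and port not in STANDARD_WEB_PORTS:
            return f"{ts} {f['src']} -> {u.hostname}:{port}: Socket.io polling on non-standard port"
    if kind == "proc":
        image = f["image"].replace("\\", "/").rsplit("/", 1)[-1].lower()
        if image == SIDELOAD_HOST:
            return f"{ts} {f['host']}: {SIDELOAD_HOST} present ({f['image']})"
    return None

def hunt(log_text):
    """Run every non-empty line through check() and collect the findings in order."""
    return [hit for hit in (check(l) for l in log_text.splitlines() if l.strip()) if hit]

if __name__ == "__main__":
    for finding in hunt(LOG):
        print(finding)
```

The benign line to example.com over 443 and the port-443 connection produce no finding, so the routine separates ordinary Socket.io traffic from the non-standard-port pattern the article describes.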

Conclusion

The emergence of the Auraboros RAT highlights significant security risks associated with unprotected C2 panels. Organizations must act swiftly to mitigate potential threats and protect sensitive data from unauthorized access.

🔒 Pro Insight

The use of DLL sideloading in Auraboros RAT exemplifies advanced evasion techniques, complicating detection efforts for security teams.
