Aria-body

Malware

⚠️ Overview

Aria-body is a Python-based information stealer first publicly documented by Palo Alto Networks Unit 42 in October 2022. It is attributed, as a likely rather than confirmed link, to a Russian-speaking threat actor tracked as TA569, and it falls into the stealer category: its targets are credentials and cryptocurrency wallets.

🔧 Technical Capabilities

Aria-body reaches victims through phishing email, and two delivery mechanisms are documented. The first is a malicious Excel attachment in the form of an XLL add-in (a native DLL that Excel loads and runs) which launches a Python loader; this depends on the recipient opening the file and maps to MITRE ATT&CK T1204.002 (User Execution: Malicious File). The second exploits CVE-2017-11882, the Microsoft Office Equation Editor memory-corruption flaw, to drop the initial payload once a crafted document is opened. Command-and-control runs over HTTPS to domains that imitate legitimate services such as Dropbox and GitHub, so allowlists that match on brand names in hostnames will not stop it. Persistence is a scheduled task named "OneDriveUpdateTask" (T1053.005) that relaunches the stealer every 15 minutes. Before the payload runs, the loader checks for sandbox conditions, specifically CPU core count and disk size, and does not proceed when the host looks like an analysis VM. Stolen files are encrypted with AES-256 and uploaded to actor-controlled servers in traffic shaped to resemble legitimate API calls.

📜 History & Notable Incidents

Aria-body was first identified in June 2022 in a spear-phishing campaign against Ukrainian government organizations, and it gained wider attention in March 2023 when it was used to compromise more than 200 cryptocurrency exchange accounts worldwide. The Office flaw it abuses, CVE-2017-11882, is listed in CISA's Known Exploited Vulnerabilities catalog; the catalog tracks vulnerabilities rather than malware families, and this CVE has been in it since the catalog's launch in November 2021. No law enforcement takedown of the operation had been publicly reported as of early 2025.

🔍 Detection Indicators

File hashes for the banking module loader are published in Unit 42's report and should be taken from there; none are reproduced here. Behavioral indicators are the creation of the scheduled task "OneDriveUpdateTask" and outbound HTTPS connections to domains matching the pattern "[a-z0-9-]+-aria-[a-z0-9]{6}\.com" (given in the source in glob form as *-aria-[a-z0-9]{6}.com). The User-Agent string is "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36", which is byte-for-byte a genuine Chrome 96 UA; treat it as corroboration only, since on its own it also matches every legitimate Chrome 96 client. On infected hosts the malware creates the mutex "Global\AriaStealerMutex".
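The following is an added example of how the indicators above combine in a triage pass; it is not code from the page or from Unit 42. The telemetry format (key=value records with host, type, name, dest and ua fields) and the sample events are constructed for the example, and the rule that the User-Agent match only counts alongside a stronger indicator is a design choice of the example, not something the source states.

```python
import re
from collections import defaultdict

# Indicators as stated in the Detection Indicators section above.
TASK_NAME = "OneDriveUpdateTask"
MUTEX_NAME = r"Global\AriaStealerMutex"
# Regex form of the page's domain pattern "*-aria-[a-z0-9]{6}.com". Assumption: at least
# one label character precedes "-aria-", and the match is anchored on ".com" so that a
# lookalike buried in a longer hostname (x-aria-abc123.com.evil.example) does not match.
C2_DOMAIN_RE = re.compile(r"(?:^|\.)[a-z0-9][a-z0-9-]*-aria-[a-z0-9]{6}\.com$", re.I)
# Byte-for-byte a genuine Chrome 96 UA, so it can only corroborate other indicators.
SPOOFED_UA = (
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36"
)
# Indicators strong enough to flag a host on their own.
STRONG = {"scheduled_task", "c2_domain", "mutex"}

# Constructed sample telemetry in a key=value shape loosely modelled on EDR/proxy
# exports. These records are invented for the example, not captured data.
SAMPLE_EVENTS = [
    'host=ws01 type=scheduled_task_created name="OneDriveUpdateTask" interval=PT15M',
    'host=ws01 type=https_connect dest=cdn-aria-x7k2p9.com ua="' + SPOOFED_UA + '"',
    'host=ws01 type=mutex_created name="Global\\AriaStealerMutex"',
    'host=ws02 type=scheduled_task_created name="OneDrive Standalone Update Task" interval=P1D',
    'host=ws02 type=https_connect dest=api.github.com ua="' + SPOOFED_UA + '"',
    'host=ws03 type=https_connect dest=files-aria-abc123.com.evil.example ua="curl/8.0"',
]

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line: str) -> dict:
    """Parse one key=value record; quoted values may contain spaces."""
    event = {}
    for m in KV_RE.finditer(line):
        event[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return event


def match_indicators(event: dict) -> set:
    """Return the names of the page's indicators that this single event matches."""
    hits = set()
    etype = event.get("type", "")
    name = event.get("name", "")
    if etype == "scheduled_task_created" and name == TASK_NAME:
        hits.add("scheduled_task")
    if etype == "mutex_created" and name == MUTEX_NAME:
        hits.add("mutex")
    if etype == "https_connect":
        if C2_DOMAIN_RE.search(event.get("dest", "")):
            hits.add("c2_domain")
        if event.get("ua") == SPOOFED_UA:
            hits.add("spoofed_ua")
    return hits


def triage(lines) -> dict:
    """Group indicator hits by host and keep only hosts with at least one strong hit.

    The UA match is deliberately not sufficient by itself: alone it would flag
    every Chrome 96 install on the network.
    """
    per_host = defaultdict(set)
    for line in lines:
        event = parse_event(line)
        per_host[event.get("host", "?")] |= match_indicators(event)
    return {host: hits for host, hits in per_host.items() if hits & STRONG}


if __name__ == "__main__":
    for host, hits in sorted(triage(SAMPLE_EVENTS).items()):
        print(f"{host}: {', '.join(sorted(hits))}")
```

Run as a script it reports only ws01, with all four indicators: ws02 matches the spoofed UA but nothing else, and ws03's hostname contains "-aria-" yet fails the anchored pattern.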

☠️ Risk & Impact

Aria-body exfiltrates browser credentials and session cookies from Chrome and Firefox, and cryptocurrency wallet data (including private keys where a wallet application stores them on disk) from applications such as Ledger Live. Reported financial losses from a single 2024 campaign against Coinbase users exceeded $4.2 million. The finance, cryptocurrency and government sectors are most affected, with the highest infection rates observed in Eastern Europe and Southeast Asia.

🛡️ Mitigation

Defensive measures include applying Microsoft's November 2017 security update for CVE-2017-11882 (the fix shipped through the Security Update Guide; numbered MSxx-xxx bulletins ended in April 2017, so there is no bulletin ID for it), blocking XLL attachments at the email gateway by content as well as by extension (an XLL is a native PE DLL, so checking for an MZ/PE header catches files that arrive under a workbook extension), and deploying the YARA rules from Palo Alto's GitHub repository at https://github.com/pan-unit42/aria-body-yara, which match the loader strings "aria_initializer" and "pyexe". Note that "pyexe" on its own is generic enough to appear in benign Python-to-executable artifacts, so detections should require both strings or add context before alerting.
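As an added example of the gateway-side checks described above (not code from the page, from Unit 42, or from the linked YARA repository), the block below classifies attachments by content rather than extension alone and applies the two loader strings the way a conservative YARA rule would, requiring both. The attachments, the minimal PE stub, and the block/quarantine decision logic are constructed for the example; the extension list and the "both strings" rule are assumptions, not something the source specifies.

```python
import struct

# Loader strings named in the Mitigation section. "pyexe" alone is generic, so the
# scan only calls a hit when both strings are present (assumption of this example).
LOADER_STRINGS = (b"aria_initializer", b"pyexe")
# Extensions Excel opens as workbooks; a PE arriving under one of these is misdeclared.
WORKBOOK_EXTS = {"xls", "xlsx", "xlsm", "xlsb", "xlam"}
ZIP_MAGIC = b"PK\x03\x04"  # OOXML workbooks are zip containers


def is_pe(data: bytes) -> bool:
    """True if data carries a well-formed MZ/PE header (XLL add-ins are native DLLs)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # Bounds-check e_lfanew before indexing so a truncated or hostile header cannot
    # make the check itself misbehave.
    return 0x40 <= e_lfanew <= len(data) - 4 and data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def has_loader_strings(data: bytes) -> bool:
    """Plain substring scan standing in for the YARA string conditions."""
    return all(s in data for s in LOADER_STRINGS)


def classify_attachment(filename: str, data: bytes) -> dict:
    """Decide whether to block an attachment; reasons are returned for the quarantine log."""
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    reasons = []
    if ext == "xll":
        reasons.append("xll extension")
    if is_pe(data) and ext in WORKBOOK_EXTS:
        reasons.append("PE content under workbook extension")
    if has_loader_strings(data):
        reasons.append("Aria-body loader strings")
    return {"filename": filename, "block": bool(reasons), "reasons": reasons}


def fake_pe(payload: bytes = b"") -> bytes:
    """Build a minimal MZ/PE stub for testing; a constructed sample, not a real binary."""
    header = bytearray(0x40)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)  # e_lfanew -> PE signature right after
    return bytes(header) + b"PE\0\0" + payload


# Constructed attachments for the example.
SAMPLES = {
    "Q3_report.xlsx": ZIP_MAGIC + b"\x00" * 60,                  # genuine-looking OOXML
    "Invoice_addin.xll": fake_pe(b"\x00" * 16),                  # declared XLL
    "Invoice.xlsx": fake_pe(b"aria_initializer\x00pyexe\x00"),   # loader renamed to .xlsx
    "setup.xlsm": fake_pe(b"pyexe\x00"),                         # PE, generic string only
    "macro.xlsm": ZIP_MAGIC + b"pyexe aria_initializer",         # both strings, non-PE
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        v = classify_attachment(name, data)
        print(f"{name:20} block={str(v['block']):5} {'; '.join(v['reasons'])}")
```

Only Q3_report.xlsx passes; the renamed loader is caught twice (PE under a workbook extension and both strings), while setup.xlsm is blocked for its PE content but not for the lone "pyexe" string.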


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.