Mars Stealer is a stealthy and powerful malware with only 95 KB but capable of stealing a large volume of data. According to the 3xp0rt analysis, this is a redesigned variant of the Oski trojan that stopped its operation in July 2020. Its authors closed the Telegram channel and stopped all activity, including communication with their clients. Later, in July 2021, Mars Stealer began to be promoted on a Russian-speaking underground forum.

Figure 1: Mars Stealer announced on an underground forum in 2021 (source).

Mars Stealer takes advantage of several techniques to be stealthy. The malware strings are obfuscated and decrypted at run time using a combination of the RC4 algorithm and Base64.

Figure 2: Mars Stealer obfuscated strings.

By implementing a simple string decryptor, it is possible to obtain all the plain-text strings, as observed in Figure 3. In detail, the RC4 key “86223203794583053453” is extracted from an initialization function responsible for starting the decryption process. The key is also highlighted below.

Figure 3: String decryptor of Mars Stealer malware (source).

After decrypting the malware strings, some internal procedures became more apparent. This new variant uses anti-analysis techniques, namely anti-debug and anti-emulation procedures.

Figure 4: Anti-analysis techniques found during the malware analysis.

In detail, the malware obtains the computer name and compares it with a hardcoded string, probably the development hostname. If it matches, the malware stops its activity. Also, queries to the GetUserDefaultLangID() Windows API call are performed to skip infecting machines from the Commonwealth of Independent States (CIS). This check can be disabled when new samples are generated, as observed later.

The malware downloads some target DLLs from its C2 server during its execution. These DLLs are the malware dependencies used to support all the malicious operations when data is exfiltrated from popular web browsers. After decrypting the strings, it is possible to see the flow responsible for downloading the DLL files into the “C:\ProgramData” folder.

Figure 5: Target DLLs downloaded from the Mars Stealer C2 server during the malware execution.

As observed, all the addressed DLLs are available to download on the Mars Stealer C2 server along with its web panel, also detailed towards the end of this article.

Figure 6: Target DLLs (dependencies) available on the C2 server.

Mars Stealer uses a custom capturer capable of retrieving its configuration from the C2 to then attack the following applications.

Internet applications: Google Chrome, Internet Explorer, Microsoft Edge (Chromium version), Kometa, Amigo, Torch, Orbitium, Comodo Dragon, Nichrome, Maxxthon5, Maxxthon6, Sputnik Browser, Epic Privacy Browser, Vivaldi, CocCoc, Uran Browser, QIP Surf, Cent Browser, Elements Browser, TorBro Browser, CryptoTab Browser, Brave, Opera Stable, Opera GX, Opera Neon, Firefox, SlimBrowser, PaleMoon, Waterfox, CyberFox, BlackHawk, IceCat, K-Meleon and Thunderbird.

Figure 7: Internet applications targeted by Mars Stealer (source).
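The string decryptor described above (Base64 plus RC4 with the key “86223203794583053453”) can be reproduced in a few lines for triage. The following is an added analyst-side example, not code from the original article or from the malware; it assumes the layout is Base64 wrapping RC4 ciphertext and that one global key serves all strings, both of which an analyst should confirm against the sample. The encrypted samples it decodes are constructed here via the inverse helper, and `rc4_self_check()` validates the RC4 routine against the public “Key”/“Plaintext” test vector so a mistake in the cipher is caught before any real strings are trusted.

```python
import base64
import binascii

# RC4 key reported in the Mars Stealer analysis above (value taken from the article).
MARS_RC4_KEY = b"86223203794583053453"


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). RC4 is symmetric: the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation, XOR with keystream
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def rc4_self_check() -> bool:
    """Known-answer test from the public RC4 test vectors: key 'Key', plaintext 'Plaintext'."""
    return rc4(b"Key", b"Plaintext").hex() == "bbf316e8d940af0ad3"


def decrypt_string(blob: str, key: bytes = MARS_RC4_KEY) -> str:
    """Assumed layout: Base64(RC4(plaintext)). Strict Base64 so garbage input raises."""
    raw = base64.b64decode(blob, validate=True)
    return rc4(key, raw).decode("utf-8", errors="replace")


def encrypt_string(plain: str, key: bytes = MARS_RC4_KEY) -> str:
    """Inverse of decrypt_string; used here only to build constructed sample blobs."""
    return base64.b64encode(rc4(key, plain.encode("utf-8"))).decode("ascii")


def decrypt_all(blobs, key: bytes = MARS_RC4_KEY):
    """Decrypt a batch of extracted blobs; entries that are not valid Base64 become None."""
    results = []
    for blob in blobs:
        try:
            results.append(decrypt_string(blob, key))
        except (binascii.Error, ValueError):
            results.append(None)
    return results


# Constructed samples (hypothetical, not strings recovered from a real sample): plaintexts
# chosen to resemble the kind of content the article recovers, then encrypted with the key.
CONSTRUCTED_BLOBS = [encrypt_string(s) for s in (
    "C:\\ProgramData",
    "GetUserDefaultLangID",
)]

if __name__ == "__main__":
    assert rc4_self_check(), "RC4 implementation failed its known-answer test"
    for blob, plain in zip(CONSTRUCTED_BLOBS, decrypt_all(CONSTRUCTED_BLOBS)):
        print(f"{blob} -> {plain!r}")
```

In practice the blobs would be pulled from the binary (for example, every Base64-looking argument passed to the decryption routine seen in Figure 3) and fed to `decrypt_all`; anything that decodes to non-printable bytes is a hint that either the key or the assumed Base64/RC4 order is wrong for that string.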