Mars Stealer is a stealthy and powerful malware with only 95 KB but capable of stealing a large volume of data. According to 3xp0rt analysis, this is a redesigned variant of the Oski trojan that stopped its operation in July 2020. Its authors closed the Telegram channel and stopped all activity, including communication with their clients. Later, in July 2021, Mars Stealer began to be promoted on a Russian-speaking underground forum. [CLICK IMAGES TO ENLARGE]

Figure 1: Mars Sstealer announced on an underground forum in 2021 (source).

How Mars Stealer malware works

Mars Stealer takes advantage of several techniques to be stealthy. The malware strings are obfuscated and decrypted in run time using the RC4 algorithm and Base64 combinations. 

Figure 2: Mars Stealer obfuscated strings. By implementing a simple strings decryptor, obtaining all the plain-text strings is possible, as observed in Figure 3. In detail, the RC4 key “86223203794583053453” is extracted from an initialization function responsible for starting the decryption process. The “key” is also highlighted below.

Figure 3: String’s decryptor of Mars Stealer malware (source). After decrypting the malware strings, some internal procedures became more apparent. This new variant uses anti-analysis techniques, namely anti-debug and emulation procedures. Figure 4: Anti analysis techniques found during the malware analysis. In detail, the malware obtains the computer name and compares it with a hardcoded string, probably the development hostname. If it matches, then the malware stops its activity. Also, queries to the GetUserDefaultLangID() WinCall are performed to skip machines’ infections from the Commonwealth of Independent States (CIS). This function can be disabled when new samples are generated, as observed later.

The malware downloads some target DLLs from its C2 server during its execution. These DLLs are the malware dependencies used to support all the malicious operations when data is exfiltrated from popular web browsers. After decrypting the strings, it’s possible to see the flow responsible for downloading the DLL files into the “C:\ProgramData” folder. Figure 5: Target DLLs download from Mars Stealer C2 server during the malware execution. As observed, all the addressed DLLs are available to download on the Mars stealer C2 server along with its web panel, also detailed towards the end of this article.

Figure 6: Target DLLs (dependencies) available on the C2 server.

Mars Stealer targets

Mars Stealer uses a custom capturer capable of retrieving its configuration on C2 to then attack the following applications:

Internet Applications

Figure 7: Internet applications targeted by Mars Stealer (source).

2FA applications

Crypto extensions

Figure 8: Browser extensions found inside the malware sample (source).

Crypto wallets

Figure 9: Crypto wallets targeted by Mars Stealer (source).

Mars Stealer web-panel

Mars Stealer is being sold for approximately $160. The files include the web panel with all needed data to propagate new campaigns and the malware builder to generate new samples. Regarding the web panel, a PHP panel with a MySQL database engine is used by criminals to take control over all the exfiltrated information and victims’ machines. Figure 10 shows the web-panel structure and the db.php file with the database configuration.

Figure 10: Internal structure of the Mars stealer web panel (C2 server). The main dashboard provides information on the collected information, as observed below.

Figure 11: Screenshots of Mars stealer web panel (source). On the other hand, a builder is also provided in the same bundle. This application is capable of generating new samples of this specific Mars Stealer version (6.1), and some fields can be introduced, namely:

C2 hostname C2 gate.php file location (file that receives all the information from victims and parses them) Code encryption pass; and the possibility of disabling CIS check

Figure 12: Mars Stealer builder.

The threat of Mars Stealer 

Mars Stealer is a new and different malware in contrast to other popular and emergent threats. This piece of software was designed within a stealthy approach, in order to maintain the threat active for a long time. The real targets of this malware are crypto-wallets, and because of that, some steps need to be taken to prevent potential infections. In the first place, backups are a rule of thumb to fight any cyberattack. It’s mandatory to keep backup copies of your wallet files and their private keys safe and secure. To circumvent the Mars Stealer’s intent, the usage of wallets that offer offline storage is the most suitable solution. For instance, using a simple paper wallet for single keys can be very effective. However, if you need to store a larger volume of crypto assets, consider using a hardware wallet. These physical devices can store private keys away from your computer offline and provide an extra layer of security. Your assets will be safe from potential attacks with this approach in place.  

Sources:

Mars stealer analysis, 3xp0rt Oski threat, CyberArkl Cookies hijack, Segurança Informática