New Oski Stealer Variant, "Mars Stealer", Targets Credentials, Crypto, and 2FA
In early 2020, during the emergence of the COVID-19 pandemic, researchers discovered a novel malware named Oski Stealer, capable of stealing browser data such as cookies, history, payment information, and autofill information, as well as cryptocurrency wallets, login credentials of applications, and Authy 2FA information. It can also take screenshots of your desktop and perform file transfers to, and from, a C2 server.
Oski performed these actions by (allegedly) gaining access to routers with weak admin passwords and modifying DNS settings to hijack Windows Network Connectivity Status Indicator (NCSI) active probes. Windows utilizes these probes to test a computer’s Internet connection by periodically connecting to http://www[.]msftconnecttest[.]com/connecttest.txt and then returning the string inside of the text file – which will always be “Microsoft Connect Test”. If the probe receives the right string as a reply, Windows assumes your Internet connection works. However, a hijacked router can connect to a malicious domain and download a different file — the Oski malware. The malware authors sold Oski on Telegram and in forums for a few months until suddenly in July of that year, they vanished.
Last week, though, Oski has returned as a new variant called “Mars Stealer”. Mars Stealer performs similar actions to its predecessor and has additional anti-reversing and information stealing capabilities. These include obfuscation techniques, anti-analysis techniques, security checks, external DLL dependency downloads, a custom grabber and loader to enable file transfers and file execution, self-removal, and, of course, information-stealing capabilities. Mars Stealer is also being sold as a MaaS on forums and, therefore, can be tweaked to perform different and additional techniques.
Obfuscation Techniques
- String Obfuscation
- Strings within the program are encrypted using Base64 and RC4 encryption.
- Run-Time Dynamic Linking
- Encrypted DLLs are decrypted and loaded at run-time – as opposed to at compile-time – making it more difficult to analyze the malware’s capabilities prior to execution.
Anti-Analysis Techniques
- GetTickCount() & Sleep()
- These two functions are commonly used to prevent analysts from debugging a program and checking if a set amount of time has elapsed. If the amount of time specified is greater than the run time of the execution, then the program exits.
- Anti-Emulation
- This technique checks if the malware is running in an isolated environment or virtual machine.
Security Checks
- GetUserDefaultLangID()
- This is used to detect if a machine has the default language of those in the Commonwealth of Independent States (CIS)
- Mutexes
- To avoid double execution.
- Compilation check
- The malware only executes if the compilation time was within the last month.
External DLL Dependency Downloads
- DLLs are downloaded from the C2, if necessary (known C2: cookreceipts[.]fun).
Custom Loader and Grabber
- Mars Stealer contains a custom loader and a custom grabber to enable file transfers and file execution.
Self-Removal
- Self-Removal removes artifacts of the malware to evade IR countermeasures.
Information Stealing Capabilities
- Mars Stealer targets user data and credentials from the following web browsers:
- Amigo, BlackHawk, BraveCent Browser, Chrome, Chromium, CocCoc, Comodo, CryptoTab Browser, Cyberfox, Elements Browser, Epic Privacy Browser, Firefox, IceCat, K-Meleon, Kometa, Maxthon5, Microsoft Edge, Nichrome, Opera, Opera GX, Opera Neon, Orbitum, Pale Moon, QIP Surf, SlimBrowser, Sputnik, Thunderbird, TorBro, Torch, Uran, Vivaldi, Waterfox
- Mars Stealer targets data from the following web browser extensions:
- Crypto Wallets
- Auro Wallet, Binance Chain Wallet, BitApp Wallet, BitClip, Byone, Clover Wallet, Coin98 Wallet, Coinbase Wallet, Cyano Wallet, DAppPlay, EQUAL Wallet, Guarda, GuildWallet, Hycon Lite Client, ICONex, Jaxx Liberty, KHC, Keplr, LeafWallet, Liquality Wallet, MEW CX, Math Wallet, MetaMask, Nabox Wallet, Nash Extension, NeoLine, Nifty Wallet, OneKey, Polymesh Wallet, Ronin Wallet, Saturn Wallet, Sollet, Steem Keychain, Temple, Terra Station, TezBox, TronLink, Wombat, Yoroi, ZilPay, iWallet
- 2FA Extensions
- Authenticator, Authy, EOS Authenticator, GAuth Authenticator, Trezor Password Manager
- Crypto Wallets
- Mars Stealer targets crypto wallet addresses, seeds, and other sensitive information from:
- Atomic, Binance, Coinomi, Electron Cas, Electrum, Electrum LTC, Ethereum, Exodus, Jax, MultiDoge
As you can see, a variety of applications are affected and it’s very likely you use one or more of these. Thus, it remains important to remain cautious when downloading files from the Internet and clicking on any hyperlinks. Always remember a few rules of thumb:
- Use common sense. Don’t click links that seem suspicious, come from an arbitrary user from seemingly out-of-nowhere, or are attached with a “too good to be true” sentiment such as free money or gift cards.
- Verify before confirming. Verify a domain name, email address, file name, file location, IP address, and so on, before performing any meaningful action, especially if it involves sensitive information.
- Report anomalous behavior. If you work for an organization and your machine is acting weird, in any way, don’t hesitate to report that behavior to an IT or IR expert. It’s better to be safe than sorry.
If you want to learn more about this malware you can review my references below:
https://3xp0rt.com/posts/mars-stealer#browsers-and-2facrypto-extension
https://www.nti.org/education-center/treaties-and-regimes/commonwealth-independent-states-cis/