Mars Stealer is an information-stealing malware that first appeared on hacking forums in June 2021, a year after its predecessor Oski Stealer was discontinued in June 2020. Mars Stealer can target or ‘support’ over 50 crypto wallets and extensions, is multi-functional, and avoids detection. In addition, its low price on the malware market has attracted significant attention from threat actor(s) looking to add this effective malware to their arsenal.
eSentire's Threat Response Unit (TRU) team previously published a TRU Positive that summarized the investigation of a single incident and gave recommendations regarding Mars Stealer malware. This blog post delves deeper into the technical details gathered during the research and analysis of that Mars Stealer TRU Positive.
The first mention of Mars Stealer appeared on Russian-speaking forums in June 2021 and at the time, it was being sold for $140 a month (Exhibit 1).
Mars Stealer allegedly ‘supports’, or is capable of, harvesting data from common browsers, crypto wallets, and two-factor authentication (2FA) and crypto extensions. Since the release of Mars Stealer, eSentire’s Threat Response Unit (TRU) team has observed a number of cracked versions being distributed by a reverse engineer who goes by the username ‘LLCPPC’. The latest version is Mars Stealer v8 (Exhibit 2).
Mars Stealer has been delivered as a drive-by download via cloned websites for known software, such as OpenOffice. The malware is also distributed as patching software and keygens on gaming forums. In the incident observed by eSentire, the stealer was delivered via the NetSupportManager RAT.
Initial access occurred when the victim visited a malicious website hosting an ISO image named ChromeSetup.iso (hxxps[:]//googleglstatupdt[.]com/LEND/ChromeSetup[.]iso).
The ISO image contained ChromeSetup.exe, which carried an embedded NetSupportManager RAT and a Chrome Updater inside a cabinet (CAB) archive (Exhibits 3-4).
The NetSupportManager RAT was renamed by the attacker to ‘21m_18_033.exe’. The RAT was installed alongside the updater when the victim opened ChromeSetup.exe. The RAT achieved persistence via a Startup LNK file placed at the following path:
The LNK runs the RAT from C:\Users\*\AppData\Roaming\WinSupports\client32.exe after each reboot.
It is worth noting that attacks involving RATs usually do not proceed through the full infection chain as soon as the user executes the initial payload. The attacker needs additional time to connect to the RAT and load further payloads. In the incident we analyzed, the attacker’s movement in the network can be observed in Exhibit 5.
aNpRAHx.exe (original name: 3uAirPlayer.exe) was used to plant the following AutoIt scripts on the victim’s workstation under the path C:\Users\*\AppData\Local\Temp\IXP001.TMP:
The scripts were embedded within the CAB file of the executable (Exhibits 6-7).
The AutoIt scripts were highly obfuscated. Within the aNpRAHx.exe resources, there was a POSTRUNPROGRAM section that contained the following command:
The same post-run command was also responsible for running the following commands on the host:
As indicated above, vai.wmd is the script responsible for loading additional dependencies as well as Mars Stealer. The variable $ARZURr holds the obfuscated Mars Stealer payload (Exhibit 9). The RC4 key was derived from the following pattern:
The pattern subtracts 7 from each stored value and converts the result to its ASCII character. The resulting RC4 key used to decrypt Mars Stealer is “344868553478223918282826525”.
After decrypting the binary (Exhibit 10), there appeared to be another layer of obfuscation on the file, which is removed at runtime.
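The following Python routine, added here as an illustration rather than code from the post or from the malware, reverses the "subtract 7" key pattern and RC4-decrypts the blob it protects. The obfuscated pattern (each key character stored shifted up by 7) and the ciphertext are constructed; the MZ check only reports whether a PE header surfaced, since the post notes a further obfuscation layer remained after the RC4 step.

```python
"""Reverse the AutoIt 'subtract 7' key pattern and RC4-decrypt the blob it
protects. Added example, not code from the post or from the malware; the
obfuscated pattern and the ciphertext below are constructed."""
from typing import Iterable, Tuple

# Constructed stand-in for the AutoIt pattern: every key character is stored
# shifted up by 7, and the script subtracts 7 from each value before Chr().
OBFUSCATED_KEY_PATTERN = [ord(c) + 7 for c in "344868553478223918282826525"]


def derive_rc4_key(pattern: Iterable[int]) -> str:
    """Subtract 7 from each value and convert the result to its ASCII char."""
    return "".join(chr(v - 7) for v in pattern)


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):                          # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                             # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def decrypt_embedded_payload(pattern: Iterable[int], blob: bytes) -> Tuple[bytes, bool]:
    """Derive the key, decrypt, and report whether a PE header surfaced.

    The post notes that another obfuscation layer remained after the RC4 step,
    so a missing MZ header here means 'keep unpacking', not 'wrong key'."""
    key = derive_rc4_key(pattern).encode("ascii")
    plain = rc4(key, blob)
    return plain, plain[:2] == b"MZ"


# Constructed sample: a fake PE stub encrypted with the derived key.
SAMPLE_PLAINTEXT = b"MZ\x90\x00" + b"This program cannot be run in DOS mode."
SAMPLE_CIPHERTEXT = rc4(
    derive_rc4_key(OBFUSCATED_KEY_PATTERN).encode("ascii"), SAMPLE_PLAINTEXT
)

if __name__ == "__main__":
    print("RC4 key:", derive_rc4_key(OBFUSCATED_KEY_PATTERN))
    plain, is_pe = decrypt_embedded_payload(OBFUSCATED_KEY_PATTERN, SAMPLE_CIPHERTEXT)
    print("PE header present:", is_pe, plain[:2])
```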
Without fully deobfuscating the AutoIt script, we converted the script into an executable and proceeded with debugging (Exhibit 11). Using the debugger, we were able to extract the deobfuscated Mars Stealer executable. It should be noted that Mars Stealer loads its own copy of NTDLL.DLL under a different name (Exhibit 12) and uses that copy to inject itself into the explorer.exe process at runtime (Exhibits 13-14). A similar technique was observed in Oasis Stealer and thoroughly described by malware analyst hasherezade.
Endpoint Detection and Response (EDR) tools use API hooking to monitor suspicious processes in real time. It is common practice for EDR solutions to hook the functions exported from NTDLL.DLL: the library has no other DLL (Dynamic Link Library) dependencies, and it exports the Native API functions that malware developers frequently abuse. To bypass EDR detection, attacker(s) therefore load their own, unhooked copy of NTDLL.DLL (Exhibit 15).
It is also worth noting that another executable, consoleappmrss.exe, was dropped via the remote session on the victim’s machine. The executable contained an embedded file named Installer_ovl.exe, which was written in C#.
The executable connected to a shortened URL (tiny[.]one) pointing to a Discord CDN in order to retrieve another file named DebugViewPortable_4_90_Release_3_English_online_Auejpzlt.bmp (Exhibit 16).
At the time of the analysis, the link to the BMP file was not accessible. We believe that the attacker(s) tried to retrieve additional payloads, but the attempt was unsuccessful.
The deobfuscated Mars Stealer was written in ASM/C and approximately 162KB in size. The compilation date was March 29, 2022, which suggests that the attacker(s) modified the stealer right before shipping it onto the victim’s machine.
The stealer includes anti-debugging and anti-sandbox features:
The sample also performs anti-emulation checks for the Windows Defender Antivirus emulator by looking for the values HAL9TH and JohnDoe, the computer name and user name used inside that emulator (Exhibit 19).
Mars Stealer will exit if the following languages are detected (Exhibit 20):
The language checks are also performed within the Mars Stealer panel (Exhibit 21).
The strings in the .rdata section are XOR-encoded (XOR, or "exclusive or", is a logical operator that yields true if exactly one of two conditions is true) with different keys, as shown in Exhibit 22. The first batch of decrypted strings consists mostly of API names (Exhibit 23).
From another batch of decrypted strings, we can observe the following (Exhibit 24):
Mars Stealer avoids reinfecting a host by checking for a mutex named 67820366929896267194. If the mutex already exists, the host returns the code ERROR_ALREADY_EXISTS (183) and the stealer quits running (Exhibit 25).
Mars Stealer has grabber and loader capabilities. The grabber functionality allows the attacker(s) to specify what files to collect, from which paths and the maximum file size. The following constant paths allow Mars Stealer to grab a victim’s data (Exhibit 26):
The loader allows the attacker(s) to upload additional payloads to the infected host including the modified/upgraded version of Mars Stealer. The loader functionality has the same constant paths mentioned above. The attacker(s) can enable the “Cold Wallet” option in the Loader panel, but it only works if the infected machine stores files related to crypto wallets and plugins (Exhibit 27).
As a part of the configuration, the attacker(s) can set up a Telegram Bot, which is used to receive the logs from infected machines. The settings panel also allows the attacker(s) to enable the following folders/files to collect:
The attacker(s) can also choose the “Build self-delete” option to remove the stealer from the infected machine. The self-delete command is executed via the command line (Exhibit 28):
It is worth mentioning that the attacker(s) can replace the cryptocurrency and 2FA authenticator extensions in their own browser with the copies collected from the victim’s machine and thereby gain access to the victim’s accounts. Here is the list of cryptocurrency extensions the stealer collects:
| Crypto wallet | Extension ID |
| --- | --- |
| TronLink | ibnejdfjmmkpcnlpebklmnkoeoihofec |
| MetaMask | nkbihfbeogaeaoehlefnkodbefgpgknn |
| Binance Chain Wallet | fhbohimaelbohpjbbldcngcnapndodjp |
| Yoroi | ffnbelfdoeiohenkjibnmadjiehjhajb |
| Nifty Wallet | jbdaocneiiinmjbjlgalhcelgbejmnid |
| Math Wallet | afbcbjpbpfadlkmhmclhkeeodmamcflc |
| Coinbase Wallet | hnfanknocfeofbddgcijnmhnfnkdnaad |
| Guarda | hpglfhgfnhbgpjdenjgmdgoeiappafln |
| EQUAL Wallet | blnieiiffboillknjnepogjhkgnoapac |
| Jaxx Liberty | cjelfplplebdjjenllpjcblmjkfcffne |
| BitApp Wallet | fihkakfobkmkjojpchpfgcmhfjnmnfpi |
| iWallet | kncchdigobghenbbaddojjnnaogfppfj |
| Wombat | amkmjjmmflddogmhpjloimipbofnfjih |
| MEW CX | nlbmnnijcnlegkjjpcfjclmcfggfefdm |
| GuildWallet | nanjmdknhkinifnkgdcggcfnhdaammmj |
| Saturn Wallet | nkddgncdjgjfcddamfgcmfnlhccnimig |
| Ronin Wallet | fnjhmkhhmkbjkkabndcnnogagogbneec |
| NeoLine | cphhlgmgameodnhkjdmkpanlelnlohao |
| Clover Wallet | nhnkbkgjikgcigadomkphalanndcapjk |
| Liquality Wallet | kpfopkelmapcoipemfendmdcghnegimn |
| Terra Station | aiifbnbfobpmeekipheeijimdpnlpgpp |
| Keplr | dmkamcknogkgcdfhhbddcghachkejeap |
| Sollet | fhmfendgdocmcbmfikdcogofphimnkno |
| Auro Wallet | cnmamaachppnkjgnildpdmkaakejnhae |
| Polymesh Wallet | jojhfeoedkpkglbfimdfabpdfjaoolaf |
| ICONex | flpiciilemghbmfalicajoolhkkenfel |
| Nabox Wallet | nknhiehlklippafakaeklbeglecifhad |
| KHC | hcflpincpppdclinealmandijcmnkbgn |
| Temple | ookjlbkiijinhpmnjffcofjonbfbgaoc |
| TezBox | mnfifefkajgofkcjkemidiaecocnkjeh |
| Cyano Wallet | dkdedlpgdmmkkfjabffeganieamfklkm |
| Byone | nlgbhdfgdhgbiamfdfmbikcdghidoadd |
| OneKey | infeboajgfhgbjpjbeppbkgnabfdkdaf |
| LeafWallet | cihmoadaighcejopammfbmddcmdekcje |
| DAppPlay | lodccjjbdhfakaekdiahmedfbieldgik |
| BitClip | ijmpgkjfkbfhoebgogflfebnmejmfbml |
| Steem Keychain | lkcjlnjfpbikmcmbachjpdbijejflpcm |
| Nash Extension | onofpnbbkehpmmoabgpcpmigafmmnjhl |
| Hycon Lite Client | bcopgchhojmggmffilplmbdicgaihlkp |
| ZilPay | klnaejjgbibmhlephnhpmaofohgkpgkd |
| Coin98 Wallet | aeachknmefphepccionboohckonoeemg |
Below is the list of 2FA Authenticator extensions:
| 2FA Authenticator | Extension ID |
| --- | --- |
| Authenticator | bhghoamapcdpbohphigoooaddinpkbai |
| Authy | gaedmjdfmmahhbjefcbgaolhhanlaolb |
| EOS Authenticator | oeljdldpnmdbchonielidgobddffflal |
| GAuth Authenticator | ilgcnhelpchnceeipipijaljkblbcobl?hl=ru |
| Trezor Password Manager | imloifkgjagghnncjkhggdhalmcnfklk?hl=ru |
Moreover, the stealer gathers the credentials and sensitive data from numerous browsers and crypto wallets (Exhibit 29).
Supported browsers:
Internet Explorer, Microsoft Edge, Google Chrome, Chromium, Microsoft Edge (Chromium version), Kometa, Amigo, Torch, Orbitum, Comodo Dragon, Nichrome, Maxthon5, Maxthon6, Sputnik Browser, Epic Privacy Browser, Vivaldi, CocCoc, Uran Browser, QIP Surf, Cent Browser, Elements Browser, TorBro Browser, CryptoTab Browser, Brave Browser, Opera Stable, Opera GX, Opera Neon, Firefox, SlimBrowser, PaleMoon, Waterfox, Cyberfox, BlackHawk, IceCat, KMeleon, Thunderbird
Supported crypto wallets:
Dogecoin, Zcash, DashCore, LiteCoin, Ethereum, Electrum, Electrum LTC, Exodus, Electron Cash, MultiDoge, JAXX, Atomic, Binance, Coinomi
The infected machine occasionally sends POST requests to http://162.33.178[.]122/fakeurl.htm, which is a NetSupportManager server (Exhibit 30).
The infected host then contacts the Mars Stealer C2 server (/request) to fetch additional DLL dependencies (Exhibit 31):
The infected machine then sends out the collected data including RDP credentials and certificates in a ZIP archive to Mars Stealer C2 (Exhibit 32).
The following is an example of the exfiltrated data and the contents of the previously mentioned system.txt file (Exhibit 33).
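As an added example (not eSentire's detection content), the following Python scans web-proxy log lines for the network indicators and behaviours described above: the ISO hosting domain, NetSupportManager beaconing to /fakeurl.htm, and the Mars Stealer /request call. The log format and the sample lines are constructed; the hosts are the ones from this post's indicator table, written undefanged so they can be matched.

```python
"""Scan proxy log lines for the network indicators and behaviours this post
describes. Added example, not eSentire's detection content; the log format and
the sample lines are constructed, the hosts come from the post's IoC table."""
import re

# Indicators listed in the post (defanged there; plain here for matching).
IOC_HOSTS = {
    "googleglstatupdt.com": "Hosting ChromeSetup ISO",
    "zrianevakn1.com": "NetSupportManager RAT C2",
    "162.33.178.122": "NetSupportManager RAT C2",
    "5.45.84.214": "Mars Stealer C2",
}

# Constructed line format: "<timestamp> <client_ip> <method> <url> <status>"
LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3})$")


def classify(line):
    """Return a finding dict for one log line, or None when nothing matches."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, status = m.groups()
    host, _, rest = url.split("://", 1)[-1].partition("/")
    path = "/" + rest
    reasons = []
    if host in IOC_HOSTS:
        reasons.append("known indicator: " + IOC_HOSTS[host])
    if method == "POST" and path == "/fakeurl.htm":
        reasons.append("NetSupport Manager beacon to /fakeurl.htm")
    # The bare /request path is weak evidence on its own; it is reported so an
    # analyst can correlate it with the C2 hosts above.
    if path == "/request" or path.startswith("/request?"):
        reasons.append("Mars Stealer-style /request dependency fetch")
    if path.lower().endswith(".iso"):
        reasons.append("ISO download (drive-by delivery vector)")
    if not reasons:
        return None
    return {"ts": ts, "client": client, "host": host, "path": path,
            "status": status, "reasons": reasons}


def scan_proxy_log(text):
    """Classify every line and keep only the ones that produced a finding."""
    return [f for f in map(classify, text.splitlines()) if f]


# Constructed sample traffic mirroring the chain described in the post.
SAMPLE_LOG = """\
2022-04-01T10:00:01Z 10.0.0.12 GET https://googleglstatupdt.com/LEND/ChromeSetup.iso 200
2022-04-01T10:03:15Z 10.0.0.12 POST http://162.33.178.122/fakeurl.htm 200
2022-04-01T10:04:02Z 10.0.0.12 POST http://5.45.84.214/request 200
2022-04-01T10:05:00Z 10.0.0.33 GET https://example.org/index.html 200
"""

if __name__ == "__main__":
    for finding in scan_proxy_log(SAMPLE_LOG):
        print(finding["client"], finding["host"], "; ".join(finding["reasons"]))
```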
During the analysis of Mars Stealer, we observed a number of similarities with Oski Stealer including anti-emulation and self-removal capabilities, language checks, loader, and grabber features of the stealer. The obfuscation mechanism is also identical to the previous versions of Mars Stealer: RC4 decryption key and Base64 strings. The Oski Stealer author removed the Telegram Support channel and stopped responding to requests on Oski Stealer at the end of June 2020.
eSentire’s TRU team assesses with high confidence that Mars Stealer is a successor of Oski Stealer, although it is worth noting that unlike Oski Stealer, Mars Stealer does not support Outlook data and credential exfiltration.
Our Threat Response Unit (TRU) team combines threat intelligence obtained from research and cybersecurity incidents to create practical outcomes for our customers. We are taking a full-scale response approach to combat modern cybersecurity threats by deploying countermeasures, such as:
Our detection content is supported by investigation runbooks, ensuring our SOC (Security Operations Center) analysts respond rapidly to any intrusion attempts related to known malware Tactics, Techniques, and Procedures (TTPs). In addition, TRU closely monitors the threat landscape, constantly addresses capability gaps, and conducts retroactive threat hunts to assess customer impact.
We recommend implementing the following controls to help secure your organization against SolarMarker malware:
As the TTPs used by adversaries grow in sophistication, they create difficulties that force critical business decisions. Preventing the various cyberattack paths used by modern threat actors requires actively monitoring the threat landscape, developing and deploying endpoint detections, and the ability to investigate logs and network data during active intrusions.
| Indicator | Name |
| --- | --- |
| googleglstatupdt[.]com | Hosting ChromeSetup ISO |
| zrianevakn1[.]com | NetSupportManager RAT C2 |
| 162[.]33.178.122 | NetSupportManager RAT C2 |
| 115d1ae8b95551108b3a902e48b3f163 | ChromeSetup.iso |
| b15e0db8f65d7df27c07afe2981ff5a755666dce | ChromeSetup.exe |
| 37c24b4b6ada4250bc7c60951c5977c0 | NetSupportManager RAT |
| 5[.]45.84.214 | Mars Stealer C2 (Offline) |
| e57756b675ae2aa07c9ec7fa52f9de33935cbc0f | Mars Stealer |
| e3c91b6246b2b9b82cebf3700c0a7093bacaa09b | Esitanza.exe.pif (renamed AutoIt) |
| e3c91b6246b2b9b82cebf3700c0a7093bacaa09b | ANpRAHx.exe (disguised as 3uAirPlayer, drops Mars Stealer and obfuscated AutoIt scripts) |
| 5c4e3e5fda232c31b3d2a2842c5ea23523b1de1a | Installer_ovl.exe |
| 2a2b00d0555647a6d5128b7ec87daf03a0ad568f | consoleappmrss.exe |
| 3c80b89e7d4fb08aa455ddf902a3ea236d3b582a | Fervore.wmd (obfuscated AutoIt script) |
| 26136c59afe28fc6bf1b3aeba8946ac2c3ce61df | Vai.wmd (obfuscated AutoIt script, contains Mars Stealer) |
| e6f18804c94f2bca5a0f6154b1c56186d4642e6b | Una.wmd (obfuscated AutoIt script) |
```yara
import "pe"

rule MarsStealer
{
    meta:
        description = "Identifies Mars Stealer malware"
        author = "eSentire TI"
        date = "04/20/2022"
        hash = "e57756b675ae2aa07c9ec7fa52f9de33935cbc0f"

    strings:
        $string1 = "C:\\ProgramData\\nss3.dll"
        $string2 = "passwords.txt"
        $string3 = "screenshot.jpg"
        $string4 = "*wallet*.dat"
        $string5 = "Grabber\\%s.zip"

    condition:
        // 0x5A4D is the "MZ" PE magic; 0x464c457f is "\x7fELF" read as a
        // little-endian uint32 (the published rule read 0x4464c457f, which
        // exceeds 32 bits and can never match uint32(0)).
        all of ($string*) and (uint16(0) == 0x5A4D or uint32(0) == 0x464c457f)
}
```