Blog

eSentire Threat Intelligence Malware Analysis: Mars Stealer

BY eSentire Threat Response Unit (TRU)

May 18, 2022 | 14 MINS READ

Attacks/Breaches

Threat Intelligence

Threat Response Unit

TRU Positive/Bulletin

Want to learn more on how to achieve Cyber Resilience?

TALK TO AN EXPERT

IN THIS POST

Mars Stealer is an information-stealing malware that first appeared on hacking forums in June 2021, a year after its predecessor Oski Stealer was discontinued in June 2020. Mars Stealer can target or ‘support’ over 50 crypto wallets and extensions, is multi-functional, and avoids detection. In addition, it’s low price on the malware market has generated significant attention from threat actor(s) who are looking to add the effective malware into their arsenal.

eSentire's Threat Response Unit (TRU) team previously published a TRU Positive that focused on the cyber threat investigation summary of a singular incident and recommendations regarding Mars Stealer malware. However, this blogpost delves deeper into the technical details that were gathered during the research and analysis of the Mars Stealer TRU Positive.

Key Takeaways:

  • Mars Stealer is the latest version of Oski Stealer, which was discontinued in June 2020.
  • NetSupport RAT (Remote Access Tool), or client32.exe, was embedded in a ChromeSetup.exe file and used by an attacker to gain access to a victim’s workstation for further deployment of tools needed to plant Mars Stealer.
  • An executable with the original filename 3uAirPlayer was used to deploy obfuscated AutoIt scripts with Mars Stealer embedded inside and a renamed version of AutoIt to evade detections.
  • The persistence mechanism was created to make sure the attacker(s) maintain access to NetSupportManager as a backdoor.
  • Mars Stealer can self-delete itself after successfully exfiltrating the victim’s data, leaving no trace behind.

Case Study

The first mention of Mars Stealer appeared on Russian-speaking forums in June 2021 and at the time, it was being sold for $140 a month (Exhibit 1).

Exhibit 1: Advertisement on Mars Stealer


Mars Stealer allegedly ‘supports’, or is capable of, harvesting data from common browsers, crypto wallets, and two-factor authentication (2FA) and crypto extensions. Since the release of Mars Stealer, eSentire’s Threat Response Unit (TRU) team has observed a number of cracked versions being distributed by a reverse engineer who goes under the username ‘LLCPPC’. The latest version is Mars Stealer v8 (Exhibit 2).

Exhibit 2: Mars Stealer v8 advertisement


Mars Stealer has been delivered as a drive-by download via cloned websites for known software, such as Open Office. The malware is also distributed as patching software and keygens on gaming forums. In the incident observed by eSentire, the stealer was delivered via the NetSupportManager RAT.

Technical Analysis of Mars Stealer Infection

Initial Access

The initial access vector occurred when the victim visited a malicious website hosting an ISO image named ChromeSetup.iso (hxxps[:]//googleglstatupdt[.]com/LEND/ChromeSetup[.]iso).

The ISO image contained ChromeSetup.exe, which had an embedded NetSupportManager RAT and a Chrome Updater in a cabinet (CAB) archive-file format (Exhibits 3-4).

Exhibit 3: Cabinet section under RCData


Exhibit 4: Contents of the extracted CAB file


The NetSupportManager RAT was obfuscated by the attacker as ‘21m_18_033.exe’. The RAT was installed in tandem when the victim opened ChromeSetup.exe. Persistence was achieved by the RAT via a Startup LNK file through the following path:

The LNK runs the RAT under C:\Users\*\AppData\Roaming\WinSupports\client32.exe after each reboot attempt.

It is worth noting that attacks involving RATs do not usually start with the full infection chain once the user executes the initial payload. The attacker would need additional time to access the RAT and load additional payloads. In the incident we analyzed, the attacker’s movement in the network can be observed in Exhibit 5.

Exhibit 5: Infection chain


aNpRAHx.exe (original name: 3uAirPlayer.exe) was used to plant the following AutoIt scripts on the victim’s workstation under the path C:\Users\*\AppData\Local\Temp\IXP001.TMP:

The scripts were embedded within the CAB file of the executable (Exhibits 6-7)

Exhibit 6: Cabinet section under RCData (aNpRAHx.exe)


Exhibit 7: Contents of the CAB file


The AutoIt scripts were highly obfuscated. Within the aNpRAHx.exe resources, there was a POSTRUNPROGRAM section that contained the following command:

Exhibit 8: Obfuscated Fervore.wmd script


The post command execution was also responsible for running the following commands on the host:

As indicated above, vai.wmd is the script responsible for loading additional dependencies as well as Mars Stealer. The value $ARZURr holds the obfuscated Mars Stealer version (Exhibit 9). The RC4 key was derived from the following pattern:

The pattern subtracts 7 from each character that is eventually converted to ASCII format. The RC4 key to decrypt the Mars Stealer is “344868553478223918282826525”.

Exhibit 9: The hex values of the obfuscated Mars Stealer


After decrypting the binary (Exhibit 10), there appeared to be another layer of obfuscation added to the file that was decrypted during runtime.

Exhibit 10: Decrypting the binary using CyberChef


Without having to fully deobfuscate the AutoIt script, we converted the script into an executable and proceeded with debugging (Exhibit 11). We were able to extract the deobfuscated Mars Stealer executable by leveraging the debugger. It should be noted that Mars Stealer is loading its own copy of NTDLL.DLL and renames it (Exhibit 12). NTDLL.DLL is responsible for injecting Mars Stealer into explorer.exe module during the runtime (Exhibit 13-14). A similar technique was observed in Oasis Stealer and thoroughly described by a Malware Analyst, hasherezade.

Endpoint Detection and Response (EDR) uses API hooking to monitor suspicious processes in real time. It is a common practice for EDR solutions to hook the functions exported from NTDLL.DLL. The library does not rely on other DLL (Dynamic Link Library) dependencies. In addition, it is also responsible for exporting Native APIs that are often abused by malware developers. Moreover, in order to bypass the detection by EDR tools, attacker(s) will independently load a copy of NTDLL.DLL (Exhibit 15).

Exhibit 11: Credential stealing evidence from the debugger


Exhibit 12: Renamed copy of NTDLL.DLL (partially deobfuscated AutoIt script)


Exhibit 13: Mars Stealer is being injected into explorer.exe (1)


Exhibit 14: Mars Stealer is being injected into explorer.exe (2)


Exhibit 15: Custom loaded NTDLL.DLL


It is also worth noting that another executable was dropped via the remote session on the victim’s machine – consoleappmrss.exe. The executable contained an embedded file named Installer_ovl.exe, which was written in C#.

The executable connected to the shortened URL (tiny[.]one), a Discord CDN to retrieve another file named DebugViewPortable_4_90_Release_3_English_online_Auejpzlt.bmp (Exhibit 16).

Exhibit 16: The file reaches out to Discord CDN to download additional payloads


At the time of the analysis, the link to the BMP file was not accessible. We believe that the attacker(s) tried to retrieve additional payloads, but the attempt was unsuccessful.

Mars Stealer and C2 Panel Analysis

The deobfuscated Mars Stealer was written in ASM/C and approximately 162KB in size. The compilation date was March 29, 2022, which suggests that the attacker(s) modified the stealer right before shipping it onto the victim’s machine.

The stealer includes anti-debugging and anti-sandbox features:

The sample also performs anti-emulation checks for Windows Defender Antivirus on values HAL9TH and JohnDoe (Exhibit 19).

Exhibit 17: Using GetTickCount() for anti-debugging purposes


Exhibit 18: If the sample is being debugged, the running process terminates


Exhibit 19: Windows Defender Antivirus anti-emulation checks


Mars Stealer will exit if the following languages are detected (Exhibit 20):

Exhibit 20: Language check using GetUserDefaultUILanguage function


The language checks are also performed within the Mars Stealer panel (Exhibit 21).

Exhibit 21: Language check in PHP component


The strings in .RDATA section are XOR’ed (XOR or "exclusive or" is a logical operator that yields true if exactly one (not both) of two conditions is true) with different keys as shown in Exhibit 22. The first batch of decrypted strings are mostly API calls (Exhibit 23).

Exhibit 22: XOR-encoding routine


Exhibit 23: Decrypted strings (1)


From another batch of decrypted strings, we can observe the following (Exhibit 24):

  1. C2 channel
  2. Mutex value
  3. C2 channel (same as #1)
  4. DLL dependencies required for the stealer to function properly
  5. The stealer fingerprints the following information on the infected machine and outputs it to system.txt file:
    • Tag (the tag of the Stealer build)
    • Country
    • IP
    • Working Path
    • Local Time
    • Time Zone
    • Display Language
    • Keyboard Languages
    • Laptop/Desktop
    • Processor
    • Installed RAM
    • OS (Operating Systems)
    • Video card
    • Display Resolution
    • PC name
    • Username
    • Installed Software
Exhibit 24: Decrypted strings (2)


Mars Stealer avoids reinfection by looking up a Mutex value 67820366929896267194. If the host returns the code ERROR_ALREADY_EXISTS (183), the stealer quits running (Exhibit 25).

Exhibit 25: Checks if Mutex value already exists


Mars Stealer has grabber and loader capabilities. The grabber functionality allows the attacker(s) to specify what files to collect, from which paths and the maximum file size. The following constant paths allow Mars Stealer to grab a victim’s data (Exhibit 26):

Exhibit 26: Grab panel


The loader allows the attacker(s) to upload additional payloads to the infected host including the modified/upgraded version of Mars Stealer. The loader functionality has the same constant paths mentioned above. The attacker(s) can enable the “Cold Wallet” option in the Loader panel, but it only works if the infected machine stores files related to crypto wallets and plugins (Exhibit 27).

Exhibit 27: Loader panel


As a part of the configuration, the attacker(s) can set up a Telegram Bot, which is used to receive the logs from infected machines. The settings panel also allows the attacker(s) to enable the following folders/files to collect:

The attacker(s) can also choose the “Build self-delete” option to remove the stealer on the infected machine. The self-delete command is executed via command line (Exhibit 28):

Exhibit 28: Self-deletion function


It is worth mentioning that the attacker(s) can replace their cryptocurrency and 2FA authenticator extensions in the browser with the ones collected on the victim’s machine and eventually obtain access to it. Here is the list of cryptocurrency extensions the stealer collects:

Crypto wallet Extension
TronLink ibnejdfjmmkpcnlpebklmnkoeoihofec
MetaMask
Binance Chain Wallet
nkbihfbeogaeaoehlefnkodbefgpgknn

fhbohimaelbohpjbbldcngcnapndodjp
Yoroi ffnbelfdoeiohenkjibnmadjiehjhajb
Nifty Wallet jbdaocneiiinmjbjlgalhcelgbejmnid
Math Wallet afbcbjpbpfadlkmhmclhkeeodmamcflc
Coinbase Wallet hnfanknocfeofbddgcijnmhnfnkdnaad
Guarda hpglfhgfnhbgpjdenjgmdgoeiappafln
EQUAL Wallet blnieiiffboillknjnepogjhkgnoapac
Jaxx Liberty cjelfplplebdjjenllpjcblmjkfcffne
BitApp Wallet fihkakfobkmkjojpchpfgcmhfjnmnfpi
iWallet kncchdigobghenbbaddojjnnaogfppfj
Wombat amkmjjmmflddogmhpjloimipbofnfjih
MEW CX nlbmnnijcnlegkjjpcfjclmcfggfefdm
GuildWallet nanjmdknhkinifnkgdcggcfnhdaammmj
Saturn Wallet nkddgncdjgjfcddamfgcmfnlhccnimig
Ronin Wallet fnjhmkhhmkbjkkabndcnnogagogbneec
NeoLine cphhlgmgameodnhkjdmkpanlelnlohao
Clover Wallet nhnkbkgjikgcigadomkphalanndcapjk
Liquality Wallet kpfopkelmapcoipemfendmdcghnegimn
Terra Station aiifbnbfobpmeekipheeijimdpnlpgpp
Keplr dmkamcknogkgcdfhhbddcghachkejeap
Sollet fhmfendgdocmcbmfikdcogofphimnkno
Sollet fhmfendgdocmcbmfikdcogofphimnkno
Auro Wallet cnmamaachppnkjgnildpdmkaakejnhae
Polymesh Wallet jojhfeoedkpkglbfimdfabpdfjaoolaf
ICONex flpiciilemghbmfalicajoolhkkenfel
Nabox Wallet nknhiehlklippafakaeklbeglecifhad
KHC hcflpincpppdclinealmandijcmnkbgn
Temple ookjlbkiijinhpmnjffcofjonbfbgaoc
TezBox mnfifefkajgofkcjkemidiaecocnkjeh
Cyano Wallet dkdedlpgdmmkkfjabffeganieamfklkm
Byone nlgbhdfgdhgbiamfdfmbikcdghidoadd
OneKey infeboajgfhgbjpjbeppbkgnabfdkdaf
LeafWallet cihmoadaighcejopammfbmddcmdekcje
DAppPlay lodccjjbdhfakaekdiahmedfbieldgik
BitClip ijmpgkjfkbfhoebgogflfebnmejmfbml
Steem Keychain lkcjlnjfpbikmcmbachjpdbijejflpcm
Nash Extension onofpnbbkehpmmoabgpcpmigafmmnjhl
Hycon Lite Client bcopgchhojmggmffilplmbdicgaihlkp
ZilPay klnaejjgbibmhlephnhpmaofohgkpgkd
Coin98 Wallet aeachknmefphepccionboohckonoeemg

Below is the list of 2FA Authenticator extensions:

2FA Authenticator Extension
Authenticator bhghoamapcdpbohphigoooaddinpkbai
Authy gaedmjdfmmahhbjefcbgaolhhanlaolb
EOS Authenticator oeljdldpnmdbchonielidgobddffflal
GAuth Authenticator ilgcnhelpchnceeipipijaljkblbcobl?hl=ru
Trezor Password Manager imloifkgjagghnncjkhggdhalmcnfklk?hl=ru

Moreover, the stealer gathers the credentials and sensitive data from numerous browsers and crypto wallets (Exhibit 29).

Exhibit 29: The function responsible for gathering crypto wallet data


Supported browsers:

Internet Explorer, Microsoft Edge, Google Chrome, Chromium, Microsoft Edge (Chromium version), Kometa, Amigo, Torch, Orbitum, Comodo Dragon, Nichrome, Maxthon5, Maxthon6, Sputnik Browser, Epic Privacy Browser, Vivaldi, CocCoc, Uran Browser, QIP Surf, Cent Browser, Elements Browser, TorBro Browser, CryptoTab Browser, Brave Browser, Opera Stable, Opera GX, Opera Neon, Firefox, SlimBrowser, PaleMoon, Waterfox, Cyberfox, BlackHawk, IceCat, KMeleon, Thunderbird

Supported crypto wallets:

Dogecoin, Zcash, DashCore, LiteCoin, Ethereum, Electrum, Electrum LTC, Exodus, Electron Cash, MultiDoge, JAXX, Atomic, Binance, Coinomi

C2 Communication

The infected machine occasionally sends the POST requests to http://162.33.178[.]122/fakeurl.htm, which is a NetSupportManager server (Exhibit 30).

Exhibit 30: POST requests of NetSupport Manager traffic

The victim then reaches out to the Mars Stealer C2 server (/request) to grab additional DLL dependencies (Exhibit 31):

Exhibit 31: The infected machine is reaching out to C2 Server to retrieve DLL components


The infected machine then sends out the collected data including RDP credentials and certificates in a ZIP archive to Mars Stealer C2 (Exhibit 32).

Exhibit 32: Exfiltrated data sent out to C2


The following is an example of the exfiltrated data and the contents of the previously mentioned system.txt file (Exhibit 33).

Exhibit 33: The contents of the exfiltrated ZIP archive including system.txt


During the analysis of Mars Stealer, we observed a number of similarities with Oski Stealer including anti-emulation and self-removal capabilities, language checks, loader, and grabber features of the stealer. The obfuscation mechanism is also identical to the previous versions of Mars Stealer: RC4 decryption key and Base64 strings. The Oski Stealer author removed the Telegram Support channel and stopped responding to requests on Oski Stealer at the end of June 2020.

eSentire’s TRU team accesses with high confidence that Mars Stealer is a successor of Oski Stealer, although it is worth noting that unlike Oski Stealer, Mars Stealer does not support Outlook data and credential exfiltration.

How eSentire is Responding

Our Threat Response Unit (TRU) team combines threat intelligence obtained from research and cybersecurity incidents to create practical outcomes for our customers. We are taking a full-scale response approach to combat modern cybersecurity threats by deploying countermeasures, such as:

Our detection content is supported by investigation runbooks, ensuring our SOC (Security Operations Center) analysts respond rapidly to any intrusion attempts related to a known malware Tactics, Techniques, and Procedures. In addition, TRU closely monitors the threat landscape and constantly addresses capability gaps and conducts retroactive threat hunts to assess customer impact.

Recommendations from eSentire’s Threat Response Unit (TRU)

We recommend implementing the following controls to help secure your organization against SolarMarker malware:

While the TTPs used by adversaries grow in sophistication, they lead to a certain level of difficulties at which critical business decisions must be made. Preventing the various cyberattack paths utilized by the modern threat actor requires actively monitoring the threat landscape, developing, and deploying endpoint detection, and the ability to investigate logs & network data during active intrusions.

eSentire’s TRU team is a world-class team of threat researchers who develop new detections enriched by original threat intelligence and leverage new machine learning models that correlate multi-signal data and automate rapid response to advanced cyber threats.

If you are not currently engaged with an MDR provider, eSentire MDR can help you reclaim the advantage and put your business ahead of disruption.

Learn what it means to have an elite team of Threat Hunters and Researchers that works for you. Connect with an eSentire Security Specialist.

Appendix

Indicators of Compromise

Name Indicators
googleglstatupdt[.]com Hosting ChromeSetup ISO
zrianevakn1[.]com NetSupportManager RAT C2
162[.]33.178.122 NetSupportManager RAT C2
115d1ae8b95551108b3a902e48b3f163 ChromeSetup.iso
b15e0db8f65d7df27c07afe2981ff5a755666dce ChromeSetup.exe
37c24b4b6ada4250bc7c60951c5977c0 NetSupportManager RAT
5[.]45.84.214 Mars Stealer C2 (Offline)
e57756b675ae2aa07c9ec7fa52f9de33935cbc0f Mars Stealer
e3c91b6246b2b9b82cebf3700c0a7093bacaa09b Esitanza.exe.pif (renamed AutoIt)
e3c91b6246b2b9b82cebf3700c0a7093bacaa09b ANpRAHx.exe (disguised as 3uAirPlayer, drops Mars Stealer and obfuscated AutoIt scripts)
5c4e3e5fda232c31b3d2a2842c5ea23523b1de1a Installer_ovl.exe
2a2b00d0555647a6d5128b7ec87daf03a0ad568f consoleappmrss.exe
3c80b89e7d4fb08aa455ddf902a3ea236d3b582a Fervore.wmd (obfuscated AutoIt script)
26136c59afe28fc6bf1b3aeba8946ac2c3ce61df Vai.wmd (obfuscated AutoIt script, contains Mars Stealer)
e6f18804c94f2bca5a0f6154b1c56186d4642e6b Una.wmd (obfuscated AutoIt script)

Yara Rules

import "pe"

rule  MarsStealer {
    meta:
        description = "Identifies Mars Stealer malware"
        author = "eSentire TI"
        date = "04/20/2022"
        hash = "e57756b675ae2aa07c9ec7fa52f9de33935cbc0f"
    strings:
        $string1 = "C:\\ProgramData\\nss3.dll"
        $string2 = "passwords.txt" 
        $string3 = "screenshot.jpg" 
        $string4 = "*wallet*.dat" 
        $string5 = "Grabber\\%s.zip"
    condition:
        all of ($string*) and
        (uint16(0) == 0x5A4D or uint32(0) == 0x4464c457f)        
}
eSentire Unit
eSentire Threat Response Unit (TRU)

The eSentire Threat Response Unit (TRU) is an industry-leading threat research team committed to helping your organization become more resilient. TRU is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds threat detection models across the eSentire XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. By providing complete visibility across your attack surface and performing global threat sweeps and proactive hypothesis-driven threat hunts augmented by original threat research, we are laser-focused on defending your organization against known and unknown threats.

Read the Latest from eSentire