eSentire Threat Intelligence Malware Analysis: Mars Stealer

Mars Stealer is an information-stealing malware that first appeared on hacking forums in June 2021, a year after its predecessor Oski Stealer was discontinued in June 2020. Mars Stealer can target or ‘support’ over 50 crypto wallets and extensions, is multi-functional, and avoids detection. In addition, it’s low price on the malware market has generated significant attention from threat actor(s) who are looking to add the effective malware into their arsenal.

eSentire's Threat Response Unit (TRU) team previously published a TRU Positive that focused on the cyber threat investigation summary of a singular incident and recommendations regarding Mars Stealer malware. However, this blogpost delves deeper into the technical details that were gathered during the research and analysis of the Mars Stealer TRU Positive.

Case Study

The first mention of Mars Stealer appeared on Russian-speaking forums in June 2021 and at the time, it was being sold for $140 a month (Exhibit 1).

Mars Stealer allegedly ‘supports’, or is capable of, harvesting data from common browsers, crypto wallets, and two-factor authentication (2FA) and crypto extensions. Since the release of Mars Stealer, eSentire’s Threat Response Unit (TRU) team has observed a number of cracked versions being distributed by a reverse engineer who goes under the username ‘LLCPPC’. The latest version is Mars Stealer v8 (Exhibit 2).

Mars Stealer has been delivered as a drive-by download via cloned websites for known software, such as Open Office. The malware is also distributed as patching software and keygens on gaming forums. In the incident observed by eSentire, the stealer was delivered via the NetSupportManager RAT.

Technical Analysis of Mars Stealer Infection

Initial Access

The initial access vector occurred when the victim visited a malicious website hosting an ISO image named ChromeSetup.iso (hxxps[:]//googleglstatupdt[.]com/LEND/ChromeSetup[.]iso).

The ISO image contained ChromeSetup.exe, which had an embedded NetSupportManager RAT and a Chrome Updater in a cabinet (CAB) archive-file format (Exhibits 3-4).

The NetSupportManager RAT was obfuscated by the attacker as ‘21m_18_033.exe’. The RAT was installed in tandem when the victim opened ChromeSetup.exe. Persistence was achieved by the RAT via a Startup LNK file through the following path:

• c:\users\*\appdata\roaming\microsoft\windows\start menu\programs\startup\autorunings.ini.lnk

The LNK runs the RAT under C:\Users\*\AppData\Roaming\WinSupports\client32.exe after each reboot attempt.

It is worth noting that attacks involving RATs do not usually start with the full infection chain once the user executes the initial payload. The attacker would need additional time to access the RAT and load additional payloads. In the incident we analyzed, the attacker’s movement in the network can be observed in Exhibit 5.

aNpRAHx.exe (original name: 3uAirPlayer.exe) was used to plant the following AutoIt scripts on the victim’s workstation under the path C:\Users\*\AppData\Local\Temp\IXP001.TMP:

• una.wmd
• fervore.wmd
• vai.wmd

The scripts were embedded within the CAB file of the executable (Exhibits 6-7)

The AutoIt scripts were highly obfuscated. Within the aNpRAHx.exe resources, there was a POSTRUNPROGRAM section that contained the following command:

• Esitanza.exe.pif: the renamed AutoIt program
• una.wmd: the script responsible for dropping Esitanza.exe
• vai.wmd: the core script that contains Mars Stealer, its dependencies, and the copy of a NTDLL.DLL file

The post command execution was also responsible for running the following commands on the host:

• find /I /N "bullguardcore.exe"
• find /I /N "psuaservice.exe”
• findstr /V /R "^UzERaIroWGYHeuAyIPBJMSUyDIptkdLqzqzZHgBHJNQEeOwczSBTavTwnmhKnZWGVYgwNAnxhUZYefrOGNKzOSHWiaAoqRoKRlJtmqISxiFnvUZpcnrKgDSedaU$" Una.wmd
• tasklist /FI "imagename eq BullGuardCore.exe”
• tasklist /FI "imagename eq PSUAService.exe"

As indicated above, vai.wmd is the script responsible for loading additional dependencies as well as Mars Stealer. The value $ARZURr holds the obfuscated Mars Stealer version (Exhibit 9). The RC4 key was derived from the following pattern:

• Binary(MRPvnDnroX("58}59}59}63}61}63}60}60}58}59}62}63}57}57}58}64}56}63}57}63}57}63}57}61}60}57}60",7)))))

The pattern subtracts 7 from each character that is eventually converted to ASCII format. The RC4 key to decrypt the Mars Stealer is “344868553478223918282826525”.

After decrypting the binary (Exhibit 10), there appeared to be another layer of obfuscation added to the file that was decrypted during runtime.

Without having to fully deobfuscate the AutoIt script, we converted the script into an executable and proceeded with debugging (Exhibit 11). We were able to extract the deobfuscated Mars Stealer executable by leveraging the debugger. It should be noted that Mars Stealer is loading its own copy of NTDLL.DLL and renames it (Exhibit 12). NTDLL.DLL is responsible for injecting Mars Stealer into explorer.exe module during the runtime (Exhibit 13-14). A similar technique was observed in Oasis Stealer and thoroughly described by a Malware Analyst, hasherezade.

Endpoint Detection and Response (EDR) uses API hooking to monitor suspicious processes in real time. It is a common practice for EDR solutions to hook the functions exported from NTDLL.DLL. The library does not rely on other DLL (Dynamic Link Library) dependencies. In addition, it is also responsible for exporting Native APIs that are often abused by malware developers. Moreover, in order to bypass the detection by EDR tools, attacker(s) will independently load a copy of NTDLL.DLL (Exhibit 15).

It is also worth noting that another executable was dropped via the remote session on the victim’s machine – consoleappmrss.exe. The executable contained an embedded file named Installer_ovl.exe, which was written in C#.

The executable connected to the shortened URL (tiny[.]one), a Discord CDN to retrieve another file named DebugViewPortable_4_90_Release_3_English_online_Auejpzlt.bmp (Exhibit 16).

At the time of the analysis, the link to the BMP file was not accessible. We believe that the attacker(s) tried to retrieve additional payloads, but the attempt was unsuccessful.

Mars Stealer and C2 Panel Analysis

The deobfuscated Mars Stealer was written in ASM/C and approximately 162KB in size. The compilation date was March 29, 2022, which suggests that the attacker(s) modified the stealer right before shipping it onto the victim’s machine.

The stealer includes anti-debugging and anti-sandbox features:

• For anti-debugging purposes, it manually checks the PEB (Process Environment Block) for BeingDebugged flag.
• For anti-sandboxing, the stealer sleeps for 16000 milliseconds (about 16 seconds) and calls GetTickCount API (Exhibit 17) to retrieve the number of milliseconds that have passed since the system was started and the number of milliseconds of the current running time.
  • Both values get subtracted and are compared to 12000 milliseconds (about 12 seconds).
  • If the value is less than 12000, it means that the Sleep function was skipped by the debugger or sandbox, and the sample exits (Exhibit 18).

The sample also performs anti-emulation checks for Windows Defender Antivirus on values HAL9TH and JohnDoe (Exhibit 19).

Mars Stealer will exit if the following languages are detected (Exhibit 20):

• Uzbekistan
• Azerbaijan
• Kazakhstan
• Russia
• Belarus

The language checks are also performed within the Mars Stealer panel (Exhibit 21).

The strings in .RDATA section are XOR’ed (XOR or "exclusive or" is a logical operator that yields true if exactly one (not both) of two conditions is true) with different keys as shown in Exhibit 22. The first batch of decrypted strings are mostly API calls (Exhibit 23).

From another batch of decrypted strings, we can observe the following (Exhibit 24):

1. C2 channel
2. Mutex value
3. C2 channel (same as #1)
4. DLL dependencies required for the stealer to function properly
5. The stealer fingerprints the following information on the infected machine and outputs it to system.txt file:
   • Tag (the tag of the Stealer build)
   • Country
   • IP
   • Working Path
   • Local Time
   • Time Zone
   • Display Language
   • Keyboard Languages
   • Laptop/Desktop
   • Processor
   • Installed RAM
   • OS (Operating Systems)
   • Video card
   • Display Resolution
   • PC name
   • Username
   • Installed Software

Mars Stealer avoids reinfection by looking up a Mutex value 67820366929896267194. If the host returns the code ERROR_ALREADY_EXISTS (183), the stealer quits running (Exhibit 25).

Mars Stealer has grabber and loader capabilities. The grabber functionality allows the attacker(s) to specify what files to collect, from which paths and the maximum file size. The following constant paths allow Mars Stealer to grab a victim’s data (Exhibit 26):

• %DESKTOP%
• %APPDATA% - path to Roaming folder (C:\Users\*user*\AppData\Roaming)
• %LOCALAPPDATA% - path to Local folder (C:\Users\*user*\AppData\Local)
• %USERPROFILE% - path to User’s folder (C:\Users\*user*\)

The loader allows the attacker(s) to upload additional payloads to the infected host including the modified/upgraded version of Mars Stealer. The loader functionality has the same constant paths mentioned above. The attacker(s) can enable the “Cold Wallet” option in the Loader panel, but it only works if the infected machine stores files related to crypto wallets and plugins (Exhibit 27).

As a part of the configuration, the attacker(s) can set up a Telegram Bot, which is used to receive the logs from infected machines. The settings panel also allows the attacker(s) to enable the following folders/files to collect:

• Downloads
• History
• Autofill (passwords, payment methods, addresses, etc.)
• Screenshot
• Discord

The attacker(s) can also choose the “Build self-delete” option to remove the stealer on the infected machine. The self-delete command is executed via command line (Exhibit 28):

• /c timeout /t 5 & del /f /q "%s" & exit

It is worth mentioning that the attacker(s) can replace their cryptocurrency and 2FA authenticator extensions in the browser with the ones collected on the victim’s machine and eventually obtain access to it. Here is the list of cryptocurrency extensions the stealer collects:

Below is the list of 2FA Authenticator extensions:

Moreover, the stealer gathers the credentials and sensitive data from numerous browsers and crypto wallets (Exhibit 29).

Supported browsers:

Internet Explorer, Microsoft Edge, Google Chrome, Chromium, Microsoft Edge (Chromium version), Kometa, Amigo, Torch, Orbitum, Comodo Dragon, Nichrome, Maxthon5, Maxthon6, Sputnik Browser, Epic Privacy Browser, Vivaldi, CocCoc, Uran Browser, QIP Surf, Cent Browser, Elements Browser, TorBro Browser, CryptoTab Browser, Brave Browser, Opera Stable, Opera GX, Opera Neon, Firefox, SlimBrowser, PaleMoon, Waterfox, Cyberfox, BlackHawk, IceCat, KMeleon, Thunderbird

Supported crypto wallets:

Dogecoin, Zcash, DashCore, LiteCoin, Ethereum, Electrum, Electrum LTC, Exodus, Electron Cash, MultiDoge, JAXX, Atomic, Binance, Coinomi

C2 Communication

The infected machine occasionally sends the POST requests to http://162.33.178[.]122/fakeurl.htm, which is a NetSupportManager server (Exhibit 30).

The victim then reaches out to the Mars Stealer C2 server (/request) to grab additional DLL dependencies (Exhibit 31):

• softokn3.dll (Mozilla Firefox Library)
• sqlite3.dll (used for SQLite database)
• vcruntime140.dll (Microsoft Visual Studio runtime library)
• freebl3.dll (Mozilla NSS freebl Library)
• mozglue.dll (Mozilla Firefox Library)
• msvcp140.dll (Microsoft Visual Studio runtime library)
• nss3.dll (Network Security Services Mozilla Firefox Library)

The infected machine then sends out the collected data including RDP credentials and certificates in a ZIP archive to Mars Stealer C2 (Exhibit 32).

The following is an example of the exfiltrated data and the contents of the previously mentioned system.txt file (Exhibit 33).

During the analysis of Mars Stealer, we observed a number of similarities with Oski Stealer including anti-emulation and self-removal capabilities, language checks, loader, and grabber features of the stealer. The obfuscation mechanism is also identical to the previous versions of Mars Stealer: RC4 decryption key and Base64 strings. The Oski Stealer author removed the Telegram Support channel and stopped responding to requests on Oski Stealer at the end of June 2020.

eSentire’s TRU team accesses with high confidence that Mars Stealer is a successor of Oski Stealer, although it is worth noting that unlike Oski Stealer, Mars Stealer does not support Outlook data and credential exfiltration.

How eSentire is Responding

Our Threat Response Unit (TRU) team combines threat intelligence obtained from research and cybersecurity incidents to create practical outcomes for our customers. We are taking a full-scale response approach to combat modern cybersecurity threats by deploying countermeasures, such as:

• Implementing cyber threat detections to identify malicious command execution, usage of renamed tools and ensure that eSentire has visibility and detections are in place across eSentire MDR for Endpoint and MDR for Network.
• Performing global cyber threat hunts for indicators associated with Mars Stealer.

Our detection content is supported by investigation runbooks, ensuring our SOC (Security Operations Center) analysts respond rapidly to any intrusion attempts related to a known malware Tactics, Techniques, and Procedures. In addition, TRU closely monitors the threat landscape and constantly addresses capability gaps and conducts retroactive threat hunts to assess customer impact.

Recommendations from eSentire’s Threat Response Unit (TRU)

We recommend implementing the following controls to help secure your organization against SolarMarker malware:

• Implement a Phishing and Security Awareness Training (PSAT) program that educates and informs employees on emerging threats in the threat landscape.
• Confirm that all devices are protected with Endpoint Detection and Response (EDR) solutions.
• Prevent web browsers from automatically saving and storing passwords. It is recommended to use password managers instead.
• Enable multi-factor authentication whenever it is applicable.

While the TTPs used by adversaries grow in sophistication, they lead to a certain level of difficulties at which critical business decisions must be made. Preventing the various cyberattack paths utilized by the modern threat actor requires actively monitoring the threat landscape, developing, and deploying endpoint detection, and the ability to investigate logs & network data during active intrusions.

eSentire’s TRU team is a world-class team of threat researchers who develop new detections enriched by original threat intelligence and leverage new machine learning models that correlate multi-signal data and automate rapid response to advanced cyber threats.

If you are not currently engaged with an MDR provider, eSentire MDR can help you reclaim the advantage and put your business ahead of disruption.

Learn what it means to have an elite team of Threat Hunters and Researchers that works for you. Connect with an eSentire Security Specialist.

Appendix

• https://www.esentire.com/blog/fake-chrome-setup-leads-to-netsupportmanager-rat-and-mars-stealer
• https://blog.morphisec.com/threat-research-mars-stealer
• https://cyberint.com/blog/research/mars-stealer/
• https://www.cyberark.com/resources/threat-research-blog/meet-oski-stealer-an-in-depth-analysis-of-the-popular-credential-stealer
• https://docs.microsoft.com/en-us/windows/win32/api
• https://www.ired.team/offensive-security/defense-evasion/bypassing-cylance-and-other-avs-edrs-by-unhooking-windows-apis
• https://blog.malwarebytes.com/threat-analysis/2018/08/process-doppelganging-meets-process-hollowing_osiris/

Indicators of Compromise

Yara Rules

import "pe"

rule  MarsStealer {
    meta:
        description = "Identifies Mars Stealer malware"
        author = "eSentire TI"
        date = "04/20/2022"
        hash = "e57756b675ae2aa07c9ec7fa52f9de33935cbc0f"
    strings:
        $string1 = "C:\\ProgramData\\nss3.dll"
        $string2 = "passwords.txt" 
        $string3 = "screenshot.jpg" 
        $string4 = "*wallet*.dat" 
        $string5 = "Grabber\\%s.zip"
    condition:
        all of ($string*) and
        (uint16(0) == 0x5A4D or uint32(0) == 0x4464c457f)        
}