Do you remember the Oski malware that suddenly disappeared in July 2020? Anyway, it is back in the form of Mars Stealer, which is a new and powerful version of Oski. Without further ado, let’s dive into it.
Dive into details
As the name suggests, Mars Stealer steals information from all renowned web browsers, various cryptocurrency wallets and extensions, and 2FA plugins. It is written in ASM/C using WinApi and leverages special techniques to conceal WinApi calls, gather information in the memory, support secure SSL connection with C2, and encrypt strings. In addition to this, Mars Stealer pilfers files from infected systems and has its own loader to reduce the infection footprint. The operators, however, have excluded Outlook from their target app list but experts believe that it may be included in future versions.
Why is it dangerous?
The malware size is a meager 95KB and evades detection by using Base64 and RC4 for string encryption.
All connections to the C2 are encrypted.
Furthermore, Mars Stealer includes Sleep function intervals to conduct timing checks. This ensures a mismatch occurs if a debugger is used.
The malware can also remove itself after stealing all user data or if and when the operator decides to delete it.
Interesting feature
Mars Stealer checks if a user is located in countries part of the Commonwealth of Independent States, a common feature among Russian-based malware.
If the victim’s system language ID matches Russia, Kazakhstan, Belarus, Uzbekistan, and Azerbaijan, it will wipe itself without causing any harm.
Moreover, if the malware’s compilation date is older than a month than the system time, it makes an exit.
The bottom line
At this time, Mars Stealer is being sold for $140 to $160 on hacking forums and hence, it is suspected that a lot of threat actors will get their hands on it to perform malicious activities. It is capable of causing massive headaches to its victims in the form of identity theft, cryptocurrency losses, privacy issues, and system infections.