A powerful infostealer malware named Mars Stealer is being offered to cybercriminals on Russian-speaking hacker forums. A threat actor can either buy the base version of Mars Stealer for $140 or pay $20 more for the extended variant. An analysis by the security researcher @3xp0rt determined that Mars Stealer is, for the most part, a redesign of a similar malware named Oski, whose development was abruptly shut down in mid-2020.
Mars Stealer can target over 100 different applications and obtain sensitive private information from them. First, a custom grabber fetches the threat's configuration from the operation's Command-and-Control (C2, C&C) server. Afterward, Mars Stealer extracts data from the most popular Web browsers, 2FA (Two-Factor Authentication) applications, crypto extensions and crypto-wallets.
Among the affected applications are Chrome, Internet Explorer, Edge (Chromium version), Opera, Sputnik Browser, Vivaldi, Brave, Firefox, Authenticator, GAuth Authenticator, MetaMask, Binance, Coinbase Wallet, Coinomi, Bitcoin Core and its derivatives, Ethereum, Electrum and many more. Additional system information is also captured and exfiltrated by the threat. These details include the IP address, country, local time and time zone, language, keyboard layout, user name, domain computer name, Machine ID, GUID, software installed on the device, etc.
Anti-Detection and Evasion Techniques
Mars Stealer is designed to minimize its footprint on infected devices. The threat is equipped with a custom wiper that can be activated after the targeted data has been collected or whenever the attackers decide to do so. To make detection more difficult, the malware uses routines that hide its API calls, and it encrypts its strings with RC4 and encodes them in Base64. Furthermore, communication with the C2 is done via the SSL (Secure Sockets Layer) protocol and is therefore also encrypted.
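The RC4-plus-Base64 layering described above is something an analyst has to peel back when triaging a sample. The following added example (not code from the original article or from the malware) shows a plain string decoder: it Base64-decodes a blob and then RC4-decrypts it with a key the analyst has already recovered from the sample. The key and the encoded strings here are constructed for illustration; real samples use their own key, which this page does not state.

```python
import base64


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (symmetric: the same routine encrypts and decrypts)."""
    # Key-scheduling algorithm (KSA): permute the state array with the key.
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    # Pseudo-random generation algorithm (PRGA): XOR the keystream into data.
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def decode_string(blob: str, key: bytes) -> str:
    """Undo the layering the article describes: Base64 first, then RC4."""
    return rc4(key, base64.b64decode(blob)).decode("utf-8", errors="replace")


def encode_string(plaintext: str, key: bytes) -> str:
    """Inverse of decode_string; used only to build constructed test data."""
    return base64.b64encode(rc4(key, plaintext.encode("utf-8"))).decode("ascii")


def decode_string_table(blobs: list, key: bytes) -> list:
    """Decode a whole list of obfuscated strings, e.g. a table dumped from a sample."""
    return [decode_string(b, key) for b in blobs]


# Constructed sample data (hypothetical key; strings chosen to resemble the
# kind of artifacts a browser-data grabber references).
SAMPLE_KEY = b"example-key-placeholder"
SAMPLE_BLOBS = [
    encode_string("\\Google\\Chrome\\User Data\\Default\\Login Data", SAMPLE_KEY),
    encode_string("\\Mozilla\\Firefox\\Profiles", SAMPLE_KEY),
    encode_string("wallet.dat", SAMPLE_KEY),
]

if __name__ == "__main__":
    for blob, plain in zip(SAMPLE_BLOBS, decode_string_table(SAMPLE_BLOBS, SAMPLE_KEY)):
        print(f"{blob}  ->  {plain}")
```

Because RC4 is symmetric, the same `rc4` routine both encrypts and decrypts; the decoder's only real work is ordering the two layers correctly (Base64 outermost). The RC4 implementation can be sanity-checked against the published test vector where key `Key` and plaintext `Plaintext` produce ciphertext `BBF316E8D940AF0AD3`.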
Mars Stealer performs several checks and, if certain conditions are met, the threat will not activate. For example, if the language ID of the breached device matches any of the following countries (Russia, Azerbaijan, Belarus, Uzbekistan, and Kazakhstan), Mars Stealer terminates its execution. The same happens if the compilation date is more than a month older than the system time.
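Both self-termination conditions above matter to defenders running a sample in a sandbox: a machine with an excluded locale, or a system clock more than a month past the binary's compile timestamp, will simply show no malicious behaviour. The added example below (not code from the article or from the malware) is a pre-flight check an analyst can run before detonation: it reads the compile timestamp out of the PE header, computes its age against the sandbox clock, and checks the sandbox's Windows language ID against the primary language IDs of the five countries named. The PE bytes are a constructed minimal header; the primary language IDs are the standard Windows values (Russian 0x19, Azerbaijani 0x2C, Belarusian 0x23, Uzbek 0x43, Kazakh 0x3F), and the one-month threshold is taken from the text.

```python
import struct
from datetime import datetime, timedelta, timezone

# Windows primary language IDs (low 10 bits of a LANGID) for the countries the
# article lists as excluded. Standard values from the Windows SDK.
EXCLUDED_PRIMARY_LANGS = {
    0x19: "Russian",
    0x2C: "Azerbaijani",
    0x23: "Belarusian",
    0x43: "Uzbek",
    0x3F: "Kazakh",
}

MAX_AGE = timedelta(days=30)  # "older than a month", per the article


def compile_timestamp(pe: bytes) -> datetime:
    """Return the COFF TimeDateStamp of a PE image as a UTC datetime."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    # COFF header: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    (ts,) = struct.unpack_from("<I", pe, e_lfanew + 8)
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def primary_lang(langid: int) -> int:
    """Low 10 bits of a Windows LANGID identify the primary language."""
    return langid & 0x3FF


def sandbox_preflight(pe: bytes, sandbox_langid: int, sandbox_now: datetime) -> list:
    """Return the reasons (if any) the sample would self-terminate in this sandbox."""
    reasons = []
    lang = primary_lang(sandbox_langid)
    if lang in EXCLUDED_PRIMARY_LANGS:
        reasons.append(f"sandbox language ID is {EXCLUDED_PRIMARY_LANGS[lang]} (excluded locale)")
    built = compile_timestamp(pe)
    age = sandbox_now - built
    if age > MAX_AGE:
        reasons.append(f"compile timestamp {built:%Y-%m-%d} is {age.days} days old (> 30)")
    return reasons


def build_minimal_pe(ts: int) -> bytes:
    """Constructed 64-byte DOS stub + PE signature + COFF header, just enough to parse."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)          # e_lfanew -> right after the stub
    coff = struct.pack("<HHIIIHH", 0x014C, 0, ts, 0, 0, 0, 0)  # i386, no sections
    return bytes(dos) + b"PE\0\0" + coff


# Constructed sample: a binary "built" on 2022-01-15 (UTC).
SAMPLE_BUILD = datetime(2022, 1, 15, tzinfo=timezone.utc)
SAMPLE_PE = build_minimal_pe(int(SAMPLE_BUILD.timestamp()))
LANG_EN_US = 0x0409
LANG_RU_RU = 0x0419

if __name__ == "__main__":
    now = datetime(2022, 2, 20, tzinfo=timezone.utc)
    for langid in (LANG_EN_US, LANG_RU_RU):
        print(hex(langid), sandbox_preflight(SAMPLE_PE, langid, now) or ["would run"])
```

If the pre-flight reports the age condition, set the sandbox clock to within a month of the compile timestamp before detonating; if it reports the locale condition, detonate on a VM with a different system language. Note that the check only reads the header, so a forged timestamp (not uncommon in malware) would mislead it just as it would mislead the sample's own check.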