Introduction

On approximately July 2, 2020, Oski support has stopped contacting customers and deleted a telegram account and bot. This was supposed to attract attention because such large projects don’t just go away (for example KPOT Stealer and Predator The Thief).

When I found a sample of Mars Stealer, I noticed that it’s just an improved copy of Oski Stealer. As I expected at the last time Mars is gaining popularity, therefore I decided to write a technical analysis of this newcomer. Enjoy reading!

Technical overview

Mars Stealer written in ASM/C with using WinApi, weight is 95 kb. Uses special techniques to hide WinApi calls, encrypts strings, collects information in the memory, supports secured SSL-connection with C&C, doesn’t use CRT, STD.

Browsers (supports Chrome V80):

  • Internet Explorer, Microsoft Edge (Chromium Version), Kometa, Amigo, Torch, Orbitium, Comodo Dragon, Nichrome, Maxxthon5, Maxxthon6, Sputnik Browser, Epic Privacy Browser, Vivaldi, CocCoc, Uran Browser, QIP Surf, Cent Browser, Elements Browser, TorBro Browser, CryptoTab Browser, Brave, Opera Stable, Opera GX, Opera Neon, Firefox, SlimBrowser, PaleMoon, Waterfox, CyberFox, BlackHawk, IceCat, K-Meleon, Thunderbird.

Crypto extensions:

  • TronLink, MetaMask, Binance Chain Wallet, Yoroi, Nifty Wallet, Math Wallet, Coinbase Wallet, Guarda, EQUAL Wallet, Jaox Liberty, BitAppWllet, iWallet, Wombat, MEW CX, Guild Wallet, Saturn Wallet, Ronin Wallet, Neoline, Clover Wallet, Liquality Wallet, Terra Station, Keplr, Sollet, Auro Wallet, Polymesh Wallet, ICONex, Nabox Wallet, KHC, Temple, TezBox Cyano Wallet, Byone, OneKey, Leaf Wallet, DAppPlay, BitClip, Steem Keychain, Nash Extension, Hycon Lite Client, ZilPay, Coin98 Wallet.

2FA plugins:

  • Authenticator, Authy, EOS Authenticator, GAuth Authenticator, Trezor Password Manager.

Crypto wallets:

  • Bitcoin Core and all derivatives (Dogecoin, Zcash, DashCore, LiteCoin, etc), Ethereum, Electrum, Electrum LTC, Exodus, Electron Cash, MultiDoge, JAXX, Atomic, Binance, Coinomi.

Computer information:

  • IP and country
  • Working path to EXE file
  • Local time and time zone
  • Language system
  • Language keyboard layout
  • Notebook or desktop
  • Processor model
  • Computer name
  • User name
  • Domain computer name
  • Machine ID
  • GUID
  • Installed software and their versions

Additional functional:

  • Files grabber
  • Loader

Obfuscation techniques

Strings encryption

Most strings are encrypted using combinations of RC4 and Base64. The decryption key of RC4 is stored in the decrypt_key variable that was declared in the Run-Time Dynamic Linking function. In this case, the decryption key is 86223203794583053453.

Anti-analysis techniques

Run-Time Dynamic Linking

The first called function from WinMain declares decryption key for encrypted strings and unencrypted strings, which contain names of WinApi functions for Run-Time Dynamic Linking.

Mars gets a module handle of kernel32.dll by parsing InLoadOrderModuleList which usually contains kernel32 library as its 3rd element (0x18 address). After obtaining the base address of kernel32.dll, it parses the PE file and loops over the exported functions of the DLL to get the address of the LoadLibaryA() and GetProcAddress() functions.

After procedures with kernel32 functions, LoadLibraryA() loads advapi32.dll library and gets the address of the GetUserNameA() for anti-emulation check. The same thing program does with crypt32.dll and gets the address of CryptStringToBinaryA() for strings decryption.

Timing-based anti-debug

Malware initializes a double word (4 bytes) and calls the GetTickCount() function that returns the number of milliseconds that have elapsed since the system has started. Then calls the Sleep() to suspend the execution of the current thread until 15000 milliseconds (15 seconds). GetTickCount() again gets the time and malware uses the first result to subtract then checks if a gotten number is greater than 10000 milliseconds (10 seconds). If the function returns true, it means that the Sleep() hasn’t been skipped by the debugger and malware continues execution flow.

Anti-emulation

Anti-emulation is used to avoid running in the Windows Defender emulator. Malware compares the current computer name with HAL9TH and the username with JohnDoe. If the computer name and username have coincided, the malware finishes execution.

Security checks

Anti-CIS

This feature is used to avoid infection of machines from the Commonwealth of Independent States (CIS) by using GetUserDefaultLangID() that returns the language identifier of the region format setting for the current user. If the user language ID matches one from the list, the stealer finishes execution.

Language ID Language-tag Country
0x43F kk-KZ Kazakhstan
0x443 us-Latb-US Uzbekistan
0x82C az-Cyrl-AZ Azerbaijan
0x43Fu kk-KZ Kazakhstan
0x419u ru-RU Russia
0x423u ru-BY Belarus

Mutex

If all checks have passed, the malware creates a mutex object using CreateMutexA() to avoid repeat launch. Mutex name is the same as a strings decryption key, but they are stored in different variables. Then calls GetLastError() which gets the last error, and if the error code is equal to 183 (ERROR_ALREADY_EXIST) it means that mutex already exists therefore malware finishes execution.

Expiration check

The compilation_date variable contains 28/08/2021 00:00:00. The month on this date has increased by 1 unit, so malware can’t run after a month of compilation. Accordingly, this sample was compiled not on 28/08/2021, but on 28/07/2021.

Mars uses GetSystemTime() to put current system time to a struct, then calls sscanf() to parse the compilation date. SystemTimeToFileTime() is used to convert the current date and compilation date from system time to file time format.

If the current file time is bigger than the compile time, the malware calls `ExitProcess()` to finish the process.

External DLLs

When stealing Gecko browsers credentials, the malware makes 6 requests using WinINet libary to download dependencies from the public folder and saves them in the ProgramData folder, but sqlite3.dll is downloading before chrome stealing starts. At the end of execution, malware deletes mentioned DLLs and finishes execution.

DLL name Download url Save path Description
sqlite3.dll http://cookreceipts.fun/public/sqlite3.dll C:\ProgramData\sqlite3.dll Libary for chromium data
freebl3.dll http://cookreceipts.fun/public/freebl3.dll C:\ProgramData\freebl3.dll Library for the NSS (Gecko-based)
mozglue.dll http://cookreceipts.fun/public/mozglue.dll C:\ProgramData\mozglue.dll Mozilla Browser Library
msvcp140.dll http://cookreceipts.fun/public/msvcp140.dll C:\ProgramData\msvcp140.dll Visual C++ Runtime 2015
nss3.dll http://cookreceipts.fun/public/nss3.dll C:\ProgramData\nss3.dll Network System Services Library (Gecko-based)
softokn3.dll http://cookreceipts.fun/public/softokn3.dll C:\ProgramData\softokn3.dll Mozilla Browser Library
vcruntime140.dll http://cookreceipts.fun/public/vcruntime140.dll C:\ProgramData\vcruntime140.dll Visual C++ Runtime 2015

Stealing functional

Browsers

Mars steals credentials from Chromium and Gecko browsers by static paths, therefore it supports only the most popular.

Browser name Browser folder
Chrome %localappdata%\Google\Chrome\User Data
Chromium %localappdata%\Chromium\User Data
Microsoft Edge %localappdata%\Microsoft\Edge\User Data
Kometa %localappdata%\Kometa\User Data
Amigo %localappdata%\Amigo\User Data
Torch %localappdata%\Torch\User Data
Orbitum %localappdata%\Orbitum\User Data
Comodo %localappdata%\Comodo\Dragon\User Data
Nichrome %localappdata%\Nichrome\User Data
Maxthon5 %localappdata%\Maxthon5\Users
Sputnik %localappdata%\Sputnik\User Data
Epic Privacy Browser %localappdata%\Epic Privacy Browser\User Data
Vivaldi %localappdata%\Vivaldi\User Data
CocCoc %localappdata%\CocCoc\Browser\User Data
Uran %localappdata%\uCozMedia\Uran\User Data
QIP Surf %localappdata%\QIP Surf\User Data
Cent Browser %localappdata%\CentBrowser\User Data
Elements Browser %localappdata%\Elements Browser\User Data
TorBro %localappdata%\TorBro\Profile
CryptoTab Browser %localappdata%\CryptoTab Browser\User Data
Brave %localappdata%\BraveSoftware\Brave-Browser\User Data
Opera %appdata%\Opera Software\Opera Stable\
Opera GX %appdata%\Opera Software\Opera GX Stable\
Opera Neon %appdata%\Opera Software\Opera Neon\User Data
Firefox %appdata%\Mozilla\Firefox\Profiles\
SlimBrowser %appdata%\FlashPeak\SlimBrowser\Profiles
Pale Moon %appdata%\Moonchild Productions\Pale Moon\Profiles\
Waterfox %appdata%\Waterfox\Profiles\
Cyberfox %appdata%\8pecxstudios\Cyberfox\Profiles\
BlackHawk %appdata%\NETGATE Technologies\BlackHawk\Profiles\
IceCat %appdata%\Mozilla\icecat\Profiles\
K-Meleon %appdata%\K-Meleon\
Thunderbird %appdata%\Thunderbird\Profiles\
2FA/crypto extensions

This malware also targets 2FA and crypto extensions, but only in Chromium-based browsers (opera is an exception).

Type Extension name Extension id
Crypto TronLink ibnejdfjmmkpcnlpebklmnkoeoihofec
Crypto MetaMask nkbihfbeogaeaoehlefnkodbefgpgknn
Crypto Binance Chain Wallet fhbohimaelbohpjbbldcngcnapndodjp
Crypto Yoroi ffnbelfdoeiohenkjibnmadjiehjhajb
Crypto Nifty Wallet jbdaocneiiinmjbjlgalhcelgbejmnid
Crypto Math Wallet afbcbjpbpfadlkmhmclhkeeodmamcflc
Crypto Coinbase Wallet hnfanknocfeofbddgcijnmhnfnkdnaad
Crypto Guarda hpglfhgfnhbgpjdenjgmdgoeiappafln
Crypto EQUAL Wallet blnieiiffboillknjnepogjhkgnoapac
Crypto Jaxx Liberty cjelfplplebdjjenllpjcblmjkfcffne
Crypto BitApp Wallet fihkakfobkmkjojpchpfgcmhfjnmnfpi
Crypto iWallet kncchdigobghenbbaddojjnnaogfppfj
Crypto Wombat amkmjjmmflddogmhpjloimipbofnfjih
Crypto MEW CX nlbmnnijcnlegkjjpcfjclmcfggfefdm
Crypto GuildWallet nanjmdknhkinifnkgdcggcfnhdaammmj
Crypto Saturn Wallet nkddgncdjgjfcddamfgcmfnlhccnimig
Crypto Ronin Wallet fnjhmkhhmkbjkkabndcnnogagogbneec
Crypto NeoLine cphhlgmgameodnhkjdmkpanlelnlohao
Crypto Clover Wallet nhnkbkgjikgcigadomkphalanndcapjk
Crypto Liquality Wallet kpfopkelmapcoipemfendmdcghnegimn
Crypto Terra Station aiifbnbfobpmeekipheeijimdpnlpgpp
Crypto Keplr dmkamcknogkgcdfhhbddcghachkejeap
Crypto Sollet fhmfendgdocmcbmfikdcogofphimnkno
Crypto Auro Wallet cnmamaachppnkjgnildpdmkaakejnhae
Crypto Polymesh Wallet jojhfeoedkpkglbfimdfabpdfjaoolaf
Crypto ICONex flpiciilemghbmfalicajoolhkkenfel
Crypto Nabox Wallet nknhiehlklippafakaeklbeglecifhad
Crypto KHC hcflpincpppdclinealmandijcmnkbgn
Crypto Temple ookjlbkiijinhpmnjffcofjonbfbgaoc
Crypto TezBox mnfifefkajgofkcjkemidiaecocnkjeh
Crypto Cyano Wallet dkdedlpgdmmkkfjabffeganieamfklkm
Crypto Byone nlgbhdfgdhgbiamfdfmbikcdghidoadd
Crypto OneKey infeboajgfhgbjpjbeppbkgnabfdkdaf
Crypto LeafWallet cihmoadaighcejopammfbmddcmdekcje
Crypto DAppPlay lodccjjbdhfakaekdiahmedfbieldgik
Crypto BitClip ijmpgkjfkbfhoebgogflfebnmejmfbml
Crypto Steem Keychain lkcjlnjfpbikmcmbachjpdbijejflpcm
Crypto Nash Extension onofpnbbkehpmmoabgpcpmigafmmnjhl
Crypto Hycon Lite Client bcopgchhojmggmffilplmbdicgaihlkp
Crypto ZilPay klnaejjgbibmhlephnhpmaofohgkpgkd
Crypto Coin98 Wallet aeachknmefphepccionboohckonoeemg
2FA Authenticator bhghoamapcdpbohphigoooaddinpkbai
2FA Authy gaedmjdfmmahhbjefcbgaolhhanlaolb
2FA EOS Authenticator oeljdldpnmdbchonielidgobddffflal
2FA GAuth Authenticator ilgcnhelpchnceeipipijaljkblbcobl
2FA Trezor Password Manager imloifkgjagghnncjkhggdhalmcnfklk

Wallets

The malware targets multiple wallets, which stores sensitive data in files as wallet.dat that contains the address, the private key to access this address, and other data.

Wallet name Wallet folder Regex
Ethereum %appdata%\Ethereum\ keystore
Electrum %appdata%\Electrum\wallets\ .
Electrum LTC %appdata%\Electrum-LTC\wallets\ .
Exodus %appdata%\Exodus\ exodus.conf.json, window-state.json, \Exodus\exodus.wallet\, passphrase.json, seed.seco, info.seco
Electron Cash %appdata%\ElectronCash\wallets\ default_wallet
MultiDoge %appdata%\MultiDoge\ multidoge.wallet
Jaxx %appdata%\jaxx\Local Storage\ file__0.localstorage
Atomic %appdata%\atomic\Local Storage\leveldb\ 000003.log, CURRENT, LOCK, LOG, MANIFEST.000001, 0000*
Binance %appdata%\Binance\ app-store.json
Coinomi %localappdata%\Coinomi\Coinomi\wallets\ *.wallet, *.config

Grabber

Mars has a custom grabber with multiple functions. First, the malware makes a request to C&C and gets config as a response. Grabber config looks like this name|max_size|path|formats|recursively|. Then uses setup_grabber() which use strtok() with lstrcatA() to parse grabber config and calls grabber() which performs grabbing.

Loader

Malware gets loader config as the response while uploading log. This config looks like this link|load_to|startup_param| (download link, path to a loaded file, start-up parameters).

To download file stealer calls download_file() function. Then uses strtok() with lstrcatA() to parse config parameters and calls ShellExecuteExA() to execute executable.

Self-removal

Malware gets the way to itself by using GetModuleFileName() and calls ShellExecuteExA() which executes cmd.exe with /c timeout /t 5 & del /f /q \"%s\" & exit parameters. After 5 seconds cmd.exe deletes current executable.

Conclusion

Mars Stealer it’s an improved version of Oski Stealer. Have been added anti-debug check, crypto extensions stealing, but outlook stealing is missing. The code has been refactoring, but some algorithms remained stupid as in Oski Stealer. Here you can read detailed Oski Stealer analysis from CyberArk.

IOCs

Related tweets: 1 2

6143734a8c9cae36bfde4f4b67f3c604 VirusTotal Bazaar

cookreceipts[.]fun VirusTotal Urlhaus