# Arkei Variants: From Vidar to Mars Stealer

SANS ISC InfoSec Handlers Diary Blog, https://isc.sans.edu/diary/rss/28468

**Published:** 2022-03-23
**Last Updated:** 2022-03-23 01:53:45 UTC
**by** [Brad Duncan (Version: 1)](https://isc.sans.edu/handler_list.html#brad-duncan)
[0 comment(s)](https://isc.sans.edu/forums/diary/Arkei+Variants+From+Vidar+to+Mars+Stealer/28468/#comments)

## Introduction

Sometime in 2018, a new information stealer named Vidar appeared. Analysis revealed that [Vidar is an information stealer that is a copycat or fork of Arkei malware](https://fumik0.com/2018/12/24/lets-dig-into-vidar-an-arkei-copycat-forked-stealer-in-depth-analysis/). Since that time, Vidar has led to other Arkei-based variants. Today's diary reviews Vidar and two additional variants, [Oski Stealer](https://www.cyberark.com/resources/threat-research-blog/meet-oski-stealer-an-in-depth-analysis-of-the-popular-credential-stealer) and [Mars Stealer](https://cyberint.com/blog/research/mars-stealer/), based on analysis of their infection traffic.

_Shown above: At least two new Arkei variants seen since Vidar in 2018._

## Legitimate files used by Vidar, Oski, & Mars Stealer

During Vidar infections, the initial malware retrieves legitimate DLL files hosted on the same C2 server used for data exfiltration. These files are not malicious, but they are used by the Vidar malware binary.
- freebl3.dll (DLL for Thunderbird)
- mozglue.dll (DLL for Thunderbird)
- msvcp140.dll (Microsoft C runtime library)
- nss3.dll (DLL for Thunderbird)
- softokn3.dll (DLL for Thunderbird)
- vcruntime140.dll (Microsoft C runtime library)

To the above list, Oski Stealer and Mars Stealer add another legitimate DLL:

- sqlite3.dll (used for SQLite operations)

During Vidar infections, the initial malware binary requests each file from its C2 server. The image below reveals a separate HTTP GET request for each of the legitimate DLL files caused by [this Vidar sample from September 2019](https://bazaar.abuse.ch/sample/b4c9aadd18c1b6f613bf9d6db71dcc010bbdfe8b770b4084eeb7d5c77d95f180/).

_Shown above: Traffic from a Vidar infection in September 2019 filtered in Wireshark._

Like Vidar, Oski Stealer retrieves each of the legitimate DLL files separately, but Oski does not use the file names in its URLs for the DLLs. Traffic generated by [this Oski Stealer sample from January 2022](https://bazaar.abuse.ch/sample/c30ce79d7b5b0708dc03f1532fa89afd4efd732531cb557dc31fe63acd5bc1ce/) is shown below.

_Shown above: Traffic caused by an Oski Stealer infection in January 2022 filtered in Wireshark._

[Malware advertised in underground forums as Mars Stealer started to appear in 2021.](https://cyberint.com/blog/research/mars-stealer/) Current samples of Mars Stealer ([like this one](https://bazaar.abuse.ch/sample/7022a16d455a3ad78d0bbeeb2793cb35e48822c3a0a8d9eaa326ffc91dd9e625/)) retrieve the legitimate DLL files as a single zip archive. See the next three images for details.

_Shown above: Traffic caused by a Mars Stealer infection in March 2022 filtered in Wireshark._

_Shown above: TCP stream showing the zip archive retrieved by the Mars Stealer binary._

If we retrieve the zip archive from Mars Stealer traffic, we can extract the individual files from it as shown below.

_Shown above: Files from the zip archive retrieved by Mars Stealer._

## Data Exfiltration

Data exfiltration has evolved from Vidar to Oski Stealer to Mars Stealer.
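Detection heuristics for the three staging patterns described above (Vidar fetching the legitimate DLLs by name, Oski fetching them from unnamed URLs, Mars Stealer fetching a single zip archive) together with the zip-archive HTTP POST that all three use to send stolen data back, as an added example that is not part of the original diary. The flow-record format, the `classify_flows` name, the `min_dlls` threshold and the `.example` hosts are assumptions, and the sample flows are constructed rather than captured.

```python
from collections import defaultdict

# Legitimate DLLs the diary lists as staged from the C2 (Oski and Mars Stealer add sqlite3.dll).
STAGED_DLLS = {"freebl3.dll", "mozglue.dll", "msvcp140.dll", "nss3.dll",
               "softokn3.dll", "vcruntime140.dll", "sqlite3.dll"}
ZIP_MAGIC, PE_MAGIC = b"PK\x03\x04", b"MZ"  # zip local file header; DOS header of a Windows PE (DLL/EXE)

def flow(src, dst, method, uri, req=b"", resp=b""):
    """One constructed HTTP flow record (field names are an assumption, not a real log format)."""
    return {"src": src, "dst": dst, "method": method, "uri": uri, "req_body": req, "resp_body": resp}

def classify_flows(flows, min_dlls=4):
    """Map (src, dst) -> findings for the staging and exfiltration patterns in the diary."""
    names, pe_gets, zip_gets, zip_posts = defaultdict(set), defaultdict(int), defaultdict(int), defaultdict(int)
    for f in flows:
        key = (f["src"], f["dst"])
        if f["method"] == "GET":
            leaf = f["uri"].split("?")[0].rsplit("/", 1)[-1].lower()
            if leaf in STAGED_DLLS:
                names[key].add(leaf)        # Vidar: DLL file names visible in the URL
            if f["resp_body"].startswith(PE_MAGIC):
                pe_gets[key] += 1           # Oski: opaque URLs, but each response body is a PE file
            elif f["resp_body"].startswith(ZIP_MAGIC):
                zip_gets[key] += 1          # Mars Stealer: all DLLs arrive in a single zip archive
        elif f["method"] == "POST" and ZIP_MAGIC in f["req_body"]:
            zip_posts[key] += 1             # all three: stolen data is POSTed back as a zip archive
    findings = {}
    for key in set(names) | set(pe_gets) | set(zip_gets) | set(zip_posts):
        if len(names[key]) >= min_dlls:
            staging = "vidar-style: legitimate DLLs fetched by name over HTTP"
        elif pe_gets[key] >= min_dlls:
            staging = "oski-style: several PE files fetched from unnamed URLs"
        elif zip_gets[key] and zip_posts[key]:
            staging = "mars-style: zip fetched from the same server that receives a zip POST"
        else:
            continue                        # a single DLL or zip download alone is not suspicious
        findings[key] = [staging]
        if zip_posts[key]:
            findings[key].append("zip archive POSTed to the staging server: possible exfiltration")
    return findings

# Constructed sample flows modelled on the three infections in the diary, plus benign noise.
V, O, M = "c2-vidar.example", "c2-oski.example", "c2-mars.example"  # placeholder hosts
SAMPLE_FLOWS = (
    [flow("10.0.0.5", V, "GET", f"/{d}", resp=b"MZ\x90") for d in sorted(STAGED_DLLS - {"sqlite3.dll"})]
    + [flow("10.0.0.5", V, "POST", "/", req=b"--boundary\r\n" + ZIP_MAGIC)]
    + [flow("10.0.0.6", O, "GET", f"/{i}", resp=b"MZ\x90") for i in range(1, 8)]
    + [flow("10.0.0.6", O, "POST", "/", req=ZIP_MAGIC)]
    + [flow("10.0.0.7", M, "GET", "/dlls.zip", resp=ZIP_MAGIC), flow("10.0.0.7", M, "POST", "/gate", req=ZIP_MAGIC)]
    + [flow("10.0.0.8", "updates.example", "GET", "/nss3.dll", resp=b"MZ"),   # one legitimate DLL
       flow("10.0.0.8", "files.example", "GET", "/tool.zip", resp=ZIP_MAGIC)]  # one ordinary zip download
)
```

Matching on the DLL file names alone misses Oski, which is why the response-body PE check is there; all three checks assume plaintext HTTP on port 80, as in the diary's captures.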
All three types of malware send a zip archive containing data stolen from the infected Windows host, but the patterns have changed. Below are images that illustrate the HTTP POST requests that send stolen data to their C2 servers. Arrows highlight the zip archives.

_Shown above: Data exfiltration from a Vidar infection in September 2019 (part 1 of 2)._

_Shown above: Data exfiltration from a Vidar infection in September 2019 (part 2 of 2)._

_Shown above: Data exfiltration from an Oski Stealer infection in January 2022._

_Shown above: Data exfiltration from a Mars Stealer infection in March 2022._

The content of the zip archives posted by Vidar, Oski Stealer, and Mars Stealer has also evolved. See the images below for details.

_Shown above: Contents of zip archive sent during a Vidar infection in September 2019._

_Shown above: Contents of zip archive sent during a Vidar infection in January 2022._

_Shown above: Contents of zip archive sent during a Vidar infection in March 2022._

## Indicators of Compromise (IOCs)

Below are the three malware samples used for today's diary:

- [b4c9aadd18c1b6f613bf9d6db71dcc010bbdfe8b770b4084eeb7d5c77d95f180](https://bazaar.abuse.ch/sample/b4c9aadd18c1b6f613bf9d6db71dcc010bbdfe8b770b4084eeb7d5c77d95f180/) (Vidar)
- [c30ce79d7b5b0708dc03f1532fa89afd4efd732531cb557dc31fe63acd5bc1ce](https://bazaar.abuse.ch/sample/c30ce79d7b5b0708dc03f1532fa89afd4efd732531cb557dc31fe63acd5bc1ce/) (Oski Stealer)
- [7022a16d455a3ad78d0bbeeb2793cb35e48822c3a0a8d9eaa326ffc91dd9e625](https://bazaar.abuse.ch/sample/7022a16d455a3ad78d0bbeeb2793cb35e48822c3a0a8d9eaa326ffc91dd9e625/) (Mars Stealer)

Below are C2 domains used by the above samples:

- 104.200.67[.]209 port 80 - dersed[.]com - Vidar C2 in September 2019
- 2.56.57[.]108 port 80 - 2.56.57[.]108 - Oski Stealer C2 in January 2022
- 5.63.155[.]126 port 80 - sughicent[.]com - Mars Stealer C2 in March 2022

## References

- [Let's dig into Vidar - An Arkei Copycat/Forked Stealer (In-depth analysis)](https://fumik0.com/2018/12/24/lets-dig-into-vidar-an-arkei-copycat-forked-stealer-in-depth-analysis/)
- [Meet Oski Stealer: An In-depth Analysis of the Popular Credential Stealer](https://www.cyberark.com/resources/threat-research-blog/meet-oski-stealer-an-in-depth-analysis-of-the-popular-credential-stealer)
- [Like Father Like Son? New Mars Stealer](https://cyberint.com/blog/research/mars-stealer/)

## Final Words

In recent weeks, Hancitor infections have been pushing Mars Stealer EXE files as follow-up malware. However, Mars Stealer can be distributed through other methods. Although it is not as widely distributed as other malware like Qakbot or Emotet, Mars Stealer is a noticeable part of our current threat landscape.

--Brad Duncan
brad [at] malware-traffic-analysis.net