# Mars Stealer: Oski refactoring **3xp0rt.com/posts/mars-stealer** 3xp0rt February 1, 2022 Feb 1, 2022 ## Introduction On approximately July 2, 2020, Oski support has stopped contacting customers and deleted a telegram account and bot. This was supposed to attract attention because such large projects don’t just go away (for example KPOT Stealer and Predator The Thief). When I found a sample of Mars Stealer, I noticed that it’s just an improved copy of Oski Stealer. As I expected at the last time Mars is gaining popularity, therefore I decided to write a technical analysis of this newcomer. Enjoy reading! ## Technical overview Mars Stealer written in ASM/C with using WinApi, weight is 95 kb. Uses special techniques to hide WinApi calls, encrypts strings, collects information in the memory, supports secured SSL-connection with C&C, doesn’t use CRT, STD. Browsers (supports Chrome V80): Internet Explorer, Microsoft Edge (Chromium Version), Kometa, Amigo, Torch, Orbitium, Comodo Dragon, Nichrome, Maxxthon5, Maxxthon6, Sputnik Browser, Epic Privacy Browser, Vivaldi, CocCoc, Uran Browser, QIP Surf, Cent Browser, Elements Browser, TorBro Browser, CryptoTab Browser, Brave, Opera Stable, Opera GX, Opera Neon, Firefox, SlimBrowser, PaleMoon, Waterfox, CyberFox, BlackHawk, IceCat, KMeleon, Thunderbird. Crypto extensions: TronLink, MetaMask, Binance Chain Wallet, Yoroi, Nifty Wallet, Math Wallet, Coinbase Wallet, Guarda, EQUAL Wallet, Jaox Liberty, BitAppWllet, iWallet, Wombat, MEW CX, Guild Wallet, Saturn Wallet, Ronin Wallet, Neoline, Clover Wallet, Liquality Wallet, Terra Station, Keplr, Sollet, Auro Wallet, Polymesh Wallet, ICONex, Nabox Wallet, KHC, Temple, TezBox Cyano Wallet, Byone, OneKey, Leaf Wallet, DAppPlay, BitClip, Steem Keychain, Nash Extension, Hycon Lite Client, ZilPay, Coin98 Wallet. 2FA plugins: Authenticator, Authy, EOS Authenticator, GAuth Authenticator, Trezor Password Manager. Crypto wallets: Bitcoin Core and all derivatives (Dogecoin, Zcash, DashCore, LiteCoin, etc), Ethereum, Electrum, Electrum LTC, Exodus, Electron Cash, MultiDoge, JAXX, Atomic, Binance, Coinomi. Computer information: IP and country Working path to EXE file Local time and time zone Language system Language keyboard layout ----- Notebook or desktop Processor model Computer name User name Domain computer name Machine ID GUID Installed software and their versions Additional functional: Files grabber Loader ## Obfuscation techniques **Strings encryption** ----- Most strings are encrypted using combinations of RC4 and Base64. The decryption key of RC4 is stored in the ``` decrypt_key variable that was declared in the Run-Time Dynamic Linking function. In this case, the decryption ``` key is `86223203794583053453 .` ## Anti-analysis techniques **Run-Time Dynamic Linking** The first called function from `WinMain declares decryption key for encrypted strings and unencrypted strings,` which contain names of WinApi functions for Run-Time Dynamic Linking. Mars gets a module handle of kernel32.dll by parsing `InLoadOrderModuleList which usually contains kernel32` library as its 3rd element (0x18 address). After obtaining the base address of kernel32.dll, it parses the PE file and loops over the exported functions of the DLL to get the address of the `LoadLibaryA() and` `GetProcAddress()` functions. After procedures with kernel32 functions, `LoadLibraryA() loads` `advapi32.dll library and gets the address` of the `GetUserNameA() for anti-emulation check. The same thing program does with` `crypt32.dll and gets` the address of `CryptStringToBinaryA() for strings decryption.` ----- **Timing-based anti-debug** Malware initializes a double word (4 bytes) and calls the `GetTickCount() function that returns the number of` milliseconds that have elapsed since the system has started. Then calls the `Sleep() to suspend the execution of` the current thread until 15000 milliseconds (15 seconds). `GetTickCount() again gets the time and malware uses` the first result to subtract then checks if a gotten number is greater than 10000 milliseconds (10 seconds). If the function returns true, it means that the `Sleep() hasn’t been skipped by the debugger and malware continues` execution flow. **Anti-emulation** Anti-emulation is used to avoid running in the Windows Defender emulator. Malware compares the current computer name with `HAL9TH and the username with` `JohnDoe . If the computer name and username have` coincided, the malware finishes execution. ----- ## Security checks **Anti-CIS** This feature is used to avoid infection of machines from the Commonwealth of Independent States (CIS) by using ``` GetUserDefaultLangID() that returns the language identifier of the region format setting for the current user. ``` If the user language ID matches one from the list, the stealer finishes execution. **Language ID** **Language-tag** **Country** 0x43F kk-KZ Kazakhstan 0x443 us-Latb-US Uzbekistan 0x82C az-Cyrl-AZ Azerbaijan 0x43Fu kk-KZ Kazakhstan 0x419u ru-RU Russia ----- **Language ID** **Language-tag** **Country** 0x423u ru-BY Belarus **Mutex** If all checks have passed, the malware creates a mutex object using `CreateMutexA() to avoid repeat launch.` Mutex name is the same as a strings decryption key, but they are stored in different variables. Then calls ``` GetLastError() which gets the last error, and if the error code is equal to 183 (ERROR_ALREADY_EXIST) it ``` means that mutex already exists therefore malware finishes execution. **Expiration check** The `compilation_date variable contains` `28/08/2021 00:00:00 . The month on this date has increased by 1` unit, so malware can’t run after a month of compilation. Accordingly, this sample was compiled not on ``` 28/08/2021, but on 28/07/2021 . ``` Mars uses `GetSystemTime() to put current system time to a struct, then calls` `sscanf() to parse the` compilation date. `SystemTimeToFileTime() is used to convert the current date and compilation date from` system time to file time format. If the current file time is bigger than the compile time, the malware calls ``ExitProcess()` to finish the process.` ## External DLLs ----- When stealing Gecko browsers credentials, the malware makes 6 requests using WinINet libary to download dependencies from the public folder and saves them in the ProgramData folder, but `sqlite3.dll is` downloading before chrome stealing starts. At the end of execution, malware deletes mentioned DLLs and finishes execution. **DLL name** **Download url** **Save path** **Description** sqlite3.dll http://cookreceipts.fun/public/sqlite3.dll C:\ProgramData\sqlite3.dll Libary for chromium data freebl3.dll http://cookreceipts.fun/public/freebl3.dll C:\ProgramData\freebl3.dll Library for the NSS (Geckobased) mozglue.dll http://cookreceipts.fun/public/mozglue.dll C:\ProgramData\mozglue.dll Mozilla Browser Library msvcp140.dll http://cookreceipts.fun/public/msvcp140.dll C:\ProgramData\msvcp140.dll Visual C++ Runtime 2015 nss3.dll http://cookreceipts.fun/public/nss3.dll C:\ProgramData\nss3.dll Network System Services Library (Geckobased) ----- **DLL name** **Download url** **Save path** **Description** softokn3.dll http://cookreceipts.fun/public/softokn3.dll C:\ProgramData\softokn3.dll Mozilla Browser Library vcruntime140.dll http://cookreceipts.fun/public/vcruntime140.dll C:\ProgramData\vcruntime140.dll Visual C++ Runtime 2015 ## Stealing functional **Browsers** Mars steals credentials from Chromium and Gecko browsers by static paths, therefore it supports only the most popular. **Browser name** **Browser folder** ----- **Browser name** **Browser folder** Chrome %localappdata%\Google\Chrome\User Data Chromium %localappdata%\Chromium\User Data Microsoft Edge %localappdata%\Microsoft\Edge\User Data Kometa %localappdata%\Kometa\User Data Amigo %localappdata%\Amigo\User Data Torch %localappdata%\Torch\User Data Orbitum %localappdata%\Orbitum\User Data Comodo %localappdata%\Comodo\Dragon\User Data Nichrome %localappdata%\Nichrome\User Data Maxthon5 %localappdata%\Maxthon5\Users Sputnik %localappdata%\Sputnik\User Data Epic Privacy Browser %localappdata%\Epic Privacy Browser\User Data Vivaldi %localappdata%\Vivaldi\User Data CocCoc %localappdata%\CocCoc\Browser\User Data Uran %localappdata%\uCozMedia\Uran\User Data QIP Surf %localappdata%\QIP Surf\User Data Cent Browser %localappdata%\CentBrowser\User Data Elements Browser %localappdata%\Elements Browser\User Data TorBro %localappdata%\TorBro\Profile CryptoTab Browser %localappdata%\CryptoTab Browser\User Data Brave %localappdata%\BraveSoftware\Brave-Browser\User Data Opera %appdata%\Opera Software\Opera Stable\ Opera GX %appdata%\Opera Software\Opera GX Stable\ Opera Neon %appdata%\Opera Software\Opera Neon\User Data Firefox %appdata%\Mozilla\Firefox\Profiles\ SlimBrowser %appdata%\FlashPeak\SlimBrowser\Profiles Pale Moon %appdata%\Moonchild Productions\Pale Moon\Profiles\ Waterfox %appdata%\Waterfox\Profiles\ Cyberfox %appdata%\8pecxstudios\Cyberfox\Profiles\ BlackHawk %appdata%\NETGATE Technologies\BlackHawk\Profiles\ IceCat %appdata%\Mozilla\icecat\Profiles\ ----- **Browser name** **Browser folder** K-Meleon %appdata%\K-Meleon\ Thunderbird %appdata%\Thunderbird\Profiles\ 2FA/crypto extensions This malware also targets 2FA and crypto extensions, but only in Chromium-based browsers (opera is an exception). **Type** **Extension name** **Extension id** Crypto TronLink ibnejdfjmmkpcnlpebklmnkoeoihofec Crypto MetaMask nkbihfbeogaeaoehlefnkodbefgpgknn Crypto Binance Chain Wallet fhbohimaelbohpjbbldcngcnapndodjp Crypto Yoroi ffnbelfdoeiohenkjibnmadjiehjhajb ----- **Type** **Extension name** **Extension id** Crypto Nifty Wallet jbdaocneiiinmjbjlgalhcelgbejmnid Crypto Math Wallet afbcbjpbpfadlkmhmclhkeeodmamcflc Crypto Coinbase Wallet hnfanknocfeofbddgcijnmhnfnkdnaad Crypto Guarda hpglfhgfnhbgpjdenjgmdgoeiappafln Crypto EQUAL Wallet blnieiiffboillknjnepogjhkgnoapac Crypto Jaxx Liberty cjelfplplebdjjenllpjcblmjkfcffne Crypto BitApp Wallet fihkakfobkmkjojpchpfgcmhfjnmnfpi Crypto iWallet kncchdigobghenbbaddojjnnaogfppfj Crypto Wombat amkmjjmmflddogmhpjloimipbofnfjih Crypto MEW CX nlbmnnijcnlegkjjpcfjclmcfggfefdm Crypto GuildWallet nanjmdknhkinifnkgdcggcfnhdaammmj Crypto Saturn Wallet nkddgncdjgjfcddamfgcmfnlhccnimig Crypto Ronin Wallet fnjhmkhhmkbjkkabndcnnogagogbneec Crypto NeoLine cphhlgmgameodnhkjdmkpanlelnlohao Crypto Clover Wallet nhnkbkgjikgcigadomkphalanndcapjk Crypto Liquality Wallet kpfopkelmapcoipemfendmdcghnegimn Crypto Terra Station aiifbnbfobpmeekipheeijimdpnlpgpp Crypto Keplr dmkamcknogkgcdfhhbddcghachkejeap Crypto Sollet fhmfendgdocmcbmfikdcogofphimnkno Crypto Auro Wallet cnmamaachppnkjgnildpdmkaakejnhae Crypto Polymesh Wallet jojhfeoedkpkglbfimdfabpdfjaoolaf Crypto ICONex flpiciilemghbmfalicajoolhkkenfel Crypto Nabox Wallet nknhiehlklippafakaeklbeglecifhad Crypto KHC hcflpincpppdclinealmandijcmnkbgn Crypto Temple ookjlbkiijinhpmnjffcofjonbfbgaoc Crypto TezBox mnfifefkajgofkcjkemidiaecocnkjeh Crypto Cyano Wallet dkdedlpgdmmkkfjabffeganieamfklkm Crypto Byone nlgbhdfgdhgbiamfdfmbikcdghidoadd Crypto OneKey infeboajgfhgbjpjbeppbkgnabfdkdaf Crypto LeafWallet cihmoadaighcejopammfbmddcmdekcje Crypto DAppPlay lodccjjbdhfakaekdiahmedfbieldgik ----- **Type** **Extension name** **Extension id** Crypto BitClip ijmpgkjfkbfhoebgogflfebnmejmfbml Crypto Steem Keychain lkcjlnjfpbikmcmbachjpdbijejflpcm Crypto Nash Extension onofpnbbkehpmmoabgpcpmigafmmnjhl Crypto Hycon Lite Client bcopgchhojmggmffilplmbdicgaihlkp Crypto ZilPay klnaejjgbibmhlephnhpmaofohgkpgkd Crypto Coin98 Wallet aeachknmefphepccionboohckonoeemg 2FA Authenticator bhghoamapcdpbohphigoooaddinpkbai 2FA Authy gaedmjdfmmahhbjefcbgaolhhanlaolb 2FA EOS Authenticator oeljdldpnmdbchonielidgobddffflal 2FA GAuth Authenticator ilgcnhelpchnceeipipijaljkblbcobl 2FA Trezor Password Manager imloifkgjagghnncjkhggdhalmcnfklk **Wallets** The malware targets multiple wallets, which stores sensitive data in files as `wallet.dat that contains the` address, the private key to access this address, and other data. **Wallet** **name** **Wallet folder** **Regex** Ethereum %appdata%\Ethereum\ keystore Electrum %appdata%\Electrum\wallets\ _._ Electrum LTC %appdata%\Electrum-LTC\wallets\ _._ Exodus %appdata%\Exodus\ exodus.conf.json, window-state.json, \Exodus\exodus.wallet\, passphrase.json, seed.seco, info.seco ----- **Wallet** **name** **Wallet folder** **Regex** Electron Cash %appdata%\ElectronCash\wallets\ default_wallet MultiDoge %appdata%\MultiDoge\ multidoge.wallet Jaxx %appdata%\jaxx\Local Storage\ file__0.localstorage Atomic %appdata%\atomic\Local Storage\leveldb\ 000003.log, CURRENT, LOCK, LOG, MANIFEST.000001, 0000* Binance %appdata%\Binance\ app-store.json Coinomi %localappdata%\Coinomi\Coinomi\wallets\ *.wallet, *.config **Grabber** Mars has a custom grabber with multiple functions. First, the malware makes a request to C&C and gets config as a response. Grabber config looks like this `name|max_size|path|formats|recursively| . Then uses` ``` setup_grabber() which use strtok() with lstrcatA() to parse grabber config and calls grabber() ``` which performs grabbing. ----- ## Loader Malware gets loader config as the response while uploading log. This config looks like this ``` link|load_to|startup_param| (download link, path to a loaded file, start-up parameters). ``` To download file stealer calls `download_file() function. Then uses` `strtok() with` `lstrcatA() to parse` config parameters and calls `ShellExecuteExA() to execute executable.` ----- ## Self-removal Malware gets the way to itself by using `GetModuleFileName() and calls` `ShellExecuteExA() which executes` ``` cmd.exe with /c timeout /t 5 & del /f /q \"%s\" & exit parameters. After 5 seconds cmd.exe ``` deletes current executable. ----- ## Conclusion Mars Stealer it’s an improved version of Oski Stealer. Have been added anti-debug check, crypto extensions stealing, but outlook stealing is missing. The code has been refactoring, but some algorithms remained stupid as in [Oski Stealer. Here you can read detailed Oski Stealer analysis from CyberArk.](https://www.cyberark.com/resources/threat-research-blog/meet-oski-stealer-an-in-depth-analysis-of-the-popular-credential-stealer) ## IOCs [Related tweets: 1 2](https://twitter.com/3xp0rtblog/status/1424638227160473602) [6143734a8c9cae36bfde4f4b67f3c604 VirusTotal Bazaar](https://www.virustotal.com/gui/file/7da3029263bfbb0699119a715ce22a3941cf8100428fd43c9e1e46bf436ca687) [cookreceipts[.]fun VirusTotal Urlhaus](https://www.virustotal.com/gui/domain/cookreceipts.fun) -----