# Fake Chrome Setup Leads to NetSupportManager RAT and Mars Stealer **[esentire.com/blog/fake-chrome-setup-leads-to-netsupportmanager-rat-and-mars-stealer](https://www.esentire.com/blog/fake-chrome-setup-leads-to-netsupportmanager-rat-and-mars-stealer)** [Adversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with](https://www.esentire.com/what-we-do/security-operations-center) Elite Threat Hunters and Cyber Analysts who hunt, investigate, contain and respond to threats within minutes. We have discovered some of the most dangerous threats and nation state attacks in our space – including the Kaseya MSP breach and the more_eggs malware. Our Security Operations Centers are supported with Threat Intelligence, Tactical Threat Response and Advanced Threat Analytics driven by our Threat Response Unit – the TRU team. In TRU Positives, eSentire’s Threat Response Unit (TRU) provides a summary of a recent threat investigation. We outline how we responded to the confirmed threat and what recommendations we have going forward. **Here’s the latest from our TRU Team…** ## What did we find? ----- An information stealing malware called Mars Stealer in a customer s environment within the consumer services industry. ## Summary of the Incident [The victim downloaded and executed a fake Chrome installer (chromesetup.iso) from](https://www.virustotal.com/gui/file/b683168a7df182ec4cfc046d17fc02c59dff1edacbf21c047b47e1f503165309) >hxxps[:]//googleglstatupdt[.]com/LEND/ChromeSetup.iso. ----- The ISO contains [chromesetup.exe.](https://www.virustotal.com/gui/file/625265b4ee161c1e04c6d06904463666a2cc579d0c0cefec060db6d5ed4c4118) When manually executed by the victim, the fake setup process initializes the NetSupportManager RAT (remote access tool) and the legitimate Chrome setup as a decoy (Figure 1). NetSupportManager is commonly used to remotely control systems for malicious purposes. A shortcut is also added to the user’s startup directory for persistence. _Figure 1 Endpoint view of NetSupportManager execution and decoy payload._ Using the NetSupportManager RAT session, the threat actor copied obfuscated scripts with a .wmd extension that are responsible for creating a renamed AutoIT binary and an loading an obfuscated version of Mars Stealer from %TEMP%/IXP<3-digit number> .TMP. One of the obfuscated scripts contains an embedded payload encrypted with RC4 using the hardcoded key ‘344868553478223918282826525’ (Figure 2). _Figure 2 Snippets from AutoIT script showing embedded payload and decryption_ _routine._ ----- Once loaded, Mars Stealer performs several HTTP requests to retrieve configuration and DLL (Dynamic Link Library) files required for Mars Stealer to operate successfully and upload stolen data (Figure 3). _Figure 3 Mars Stealer network communications._ Lastly, Base64 decoded part of the configuration retrieved from /7AgkTb5xcS.php: 1|1|1|1|0|5qDlPuVKoR|Telegram|0|%APPDATA%\Telegram Desktop\tdata\|*D877F783D5D3EF8C*,*map*,*configs*|1|0|0|rdp|3|%DESKTOP%\ |*.rdp|0|1|0|cer|3|%DESKTOP%\|*.cer|0|1|0 ## Background on Mars Stealer In June 2021, Mars Stealer was advertised on XSS, the Russian-language criminal forum, by MarsTeam for $140/month or $800 for a lifetime subscription. Mars Stealer’s capabilities include: Cryptocurrency theft (“Our software was developed taking into account the _wishes of people working in crypto, so at Mars you can find everything you need_ _to work with crypto and more.” – MarsTeam post on XSS forum)._ The stealer supports dozens of popular browser plugins for popular cryptocurrency platforms, such as Coinbase. Additionally, in December 2021, MarsTeam announced the release of “Mars ClipboardChanger”, which substitutes crypto wallet addresses in the victim’s clipboard cache to hijack payments. Data theft from major web browsers, including two-factor authentication (2FA) Chrome-based browser extensions (“Collects passwords, cookies, cc, _autocomplete, browsing history, file download history.” - MarsTeam post on XSS_ _forum)._ Profiling or fingerprinting the infected system. Exfiltrating files from the infected system. ----- _Figure 4 Mars Stealer admin panel_ ## How did we find it? [MDR for Endpoint identified the tactics, techniques, and procedures (TTPs) associated](https://www.esentire.com/how-we-do-it/signals/endpoint) with NetSupportManager RAT and AutoIT malware deployment. ## What did we do? Our team of [24/7 SOC Cyber Analysts alerted the customer of the activity.](https://www.esentire.com/what-we-do/security-operations-center) ## What can you learn from this TRU positive? Drive-by attacks involving malware masquerading as legitimate software are becoming increasingly common since they require no exploits and rely on a victim running code on the attacker’s behalf. Mars Stealer has seen continued development since its release, and targets a wide array of credentials, particularly those used for cryptocurrency exchanges. Identifying information stealing malware as early as possible is critical to minimize losses from fraud and hijacked accounts. ## Recommendations from our Threat Response Unit (TRU) Team: While rapid identification and containment of successful exploits is necessary to limit impact, unsuccessful attempts still present an opportunity to shore up defenses. The best approach to preventing drive-by attacks is by using a layered defense, such as: ----- Ensure antivirus signatures are up-to-date. Use a Next-Gen AV (NGAV) or Endpoint Detection and Response (EDR) product to detect and contain threats. Audit your environment and endpoints regularly to ensure endpoints are patched with the latest vendor security updates. Increase awareness of social engineering threat tactics with your users through [phishing and security awareness training.](https://www.esentire.com/what-we-do/managed-vulnerability-and-risk/technical-testing/security-awareness-training-managed-phishing-training) Ensure users are aware of risks associated with downloading applications from the web. Always ensure software is downloaded from a legitimate source. ## Ask Yourself Do you have the capability to rapidly identify and contain malicious code executed unwittingly by users in your environment? Are you monitoring your endpoints 24/7 and what degree of control do you have to initiate a kill switch when required? What level of managed endpoint support do you have in place? ## Indicators of Compromise |Indicators of Compromise|Col2| |---|---| |Value|Note| |googleglstatupdt[.]com|Hosting fake Chrome setup ISO| |zrianevakn1[.]com|NetSupportManager RAT C2| |115d1ae8b95551108b3a902e48b3f163|‘ChromeSetup.iso’| |b15e0db8f65d7df27c07afe2981ff5a755666dce|ChromeSetup.exe| |37c24b4b6ada4250bc7c60951c5977c0|NetSupportManager RAT| |5[.]45.84.214|Mars Stealer C2| |71672a495b4603ecfec40a65254cb3ba8766bbe0|Esitanza.exe.pif (renamed AutoIt)| |e3c91b6246b2b9b82cebf3700c0a7093bacaa09b|ANpRAHx.exe (disguised as 3uAirPlayer, drops Mars Stealer and obfuscated AutoIt scripts)| |5c4e3e5fda232c31b3d2a2842c5ea23523b1de1a|Installer_ovl.exe| |2a2b00d0555647a6d5128b7ec87daf03a0ad568f|consoleappmrss.exe| |3c80b89e7d4fb08aa455ddf902a3ea236d3b582a|Fervore.wmd (obfuscated AutoIt script)| ----- 26136c59afe28fc6bf1b3aeba8946ac2c3ce61df Vai.wmd (obfuscated AutoIt script) e6f18804c94f2bca5a0f6154b1c56186d4642e6b Una.wmd (obfuscated AutoIt script) eSentire’s Threat Response Unit (TRU) is a world-class team of threat researchers who develop new detections enriched by original threat intelligence and leverage new machine learning models that correlate multi-signal data and automate rapid response to advanced threats. If you are not currently engaged with an MDR provider, eSentire MDR can help you reclaim the advantage and put your business ahead of disruption. Learn what it means to have an elite team of Threat Hunters and Researchers that works for you. [Connect with an eSentire Security Specialist.](https://www.esentire.com/get-started) |e6f18804c94f2bca5a0f6154b1c56186d4642e6b|Una.wmd (obfuscated AutoIt script)| |---|---| -----