fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Powerful New Oski Variant ‘Mars Stealer’ Grabbing 2FAs and Crypto

Powerful New Oski Variant ‘Mars Stealer’ Grabbing 2FAs and Crypto

A new and powerful malware named ‘Mars Stealer’ has appeared in the wild, and appears to be a redesign of the Oski malware that shut down development abruptly in the summer of 2020.

Mars Stealer is an information-stealing malware that steals data from all popular web browsers, two-factor authentication plugins, and multiple cryptocurrency extensions and wallets.

Additionally, the malware can exfiltrate files from the infected system and relies on its own loader and wiper, which minimizes the infection footprint.

Also Read: The 12 Important Details for Employment Contract Template

From Oski to Mars Stealer

In July 2020, the developers behind the Oski information-stealing trojan suddenly shut down their operation after no longer responding to buyers and the closing of their Telegram channel.

Fast forward almost a year later, and a new information-stealing malware called ‘Mars Stealer’ began to be promoted on Russian-speaking hacking forums.

Mars Stealer promoted on a hacking forum
Mars Stealer promoted on a hacking forum
Source: 3xp0rt

After security researcher @3xp0rt obtained a sample, the researcher discovered that the Mars Stealer is a redesigned version of Oski malware with enhanced functionality.

Stealing everything 

Mars Stealer uses a custom grabber that retrieves its configuration from the C2 and then proceeds to target the following applications:

Internet apps: Google Chrome, Internet Explorer, Microsoft Edge (Chromium Version), Kometa, Amigo, Torch, Orbitium, Comodo Dragon, Nichrome, Maxxthon5, Maxxthon6, Sputnik Browser, Epic Privacy Browser, Vivaldi, CocCoc, Uran Browser, QIP Surf, Cent Browser, Elements Browser, TorBro Browser, CryptoTab Browser, Brave, Opera Stable, Opera GX, Opera Neon, Firefox, SlimBrowser, PaleMoon, Waterfox, CyberFox, BlackHawk, IceCat, K-Meleon, Thunderbird.

2FA apps: Authenticator, Authy, EOS Authenticator, GAuth Authenticator, Trezor Password Manager.

Crypto extensions: TronLink, MetaMask, Binance Chain Wallet, Yoroi, Nifty Wallet, Math Wallet, Coinbase Wallet, Guarda, EQUAL Wallet, Jaox Liberty, BitAppWllet, iWallet, Wombat, MEW CX, Guild Wallet, Saturn Wallet, Ronin Wallet, Neoline, Clover Wallet, Liquality Wallet, Terra Station, Keplr, Sollet, Auro Wallet, Polymesh Wallet, ICONex, Nabox Wallet, KHC, Temple, TezBox Cyano Wallet, Byone, OneKey, Leaf Wallet, DAppPlay, BitClip, Steem Keychain, Nash Extension, Hycon Lite Client, ZilPay, Coin98 Wallet.

Crypto wallets: Bitcoin Core and all derivatives (Dogecoin, Zcash, DashCore, LiteCoin, etc), Ethereum, Electrum, Electrum LTC, Exodus, Electron Cash, MultiDoge, JAXX, Atomic, Binance, Coinomi.

Also Read: Is it Illegal to Email Someone Without Their Permission?

Wallets targeted by Mars Stealer
Wallets targeted by Mars Stealer
Source: 3xp0rt.com

Moreover, Mars Stealer will capture and send the following basic information to the C2:

  • IP and country
  • Working path to EXE file
  • Local time and time zone
  • Language system
  • Language keyboard layout
  • Notebook or desktop
  • Processor model
  • Computer name
  • User name
  • Domain computer name
  • Machine ID
  • GUID
  • Installed software and their versions

The only notable omission from the targeted application list is Outlook, which the malware authors will likely add in future releases.

Custom Mars Stealer grabber
Custom Mars Stealer grabber
Source: 3xp0rt.com

Evading detection

Mars Stealer is a lean malware of just 95 KB in size, which attempts to evade security by using routines that hide API calls and string-encryption techniques using a combination of RC4 and Base64.

The information it collects is wrapped in memory, while all connections with the C2 are done with the SSL (Secure Sockets Layer) protocol, so they’re encrypted.

Moreover, the Mars Stealer code contains Sleep function intervals to perform timing checks that would result in a mismatch if a debugger is used.

Anti-debugging sleep function
Anti-debugging sleep function
Source: 3xp0rt.com

Finally, the malware can remove itself after the user data has been exfiltrated or when the operator decides to wipe it.

Functional checks

Mars Stealer also checks if a user is based in countries historically part of the Commonwealth of Independent States, which is common for many Russian-based malware.

If the device’s language ID matches Russia, Belarus, Kazakhstan, Azerbaijan, Uzbekistan, and Kazakhstan, the program will exit without performing any malicious behavior.

Language checks for target exclusion
Language checks for target exclusion
Source: 3xp0rt.com

Moreover, the malware has to have a compilation date no older than a month than the system time; otherwise, it exits the execution process.

Currently, Mars Stealer is sold for $140 to $160 (extended version) on hacking forums, so it will likely get in the hands of numerous threat actors and be used in attacks in the future.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us