Mars Stealer malware analysis

Mars Stealer is the latest variant of Oski Stealer. This info stealer can gather data from the most popular web browsers, including 2FA plugins and multiple cryptocurrency extensions and wallets. 

Mars Stealer is a stealthy and powerful malware with only 95 KB but capable of stealing a large volume of data. According to 3xp0rt analysis, this is a redesigned variant of the Oski trojan that stopped its operation in July 2020. Its authors closed the Telegram channel and stopped all activity, including communication with their clients. Later, in July 2021, Mars Stealer began to be promoted on a Russian-speaking underground forum. [CLICK IMAGES TO ENLARGE]

Figure 1: Mars Sstealer announced on an underground forum in 2021 (source).

How Mars Stealer malware works

Mars Stealer takes advantage of several techniques to be stealthy. The malware strings are obfuscated and decrypted in run time using the RC4 algorithm and Base64 combinations. 

Figure 2: Mars Stealer obfuscated strings.

By implementing a simple strings decryptor, obtaining all the plain-text strings is possible, as observed in Figure 3. In detail, the RC4 key “86223203794583053453” is extracted from an initialization function responsible for starting the decryption process. The “key” is also highlighted below.

Read More: