In early 2020, during the emergence of the COVID-19 pandemic, researchers discovered a novel malware named Oski Stealer, capable of stealing browser data such as cookies, history, payment information, and autofill information, as well as cryptocurrency wallets, login credentials of applications, and Authy 2FA information. It can also take screenshots of your desktop and perform file transfers to, and from, a C2 server.

Oski performed these actions by (allegedly) gaining access to routers with weak admin passwords and modifying DNS settings to hijack Windows Network Connectivity Status Indicator (NCSI) active probes. Windows utilizes these probes to test a computer's Internet connection by periodically connecting to a text file and returning the string inside it, which will always be "Microsoft Connect Test". If the probe receives the right string as a reply, Windows assumes your Internet connection works. However, a hijacked router can connect to a malicious domain and download a different file instead: the Oski malware.

The malware authors sold Oski on Telegram and in forums for a few months until, suddenly, in July of that year, they vanished. Last week, though, Oski returned as a new variant called "Mars Stealer". Mars Stealer performs similar actions to its predecessor and has additional anti-reversing and information-stealing capabilities. These include obfuscation techniques, anti-analysis techniques, security checks, external DLL dependency downloads, a custom grabber and loader to enable file transfers and file execution, self-removal, and, of course, information-stealing capabilities. Mars Stealer is also being sold as a MaaS on forums and, therefore, can be tweaked to perform different and additional techniques.

For obfuscation, strings within the program are encrypted using Base64 and RC4 encryption. Encrypted DLLs are decrypted and loaded at run-time, as opposed to at compile-time, making it more difficult to analyze the malware's capabilities prior to execution.

For anti-analysis, the malware relies on two timing functions that are commonly used to prevent analysts from debugging a program, by checking whether a set amount of time has elapsed. If the amount of time specified is greater than the run time of the execution, then the program exits.

The security checks test whether the malware is running in an isolated environment or virtual machine, and whether the machine's default language is one of those used in the Commonwealth of Independent States (CIS). The malware also only executes if the compilation time was within the last month.

DLLs are downloaded from the C2, if necessary (known C2: cookreceiptsfun). Mars Stealer contains a custom loader and a custom grabber to enable file transfers and file execution. Self-removal deletes artifacts of the malware to evade IR countermeasures.

Mars Stealer targets user data and credentials from the following web browsers:

Amigo, BlackHawk, Brave, Cent Browser, Chrome, Chromium, CocCoc, Comodo, CryptoTab Browser, Cyberfox, Elements Browser, Epic Privacy Browser, Firefox, IceCat, K-Meleon, Kometa, Maxthon5, Microsoft Edge, Nichrome, Opera, Opera GX, Opera Neon, Orbitum, Pale Moon, QIP Surf, SlimBrowser, Sputnik, Thunderbird, TorBro, Torch, Uran, Vivaldi, Waterfox.

Mars Stealer targets data from the following web browser extensions:

Auro Wallet, Binance Chain Wallet, BitApp Wallet, BitClip, Byone, Clover Wallet, Coin98 Wallet, Coinbase Wallet, Cyano Wallet, DAppPlay, EQUAL Wallet, Guarda, GuildWallet, Hycon Lite Client, ICONex, Jaxx Liberty, KHC, Keplr, LeafWallet, Liquality Wallet, MEW CX, Math Wallet, MetaMask, Nabox Wallet, Nash Extension, NeoLine, Nifty Wallet, OneKey, Polymesh Wallet, Ronin Wallet, Saturn Wallet, Sollet, Steem Keychain, Temple, Terra Station, TezBox, TronLink, Wombat, Yoroi, ZilPay, iWallet.

Authenticator, Authy, EOS Authenticator, GAuth Authenticator, Trezor Password Manager.
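The Base64-plus-RC4 string obfuscation described above is what an analyst has to undo before the sample's strings become readable. The following is an added example, not code from the write-up or from the malware: it assumes strings are stored as Base64(RC4(key, plaintext)), uses a made-up key, and constructs its own sample strings and noise so it runs offline.

```python
"""Recover strings obfuscated as Base64(RC4(key, plaintext)).
Key, layering order and sample strings are assumptions/constructed for the demo."""
import base64
import string
from typing import List, Optional

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def decode_string(blob: str, key: bytes) -> Optional[bytes]:
    """Base64-decode, then RC4-decrypt one blob; None if it is not valid Base64."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    return rc4(key, raw)

PRINTABLE = set(string.printable.encode())

def recover_strings(candidates: List[str], key: bytes, min_len: int = 4) -> List[str]:
    """Run every Base64-looking candidate (e.g. from `strings` output) through the
    decryptor and keep only printable results, separating real obfuscated strings
    from Base64-shaped noise."""
    found = []
    for blob in candidates:
        plain = decode_string(blob, key)
        if plain and len(plain) >= min_len and all(b in PRINTABLE for b in plain):
            found.append(plain.decode())
    return found

def encode_string(plain: str, key: bytes) -> str:
    """Inverse of decode_string, used here only to build the constructed sample."""
    return base64.b64encode(rc4(key, plain.encode())).decode()

# Constructed demo input: a fake key, three strings of the kind a stealer hides
# (an API name, a browser credential path, a database name) and two noise entries.
DEMO_KEY = b"demo-key-not-from-a-sample"
DEMO_CANDIDATES = [
    encode_string("GetTickCount", DEMO_KEY),
    encode_string("\\User Data\\Default\\Login Data", DEMO_KEY),
    encode_string("cookies.sqlite", DEMO_KEY),
    "QUJDREVGR0hJSktMTU5PUA==",  # valid Base64, wrong key -> decrypts to junk
    "not base64!!",              # rejected before decryption
]

if __name__ == "__main__":
    for recovered in recover_strings(DEMO_CANDIDATES, DEMO_KEY):
        print(recovered)
```

Swapping `DEMO_KEY` for a key recovered from a real sample, and `DEMO_CANDIDATES` for its extracted strings, turns this into a triage-time string decryptor.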