MarsSnake is a backdoor that decrypts a runtime-written configuration, collects local system details (local IPv4, Windows version, username, NetBIOS name), computes a GUID-like unique identifier, and communicates with C2 servers using an HTTP POST handshake. The loader’s configuration contains local addresses (likely attacker-side testing artifacts) and the C2 exchange uses distinct magic values to validate the server before transmitting system information. #MarsSnake #Windows
Keypoints
- MarsSnake stores its configuration encrypted and writes the configuration at runtime, so static payload extraction can miss it.
- The loader configuration contains local IPv4 addresses, likely artifacts from attacker-side local testing; keeping C2 addresses in the loader configuration also lets the operator switch C2 servers by updating only that configuration.
- MarsSnake decrypts its configuration and collects local IPv4 address, Windows version, username, and NetBIOS computer name.
- The backdoor computes a unique GUID-like system identifier from a duplicated-byte transformation and a custom hash formula, then formats it with fixed constants in the last fields.
- Before sending collected information, the backdoor connects to a configured C2 server and performs an HTTP POST handshake using a specific magic value; the server must return an expected magic value to proceed.
- Only after receiving the expected server response does MarsSnake transmit system information and await commands in the response payload.
MITRE Techniques
- [T1016] System Network Configuration Discovery – The backdoor collects the local IPv4 address as part of its configuration: ‘MarsSnake decrypts its configuration and collects the following information: Local IPv4 address’
- [T1082] System Information Discovery – MarsSnake gathers system details including Windows version, username, and NetBIOS computer name: ‘MarsSnake decrypts its configuration and collects the following information: Windows version Username NetBIOS computer name’
- [T1027] Obfuscated Files or Information – The configuration is stored encrypted and decrypted at runtime, hiding configuration from static analysis: ‘MarsSnake decrypts its configuration … If you extract the payload statically, you may miss the configuration because it is written at runtime.’
- [T1071.001] Application Layer Protocol: Web Protocols – MarsSnake uses HTTP POST to communicate with C2 servers and performs a magic-value handshake before sending system data: ‘sends the magic value “dsalsjd89w21dcx9cwad@” in an HTTP POST request. The server response must include the magic value “asdas290e/cz/x213/.14”.’
Indicators of Compromise
- [IP addresses] Loader configuration contains local IPv4 addresses (artifact of attacker testing) – the article lists no specific public IPs; a representative private address such as 192.168.1.100 illustrates the pattern only
- [C2 domains/IPs] Backdoor connects to the C2 servers listed in its configuration to perform the handshake and receive commands – the article provides no specific domains or IPs; the C2 entries are those present in the decrypted configuration
- [HTTP handshake strings] Magic values used in the C2 handshake – ‘dsalsjd89w21dcx9cwad@’ (posted by the client), ‘asdas290e/cz/x213/.14’ (expected in the server response)
- [Configuration artifacts] Runtime-written encrypted configuration and GUID-like identifier format – example pattern: ‘%08llx-%04llx-%04llx-%04llx-%012llx’ with the fixed constants 0x8E7C and 0x49EEB6C29776DE0F in the last fields of the identifier
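Detection logic for the handshake (T1071.001) and the identifier pattern (configuration-artifact IoC) described above, as an added example that is not part of the original write-up. The proxy log format and sample records are constructed, and placing 0x8E7C in the fourth field and 0x49EEB6C29776DE0F in the fifth is an assumption drawn from the order in which the constants are listed.

```python
import re

# Handshake magic values quoted in the MarsSnake write-up.
CLIENT_MAGIC = "dsalsjd89w21dcx9cwad@"
SERVER_MAGIC = "asdas290e/cz/x213/.14"

# '%08llx-%04llx-%04llx-%04llx-%012llx' with the fixed constants in the last fields.
# Assumption: 0x8E7C fills field 4 and 0x49EEB6C29776DE0F field 5; %012llx is a
# minimum width, so the 64-bit constant prints as 16 hex digits.
GUID_RE = re.compile(r"\b[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-8e7c-49eeb6c29776de0f\b")

# Constructed HTTP proxy records (not real traffic):
# "timestamp | source | destination | direction | body"
SAMPLE_LOG = """\
2024-05-01T10:00:01Z | 10.0.0.5 | 203.0.113.10:80 | request | dsalsjd89w21dcx9cwad@
2024-05-01T10:00:01Z | 10.0.0.5 | 203.0.113.10:80 | response | asdas290e/cz/x213/.14
2024-05-01T10:00:02Z | 10.0.0.5 | 203.0.113.10:80 | request | id=1a2b3c4d-0f0e-0d0c-8e7c-49eeb6c29776de0f&os=10.0&user=alice&host=WS01
2024-05-01T10:00:02Z | 10.0.0.5 | 203.0.113.10:80 | response | sleep
2024-05-01T10:05:00Z | 10.0.0.7 | 198.51.100.9:80 | request | dsalsjd89w21dcx9cwad@
2024-05-01T10:05:00Z | 10.0.0.7 | 198.51.100.9:80 | response | 404 not found
2024-05-01T10:06:00Z | 10.0.0.9 | 192.0.2.1:80 | request | hello=world
"""


def parse(line):
    """Split one constructed proxy record into its five fields."""
    ts, src, dst, direction, body = [p.strip() for p in line.split(" | ", 4)]
    return ts, src, dst, direction, body


def detect_handshakes(log_text):
    """Map (src, dst) to 'attempted' (client magic seen in a POST body),
    'completed' (server replied with its magic), or 'exfil' (a later request
    to the same server carried a MarsSnake-style identifier)."""
    state = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, src, dst, direction, body = parse(line)
        key = (src, dst)
        if direction == "request" and CLIENT_MAGIC in body:
            state.setdefault(key, "attempted")
        elif direction == "response" and SERVER_MAGIC in body and key in state:
            state[key] = "completed"
        elif direction == "request" and state.get(key) == "completed" and GUID_RE.search(body):
            state[key] = "exfil"
    return state
```

A completed handshake followed by an identifier-bearing POST is the strongest signal; an attempted handshake with no matching server magic still indicates a MarsSnake sample reaching out to a server that is down or not yet staged.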