Mars Stealer is a modern infostealer derived from Oski, sold on underground forums with ongoing development, that targets browser credentials and cryptocurrency wallets. The Morphisec report details its delivery methods, compromised infrastructure, and exposed stolen-data directories, and lists IOCs and MITRE technique mappings to aid defenders. #MarsStealer #OskiStealer #JupyterInfostealer #GoogleAds #Keitaro #GitLab
Key points
- Mars Stealer is based on the older Oski Stealer and has re-emerged for sale on underground forums with ongoing development.
- It specifically pilfers credentials from browsers and wallets (e.g., MetaMask, Coinbase Wallet, Binance) and is marketed as an entry point for broader criminal campaigns.
- Delivery relies on social engineering, malspam, cracked software guides, and cloned software websites (e.g., OpenOffice clone).
- The campaign uses Google Ads to drive victims to malicious sites, including geographically targeted campaigns (e.g., aimed at Canadians).
- Researchers uncovered exposed stolen-data directories, including a directory labeled with CA_ prefixes, indicating Canadian victims.
- Two Mars Stealer C2s were identified (one via tommytshop[.]com and another at http://5.45.84[.]214); the operator maintained a GitLab account (Tony Mont) for builds.
MITRE Techniques
- [T1566.001] Phishing – Spearphishing Attachment – Spam email delivers the payload as a compressed executable, download link, or document. “Spam email is the most common distribution method for Mars Stealer, as a compressed executable, download link, or document payload.”
- [T1566.002] Phishing – Spearphishing Link – Google Ads campaigns direct victims to malicious sites; “they used the Google Ads advertising platform to trick victims … by using geographically targeted Google Ads.”
- [T1189] Watering Hole – Initial access via cloned websites masquerading as legitimate software sites (OpenOffice clone) to lure downloads. “Below is a fully cloned website masquerading as the official openoffice.org website to lure victims to download the Mars Stealer.”
- [T1027] Obfuscated/Compressed Files and Information – The downloaded payload is packed with the Babadeda crypter or AutoIt loader. “The downloaded payload is an executable file, with a corresponding icon and name, packed with the Babadeda crypter or Autoit loader.”
- [T1555.003] Credential Access – Credentials in Web Browsers – Mars Stealer pilfers user credentials stored in browsers and cryptocurrency wallets. “The Mars Stealer pilfers user credentials stored in various browsers, as well as many different cryptocurrency wallets.”
- [T1071.001] Web Protocols – C2 over HTTP – The actor uses HTTP-based C2, e.g., “C2—tommytshop[.]com—where the Mars admin panel is stored,” and “http://5.45.84[.]214” for command and control.
- [T1041] Exfiltration – Exfiltration Over C2 – The actor’s stolen information (screenshots, passwords, history, system information) is accessed and exfiltrated via C2. “look at the actor’s stolen information—screenshots, passwords, history, system information, etc.”
Indicators of Compromise
- [IP/URL] Keitaro panel and ad infrastructure – 91.92.128[.]35, 149.255.35[.]179, 66.29.142[.]232 (examples of C2/ad infrastructure endpoints)
- [Domain] C2 and related services – tommytshop[.]com, tonyshop312[.]com, telemeetrydata[.]cn, gitlab.com/corpsoft
- [SHA256] Sample malware hashes – c48e5a61fd89ac5e950a37e1d81d2f733c16983d369dbedbb3a0c3e8c97f7b14, 38807bc99d0f9a78480d3b12cfc96cdbfdb83bc277758595e77808b9b22ac087, and 12 more hashes
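As an added defender-side example (not code from the Morphisec report), the following Python refangs the indicators listed above and matches them against constructed proxy, EDR and firewall log lines; the log format and field names are assumed.

```python
import re

# Indicators as published (defanged) in the summary above; the two listed sample hashes.
DEFANGED_IOCS = {
    "domain": ["tommytshop[.]com", "telemeetrydata[.]cn"],
    "ip": ["91.92.128[.]35", "66.29.142[.]232", "5.45.84[.]214"],
    "sha256": [
        "c48e5a61fd89ac5e950a37e1d81d2f733c16983d369dbedbb3a0c3e8c97f7b14",
        "38807bc99d0f9a78480d3b12cfc96cdbfdb83bc277758595e77808b9b22ac087",
    ],
}

# Token patterns for the three indicator types as they appear in typical proxy / EDR logs.
PATTERNS = {
    "domain": re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I),
    "ip": re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b"),
    "sha256": re.compile(r"\b([a-f0-9]{64})\b", re.I),
}

def refang(value: str) -> str:
    """Restore a defanged indicator ("[.]", "hxxp") to the form that appears in logs."""
    return value.replace("[.]", ".").replace("hxxp", "http").lower()

def build_watchlist(iocs: dict) -> dict:
    """Map indicator type -> set of refanged values for constant-time lookup."""
    return {kind: {refang(v) for v in values} for kind, values in iocs.items()}

def scan_line(line: str, watchlist: dict) -> list:
    """Return (type, value) hits for every watchlisted indicator present in one log line."""
    hits = []
    for kind, pattern in PATTERNS.items():
        for token in pattern.findall(line):
            if token.lower() in watchlist[kind]:
                hits.append((kind, token.lower()))
    return hits

def scan_log(lines, watchlist: dict) -> list:
    """Return (line_number, type, value) for every hit across a log."""
    return [(n, kind, value)
            for n, line in enumerate(lines, 1)
            for kind, value in scan_line(line, watchlist)]

# Constructed sample log lines (assumed format, not from the report) mixing benign and matching traffic.
SAMPLE_LOG = [
    "2022-03-14T10:01:02Z proxy user=alice dst=www.openoffice.org:443 action=allow",
    "2022-03-14T10:02:45Z proxy user=bob dst=tommytshop.com:80 uri=/gate.php action=allow",
    "2022-03-14T10:03:10Z edr host=WS-07 sha256=c48e5a61fd89ac5e950a37e1d81d2f733c16983d369dbedbb3a0c3e8c97f7b14 proc=oo_setup.exe",
    "2022-03-14T10:04:00Z fw src=10.0.0.21 dst=5.45.84.214:80 action=allow",
]

if __name__ == "__main__":
    for n, kind, value in scan_log(SAMPLE_LOG, build_watchlist(DEFANGED_IOCS)):
        print(f"line {n}: {kind} match {value}")
```

Extend DEFANGED_IOCS with the remaining hashes from the report before running it against real telemetry.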
Read more: https://blog.morphisec.com/threat-research-mars-stealer