{"id":2928,"date":"2022-04-01T23:42:19","date_gmt":"2022-04-02T05:42:19","guid":{"rendered":"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/?p=2928"},"modified":"2022-04-01T23:58:37","modified_gmt":"2022-04-02T05:58:37","slug":"mars-stealer-malware-using-google-ads-to-spread","status":"publish","type":"post","link":"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/2022\/04\/01\/mars-stealer-malware-using-google-ads-to-spread\/","title":{"rendered":"Mars Stealer Malware using Google Ads to Spread"},"content":{"rendered":"\n<figure class=\"wp-block-image\"><img decoding=\"async\" data-src=\"https:\/\/blog.morphisec.com\/hs-fs\/hubfs\/Recon%20diagram.png?width=1346&amp;name=Recon%20diagram.png\" alt=\"\" src=\"data:image\/svg+xml;base64,PHN2ZyB3aWR0aD0iMSIgaGVpZ2h0PSIxIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjwvc3ZnPg==\" class=\"lazyload\" \/><figcaption>Fig 1: Diagram of the Attack Infrastructure <br>Source: Morphisec<\/figcaption><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Mars Stealer is a piece of off-the-shelf malware going for around 160$ for a lifetime subscription on various underground forums and dark web sites. It can steal information from your browser like cookies, autofill data, and credit card info. It can steal information about your computer or even attack your cryptocurrency wallets. Furthermore, depending on the customer&#8217;s intentions, it can be configured to download something else onto the infected machine, such as more malware.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">One particular attacker has set up clones of sites where you can download well-known software, and then used Google Ad Services to advertise these clones. When an unsuspecting user clicks on the ad, they are directed to this cloned site where their computer is infected with malware. 
The attacker is paying for these ads using stolen information, and is using geographically targeted ads to target Canadians<sup><a href=\"https:\/\/blog.morphisec.com\/threat-research-mars-stealer\">[2]<\/a><\/sup>.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" data-src=\"https:\/\/blog.morphisec.com\/hs-fs\/hubfs\/Cloned%20OpenOffice%20website%20leads%20to%20the%20Mars%20stealer.png?width=1600&amp;name=Cloned%20OpenOffice%20website%20leads%20to%20the%20Mars%20stealer.png\" alt=\"\" src=\"data:image\/svg+xml;base64,PHN2ZyB3aWR0aD0iMSIgaGVpZ2h0PSIxIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjwvc3ZnPg==\" class=\"lazyload\" \/><figcaption>Fig 2: Cloned Website Comparison<br>Source: Morphisec<\/figcaption><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Shortly after the latest version was released, someone released a cracked version with an instruction document. Fortunately, this guide contained flaws. These flaws led to customers improperly setting up their environments, which made investigating Mars much easier for security researchers. 
Researchers were able to glean a great deal of information about the above-mentioned attacker because, on top of being one of those individuals with an improperly set up environment, they managed to infect their own computer while debugging, so their information was found alongside all the victims&#8217; info<sup><a href=\"https:\/\/blog.morphisec.com\/threat-research-mars-stealer\">[2]<\/a><\/sup>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">About Mars Stealer<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Mars Stealer is an evolution of an older, no-longer-supported information stealer known as Oski Stealer, which had a thriving community of happy customers who left positive feedback on their experiences with this &#8216;product&#8217; and the support provided by the team behind it before it abruptly stopped<sup><a href=\"https:\/\/www.cyberark.com\/resources\/threat-research-blog\/meet-oski-stealer-an-in-depth-analysis-of-the-popular-credential-stealer\">[3]<\/a><\/sup>. Mars is apparently still receiving updates.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">This malware has two features I thought were particularly interesting. First, it will not attack a computer within the CIS (Confederacy of Independent States). 
It achieves this by checking the user language ID of the region format setting against a list of IDs corresponding to countries within the CIS, including Russia, Belarus, Kazakhstan, etc.<sup><a href=\"https:\/\/3xp0rt.com\/posts\/mars-stealer\">[4]<\/a><\/sup> Second, it has a one-month expiration date; it checks its own compile time and then compares this to the current time from the system, and if it was compiled more than one month ago, it exits.<sup><a href=\"https:\/\/3xp0rt.com\/posts\/mars-stealer\">[4]<\/a><\/sup><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Obfuscation and Detection Evasion<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Mars Stealer uses some interesting techniques to avoid detection by Windows Defender as well as by more savvy tech enthusiasts who might be checking for malware.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">To confuse humans, Mars obfuscates its code by encrypting the strings used in the program and also by using run-time dynamic linking. This means it is necessary to decrypt the strings using the key stored in the program, and then resolve the libraries and functions it uses, before the code can be read easily<sup><a href=\"https:\/\/www.cyberark.com\/resources\/threat-research-blog\/meet-oski-stealer-an-in-depth-analysis-of-the-popular-credential-stealer\">[3]<\/a><\/sup>. Furthermore, it is able to detect when it is being run in debug mode by initiating a sleep for 15 seconds. After the sleep call, it checks how much time actually passed, and if it is less than 10 seconds, that (likely) means that the sleep was skipped by a debugger, and the program exits without executing any malicious code<sup><a href=\"https:\/\/3xp0rt.com\/posts\/mars-stealer\">[4]<\/a><\/sup>.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Mars also evades Windows Defender Emulation by checking the environment. 
Specifically, it checks whether the device name is &#8216;HAL9TH&#8217; and the user is &#8216;JohnDoe&#8217;<sup><a href=\"https:\/\/3xp0rt.com\/posts\/mars-stealer\">[4]<\/a><\/sup> and, as above, it immediately exits if it finds these indicators. While I appreciate the reference to the HAL 9000, there&#8217;s no way it&#8217;s this easy to beat Windows Defender, right? Right?!? (<a href=\"https:\/\/i.blackhat.com\/us-18\/Thu-August-9\/us-18-Bulazel-Windows-Offender-Reverse-Engineering-Windows-Defenders-Antivirus-Emulator.pdf\" data-type=\"URL\" data-id=\"https:\/\/i.blackhat.com\/us-18\/Thu-August-9\/us-18-Bulazel-Windows-Offender-Reverse-Engineering-Windows-Defenders-Antivirus-Emulator.pdf\">It is<\/a>)<\/p>\n\n\n\n<figure class=\"wp-block-image size-full is-resized\"><img decoding=\"async\" data-src=\"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-content\/uploads\/sites\/115\/2022\/04\/image.png\" alt=\"\" class=\"wp-image-2952 lazyload\" width=\"489\" height=\"199\" data-srcset=\"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-content\/uploads\/sites\/115\/2022\/04\/image.png 331w, https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-content\/uploads\/sites\/115\/2022\/04\/image-300x122.png 300w\" data-sizes=\"(max-width: 489px) 100vw, 489px\" src=\"data:image\/svg+xml;base64,PHN2ZyB3aWR0aD0iMSIgaGVpZ2h0PSIxIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjwvc3ZnPg==\" style=\"--smush-placeholder-width: 489px; --smush-placeholder-aspect-ratio: 489\/199;\" \/><figcaption>Fig 3: Emulation Check Code<br>Source: 3xp0rt<\/figcaption><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">On the plus side, I suppose we&#8217;ve learned that a good way to avoid being hit by malware would be to name your computer &#8216;HAL9TH&#8217; and always use the username &#8216;JohnDoe&#8217;, thereby tricking any malware that checks for this emulator into not attacking you.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">References<\/h2>\n\n\n\n<ol class=\"wp-block-list\"><li><a 
href=\"https:\/\/thehackernews.com\/2022\/03\/researchers-expose-mars-stealer-malware.html\">https:\/\/thehackernews.com\/2022\/03\/researchers-expose-mars-stealer-malware.html<\/a><\/li><li><a href=\"https:\/\/blog.morphisec.com\/threat-research-mars-stealer\">https:\/\/blog.morphisec.com\/threat-research-mars-stealer<\/a><\/li><li><a href=\"https:\/\/www.cyberark.com\/resources\/threat-research-blog\/meet-oski-stealer-an-in-depth-analysis-of-the-popular-credential-stealer\">https:\/\/www.cyberark.com\/resources\/threat-research-blog\/meet-oski-stealer-an-in-depth-analysis-of-the-popular-credential-stealer<\/a><\/li><li><a href=\"https:\/\/3xp0rt.com\/posts\/mars-stealer\">https:\/\/3xp0rt.com\/posts\/mars-stealer<\/a><\/li><li><a href=\"https:\/\/i.blackhat.com\/us-18\/Thu-August-9\/us-18-Bulazel-Windows-Offender-Reverse-Engineering-Windows-Defenders-Antivirus-Emulator.pdf\">https:\/\/i.blackhat.com\/us-18\/Thu-August-9\/us-18-Bulazel-Windows-Offender-Reverse-Engineering-Windows-Defenders-Antivirus-Emulator.pdf<\/a><\/li><\/ol>\n\n\n\n<p class=\"wp-block-paragraph\"><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Mars Stealer is a piece of off-the-shelf malware going for around 160$ for a lifetime subscription on various underground forums and dark web sites. It can steal information from your browser like cookies, autofill data, and credit card info. It can steal information about your computer or even attack your cryptocurrency wallets. 
Furthermore, depending on &hellip; <\/p>\n<p class=\"link-more\"><a href=\"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/2022\/04\/01\/mars-stealer-malware-using-google-ads-to-spread\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;Mars Stealer Malware using Google Ads to Spread&#8221;<\/span><\/a><\/p>\n","protected":false},"author":449,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"ngg_post_thumbnail":0,"footnotes":""},"categories":[15],"tags":[],"class_list":["post-2928","post","type-post","status-publish","format-standard","hentry","category-cpsc-329-602-w22","entry"],"featured_image_src":null,"featured_image_src_square":null,"author_info":{"display_name":"Riley James","author_link":"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/author\/riley-james\/"},"_links":{"self":[{"href":"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-json\/wp\/v2\/posts\/2928","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-json\/wp\/v2\/users\/449"}],"replies":[{"embeddable":true,"href":"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-json\/wp\/v2\/comments?post=2928"}],"version-history":[{"count":4,"href":"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-json\/wp\/v2\/posts\/2928\/revisions"}],"predecessor-version":[{"id":2960,"href":"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-json\/wp\/v2\/posts\/2928\/revisions\/2960"}],"wp:attachment":[{"href":"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-json\/wp\/v2\/media?parent=2928"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-json\/wp\/v2\/categories?post=2928"},{"taxonomy":"post_tag","embeddable":true,"href":"h
ttps:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-json\/wp\/v2\/tags?post=2928"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}