New Oski Stealer Variant, “Mars Stealer”, Targets Credentials, Crypto, and 2FA
February 8, 2022 By Ryan Estes
In early 2020, during the emergence of the COVID-19 pandemic, researchers discovered a novel malware named Oski Stealer, capable of stealing browser data such as cookies, history, payment information, and autofill data, as well as cryptocurrency wallets, application login credentials, and Authy 2FA information. It can also take screenshots of the victim’s desktop and transfer files to and from a command-and-control (C2) server.
Oski reached victims by (allegedly) gaining access to routers with weak admin passwords and modifying their DNS settings to hijack Windows Network Connectivity Status Indicator (NCSI) active probes. Windows uses these probes to test a computer’s Internet connection: it periodically requests http://www[.]msftconnecttest[.]com/connecttest.txt and checks that the body of the text file is the fixed string “Microsoft Connect Test”. If the probe receives that exact string, Windows assumes the Internet connection works. When the hijacked router’s DNS instead resolves the probe hostname to an attacker-controlled host, the probe receives a different reply; Windows treats the mismatch as a captive portal and opens the returned page, which gives the attacker’s server the chance to deliver a different file: the Oski malware. The malware authors sold Oski on Telegram and in forums for a few months until, in July of that year, they suddenly vanished.
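The following is an added example, not code from the article or from the Oski/Mars Stealer authors, that reproduces the NCSI check described above from the defender’s side. The probe URL and expected string are the ones Windows uses; the classification rules, the `fetch_probe`/`resolved_addresses` helpers and the sample replies are my own (the sample replies are constructed, not captured traffic). It issues the probe without following redirects, because a 3xx or a changed body is exactly the signal a hijacked router produces, and it exposes the addresses the local resolver hands out so they can be compared against a trusted resolver.

```python
"""Check the Windows NCSI active probe the way Windows does and flag
hijacked or redirected replies.

Added example for this article; not Oski/Mars Stealer code and not a
Microsoft tool. The probe URL and expected string are real; the
classification rules and sample replies below are the author's own.
"""
import http.client
import socket
from urllib.parse import urlsplit

NCSI_URL = "http://www.msftconnecttest.com/connecttest.txt"
EXPECTED_BODY = b"Microsoft Connect Test"


def classify_probe_response(status, headers, body):
    """Classify one HTTP reply to the probe.

    'genuine'  - 200 and exactly the expected string
    'redirect' - 3xx or a Location header: Windows treats this as a
                 captive portal and opens the target in a browser, which
                 is the foothold a DNS-hijacking router gives an attacker
    'tampered' - any other status or body (e.g. an HTML lure page)
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    if 300 <= status < 400 or "location" in lowered:
        return "redirect"
    if status != 200 or body.strip() != EXPECTED_BODY:
        return "tampered"
    return "genuine"


def fetch_probe(url=NCSI_URL, timeout=5):
    """Issue the probe WITHOUT following redirects (urllib would follow
    them silently and hide the hijack). Returns (status, headers, body)."""
    parts = urlsplit(url)
    conn = http.client.HTTPConnection(parts.hostname, parts.port or 80,
                                      timeout=timeout)
    try:
        # "Microsoft NCSI" is the user agent the Windows probe sends.
        conn.request("GET", parts.path or "/",
                     headers={"Host": parts.hostname,
                              "User-Agent": "Microsoft NCSI"})
        resp = conn.getresponse()
        return resp.status, dict(resp.getheaders()), resp.read()
    finally:
        conn.close()


def resolved_addresses(hostname):
    """Addresses the local (router-supplied) resolver returns for the
    probe host. Compare these against a trusted resolver's answer: a
    hijacked server that simply echoes the expected string would
    otherwise pass classify_probe_response()."""
    infos = socket.getaddrinfo(hostname, 80, type=socket.SOCK_STREAM)
    return sorted({ai[4][0] for ai in infos})


# Constructed sample replies (not captured traffic).
SAMPLE_REPLIES = {
    "clean": (200, {"Content-Type": "text/plain"}, b"Microsoft Connect Test"),
    "portal": (302, {"Location": "http://portal.example/login"}, b""),
    "lure": (200, {"Content-Type": "text/html"},
             b"<html>Please install the update to continue</html>"),
}


def classify_samples():
    """Run the classifier over the constructed replies."""
    return {name: classify_probe_response(*reply)
            for name, reply in SAMPLE_REPLIES.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:7s} -> {verdict}")
    try:  # live check; skipped when offline
        print("live probe ->", classify_probe_response(*fetch_probe()))
        print("resolves to", resolved_addresses(urlsplit(NCSI_URL).hostname))
    except (OSError, http.client.HTTPException) as exc:
        print("live probe skipped:", exc)
```

The one case this cannot catch on its own is a hijacked server that returns the correct string, which is why `resolved_addresses` is there: run it once on a known-good network (or query a resolver you trust directly) and alert when the router’s answer set diverges.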
Last week, however, Oski returned as a new variant called “Mars Stealer”. Mars Stealer performs the same core actions as its predecessor and adds further anti-reversing and information-stealing capabilities: obfuscation techniques, anti-analysis techniques, security checks, external DLL dependency downloads, a custom grabber and loader that enable file transfer and file execution, self-removal, and, of course, information stealing. Mars Stealer is also sold as malware-as-a-service (MaaS) on forums, so buyers can tweak it to perform different and additional techniques.