December 2, 2023

Oski malware is back in the form of Mars Stealer, which is a new and powerful version of Oski.

Mars Stealer steals information from all renowned web browsers, various cryptocurrency wallets and extensions, and 2FA plugins. It is written in ASM/C using the WinAPI and leverages special techniques to conceal WinAPI calls, gather information in memory, support a secure SSL connection with the C2, and encrypt strings.


Mars Stealer pilfers files from infected systems and has its own loader to reduce the infection footprint. The operators have, however, excluded Outlook from their target app list, but experts believe that it may be included in future versions.

The malware size is a meager 95KB, and it evades detection by using Base64 and RC4 for string encryption. All connections to the C2 are encrypted. Furthermore, Mars Stealer includes Sleep function intervals to conduct timing checks. This ensures a mismatch occurs if a debugger is used. The malware can also remove itself after stealing all user data or if and when the operator decides to delete it.
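For analysts triaging a sample, the Base64 and RC4 string encryption described above can be reversed once the key has been recovered from the binary. The following is an added example, not code from the original post or from the malware; it assumes each string is stored as Base64-encoded RC4 ciphertext, and `SAMPLE_KEY` and `SAMPLE_BLOBS` are constructed placeholders.

```python
import base64
import binascii

def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA); the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def decode_candidates(candidates, key: bytes):
    """Return {blob: plaintext} for blobs that Base64-decode and RC4-decrypt
    to printable ASCII; everything else is treated as noise and skipped."""
    recovered = {}
    for blob in candidates:
        try:
            raw = base64.b64decode(blob, validate=True)
        except (binascii.Error, ValueError):
            continue  # not valid Base64
        if not raw:
            continue
        plain = rc4(key, raw)
        if all(0x20 <= b < 0x7F for b in plain):
            recovered[blob] = plain.decode("ascii")
    return recovered

# Constructed sample data: placeholder key and strings, not taken from a real sample.
SAMPLE_KEY = b"PLACEHOLDER-KEY"
SAMPLE_BLOBS = [
    base64.b64encode(rc4(SAMPLE_KEY, b"kernel32.dll")).decode(),
    base64.b64encode(rc4(SAMPLE_KEY, b"LoadLibraryA")).decode(),
    "not base64 at all!",                      # rejected by the Base64 check
    base64.b64encode(b"A" * 32).decode(),      # valid Base64, not ciphertext under this key
]

if __name__ == "__main__":
    for blob, text in decode_candidates(SAMPLE_BLOBS, SAMPLE_KEY).items():
        print(f"{blob} -> {text}")
```

The printable-ASCII filter is what keeps the output usable when the candidate list comes from a generic strings dump, where most Base64-looking tokens are unrelated to the sample's encrypted strings.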

Mars Stealer checks if a user is located in countries that are part of the Commonwealth of Independent States, a common feature among Russian-based malware. If the victim’s system language ID matches Russia, Kazakhstan, Belarus, Uzbekistan, or Azerbaijan, it will wipe itself without causing any harm. If the malware’s compilation date is more than a month older than the system time, it exits.

Mars Stealer is being sold for $140 to $160 on hacking forums and hence, it is suspected that a lot of threat actors will get their hands on it to perform malicious activities. It is capable of causing massive headaches to its victims in the form of identity theft, cryptocurrency losses, privacy issues, and system infections. 


Targeted Applications

Internet Explorer, Google Chrome, Chromium, Kometa, Amigo, Torch, Orbitum, Comodo Dragon, Nichrome, Maxthon, Sputnik, Epic Privacy Browser, Vivaldi, CocCoc Browser, Uran Browser, QIP Surf, Cent, Elements Browser, TorBro, Microsoft Edge, CryptoTab, Brave, Opera, Mozilla Firefox, Pale Moon, Waterfox, Cyberfox, BlackHawk, IceCat, KMeleon

Email Clients

Crypto Wallets

Anoncoin, BBQCoin, Bitcoin, DashCore, ElectronCash, Electrum, Electrum-LTC, Ethereum, Exodus, Florincoin, Franko, Freicoin, GoldCoinGLD, IOCoin, Infinitecoin, Ixcoin, Litecoin, Megacoin, Mincoin, MultiDoge, Namecoin, Primecoin, Terracoin, YACoin, Zcash, devcoin, digitalcoin, jaxx
