The Oski malware, whose operations stopped in July 2020, has returned under the name Mars Stealer. Researchers who analysed the new samples describe Mars Stealer as a redesigned and more capable successor to Oski.
Mars Stealer steals credentials and data from popular web browsers, 2FA browser extensions, and a range of cryptocurrency wallets and wallet extensions. It is written in ASM/C against the Windows API and uses several techniques to complicate analysis: it hides its Windows API calls, collects stolen data in memory rather than writing it to disk, keeps its strings encrypted, and talks to its command-and-control server over an SSL connection.
Mars Stealer can also exfiltrate arbitrary files from the compromised host and ships with its own loader, which keeps the infection footprint small. MS Outlook is currently absent from the list of targeted applications, though analysts expect later versions to add it.
In short, Oski has been rebuilt as Mars Stealer, with new techniques for collecting data faster and more efficiently.
The Mars Stealer binary is compact at roughly 95 KB, which is consistent with its ASM/C implementation against the raw Windows API. Its strings are encrypted with RC4 and stored Base64-encoded; this hides them from static inspection rather than saving space. All communication with the command-and-control servers is likewise encrypted.
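The RC4-plus-Base64 layering described above, reproduced as an added example that is not code from the article or from the Mars Stealer sample. The key (`EXAMPLE_KEY`), the order of the two layers (RC4 first, then Base64), and the sample strings are all constructed assumptions for illustration; the article does not state the real key or layering. The same routine serves as a string-recovery helper once an analyst has extracted the key from a sample:

```python
import base64

# Example key: constructed for this demonstration. The key the real Mars
# Stealer sample uses, and the exact order in which RC4 and Base64 are layered,
# are not stated in the article and are assumed here.
EXAMPLE_KEY = b"ExampleKey"


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key-scheduling (KSA), then the PRGA keystream XORed over data.
    RC4 is symmetric, so the same call both encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # KSA
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # PRGA
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def rc4_self_test() -> bool:
    """Check the implementation against the published vector Key="Key", Plaintext="Plaintext"."""
    return rc4(b"Key", b"Plaintext").hex() == "bbf316e8d940af0ad3"


def obfuscate_string(plaintext: str, key: bytes = EXAMPLE_KEY) -> str:
    """RC4-encrypt, then Base64-encode so the blob is printable text inside the binary."""
    return base64.b64encode(rc4(key, plaintext.encode())).decode()


def deobfuscate_string(blob: str, key: bytes = EXAMPLE_KEY) -> str:
    """Undo the layering: Base64-decode, then RC4-decrypt."""
    return rc4(key, base64.b64decode(blob)).decode()


def recover_strings(blobs, key: bytes = EXAMPLE_KEY) -> dict:
    """Try to decrypt each candidate blob and keep only results that decode as
    printable ASCII. This is how an analyst separates real strings from noise
    when the extraction step also picks up unrelated Base64 data or a wrong key."""
    recovered = {}
    for blob in blobs:
        try:
            text = rc4(key, base64.b64decode(blob, validate=True)).decode("ascii")
        except (ValueError, UnicodeDecodeError):   # bad Base64 or non-ASCII result
            continue
        if text.isprintable():
            recovered[blob] = text
    return recovered


if __name__ == "__main__":
    # Constructed sample strings of the kind a stealer keeps encrypted.
    secrets = ["\\Login Data", "wallet.dat", "Mozilla/5.0", "/gate.php"]
    blobs = [obfuscate_string(s) for s in secrets]
    print(recover_strings(blobs))
```

Because RC4 is a stream cipher with no integrity check, a wrong key simply yields garbage, so the printable-ASCII filter in `recover_strings` is what tells you the key was right; the `rc4_self_test` vector guards against the classic off-by-one mistakes in the KSA loop.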
The malware also uses sleep intervals as timing checks: it measures how long a sleep actually takes, and a mismatch between the expected and observed duration indicates that execution is being suspended by a debugger or other analysis tooling. It can also delete itself once it has collected the victim's data, or whenever its operator chooses to remove it from the infected system.
Like much Russian-origin malware, Mars Stealer checks whether the victim is located in a Commonwealth of Independent States (CIS) country. If the system language ID matches Belarus, Uzbekistan, Kazakhstan, Azerbaijan or Russia, the malware removes itself immediately without doing any damage.
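The two host checks described in the preceding paragraphs, the sleep-based timing check and the CIS language-ID check, as an added example written for this article; it is not the stealer's code. The primary language IDs are the Windows `winnt.h` values for the five locales the article lists. `GetUserDefaultLangID` is an assumption (the article does not name the API the sample calls), and `stalled_sleep` is a constructed stand-in for a sleep that a debugger interrupts:

```python
import sys
import time
from typing import Optional

# Windows primary language IDs (winnt.h) for the locales the article lists:
# LANG_RUSSIAN, LANG_BELARUSIAN, LANG_UZBEK, LANG_KAZAK, LANG_AZERI.
CIS_PRIMARY_LANGIDS = {0x19, 0x23, 0x43, 0x3F, 0x2C}


def primary_langid(langid: int) -> int:
    """PRIMARYLANGID(): a LANGID keeps the primary language in the low 10 bits
    and the sublanguage (e.g. Cyrillic vs Latin Uzbek) in the high 6 bits."""
    return langid & 0x3FF


def is_excluded_locale(langid: int) -> bool:
    """True when the language ID matches one of the CIS locales the stealer
    avoids, whatever the sublanguage."""
    return primary_langid(langid) in CIS_PRIMARY_LANGIDS


def host_langid() -> Optional[int]:
    """On Windows, read the user default LANGID via kernel32. GetUserDefaultLangID
    is assumed here; the article does not name the exact API the stealer calls."""
    if sys.platform != "win32":
        return None
    import ctypes
    return ctypes.windll.kernel32.GetUserDefaultLangID()


def timing_mismatch(expected_ms: float, elapsed_ms: float, tolerance_ms: float) -> bool:
    """Core of the sleep check: a sleep should return close to when it was asked
    to. A large overshoot means execution was suspended, as happens when an
    analyst breaks in or single-steps in a debugger."""
    return elapsed_ms - expected_ms > tolerance_ms


def run_timing_check(expected_ms: float, tolerance_ms: float, sleep_fn=time.sleep) -> bool:
    """Sleep for expected_ms and report whether the observed duration overshot.
    sleep_fn is injectable so the debugger-stall case can be reproduced offline."""
    start = time.perf_counter()
    sleep_fn(expected_ms / 1000.0)
    elapsed_ms = (time.perf_counter() - start) * 1000.0
    return timing_mismatch(expected_ms, elapsed_ms, tolerance_ms)


def stalled_sleep(seconds: float, stall_seconds: float = 0.5) -> None:
    """Constructed stand-in for a sleep interrupted by a debugger: overshoots by stall_seconds."""
    time.sleep(seconds + stall_seconds)


def should_bail_out(langid: Optional[int], debugger_suspected: bool) -> bool:
    """Combine both checks as the article describes: either condition makes the
    stealer abandon the host (self-delete) instead of collecting anything."""
    return debugger_suspected or (langid is not None and is_excluded_locale(langid))


if __name__ == "__main__":
    langid = host_langid()
    stalled = run_timing_check(expected_ms=50, tolerance_ms=500)
    print(f"langid={langid!r} debugger_suspected={stalled} bail_out={should_bail_out(langid, stalled)}")
```

Two practical consequences for analysis follow from the checks. Masking with `0x3FF` means a sandbox set to any sublanguage of the listed locales (for example Cyrillic Uzbek, `0x0843`, as well as Latin Uzbek, `0x0443`) causes the sample to exit before it steals anything, so an analysis VM should use a non-CIS locale. And because the timing check compares wall-clock time against the requested sleep, breakpoints around the sleep call will trip it; patching the comparison or hooking the sleep and timer APIs is the usual workaround.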
The developers sell the stealer on dark web hacking forums for $140 to $160. Given that price for a fairly sophisticated feature set, experts believe many threat actors have already acquired it.