Sometime in 2018, a new information stealer named Vidar appeared. Analysis revealed Vidar is an information stealer that is a copycat or fork of Arkei malware. Since that time, Vidar has led to other Arkei-based variants. Today’s diary reviews Vidar and two additional variants: Oski Stealer and Mars Stealer based on analysis of their infection traffic.
Legitimate files used by Vidar, Oski, & Mars Stealer
During Vidar infections, the initial malware retrieves legitimate DLL files hosted on the same C2 server used for data exfiltration. These files are not malicious, but they are used by the Vidar malware binary.
- freebl3.dll (DLL for Thunderbird)
- mozglue.dll (DLL for Thunderbird)
- msvcp140.dll (Microsoft C runtime library)
- nss3.dll (DLL for Thunderbird)
- softokn3.dll (DLL for Thunderbird)
- vcruntime140.dll (Microsoft C runtime library)
To the above list, Oski Stealer and Mars Stealer add another legitimate DLL:
- sqlite3.dll (used for SQLite operations)
During Vidar infections, the initial malware binary requests each file from its C2 server. The image below reveals separate HTTP GET request for each of the legitimate DLL files caused by this Vidar sample from September 2019.
Like Vidar, Oski Stealer retrieves each of the legitimate DLL files separately. But Oski does not use the file names in its URLs for the DLLs. Traffic generated by this Oski Stealer sample from January 2022 is shown below.
Malware advertised in underground forums as Mars Stealer started to appear in 2021. Current samples of Mars Stealer (like this one) retrieve legitimate DLL files as a single zip archive. See the next three images for details.
If we retrieve the zip archive from Mars Stealer traffic, we can extract the individual files from that zip archive as shown below.
Data exfiltration has evolved from Vidar to Oski Stealer to Mars Stealer. All three types of malware send a zip archive containing data stolen from the infected Windows host. But the patterns have changed. Below are images that illustrate the HTTP POST requests that send stolen data to their C2 servers. Arrows highlight the zip archives.
The content of zip archives posted by Vidar, Oski Stealer, and Mars Stealer has also evolved. See the images below for details.
Indicators of Compromise (IOCs)
Below are the three malware samples used for today’s diary:
- b4c9aadd18c1b6f613bf9d6db71dcc010bbdfe8b770b4084eeb7d5c77d95f180 (Vidar)
- c30ce79d7b5b0708dc03f1532fa89afd4efd732531cb557dc31fe63acd5bc1ce (Oski Stealer)
- 7022a16d455a3ad78d0bbeeb2793cb35e48822c3a0a8d9eaa326ffc91dd9e625 (Mars Stealer)
Below are C2 domains used by the above samples:
- 104.200.67[.]209 port 80 – dersed[.]com – Vidar C2 in September 2019
- 2.56.57[.]108 port 80 – 2.56.57[.]108 – Oski Stealer C2 in January 2022
- 5.63.155[.]126 port 80 – sughicent[.]com – Mars Stealer C2 in March 2022
- Let’s dig into Vidar – An Arkei Copycat/Forked Stealer (In-depth analysis)
- Meet Oski Stealer: An In-depth Analysis of the Popular Credential Stealer
- Like Father Like Son? New Mars Stealer
In recent weeks, Hancitor infections have been pushing Mars Stealer EXE files as follow-up malware. However, Mars Stealer can be distributed through other methods. Although it’s not as widely-distributed as other malware like Qakbot or Emotet, Mars Stealer is a noticeable part of our current threat landscape.
brad [at] malware-traffic-analysis.net
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.