On March 30, 2022, the Computer Emergency Response Team of Ukraine (CERT-UA) put out a warning of a mass spread of malware named “Mars Stealer” targeting individuals and organizations in Ukraine. According to the CERT-UA research, adversaries behind Mars Stealer attacks are traced back to the hacking group tracked as UAC-0041 (associated with AgentTesla and XLoader).

Mars Stealer, as a rather accessible entry point to data theft, has recently been leveraged in many countries all over the world, mostly in Canada, Indonesia, Brazil, Europe, and the US, targeting individuals and businesses. Researchers indicate that Google Ads misuse and phishing emails are the two most widespread approaches to distributing this infostealer.

Mars Stealer Analysis

Mars Stealer, a C/ASM-based infostealer, is a relatively low-priced malware available for purchase on hacking forums for only $160 for a lifetime subscription. The strain is based on Oski Stealer, which first surfaced in 2019. Like its 2019 predecessor, Mars Stealer has multiple delivery methods. Malware like Mars Stealer is most commonly distributed via malspam campaigns and social engineering scams as a compressed executable, download link, or document payload in a phishing email. Another frequent approach for propagating infostealers is creating a bogus website that lures users in, with the consequent theft of their data. The malware's capabilities include collecting information about the compromised device, stealing browser and authentication data and files, targeting crypto-wallet plug-ins and multi-factor authentication programs, enabling adversaries to download and run executable files, and taking unauthorized screenshots.

As CERT-UA reported, Mars Stealer was distributed via a spam email campaign. Victims received spoofed emails containing a lure archive that, if opened, ran a malicious executable file that spread the infection on targeted systems.
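
A behavior-based check for the delivery chain described above (a lure archive whose contents run an executable), as an added example that is not SOC Prime's detection content or part of the CERT-UA report. It assumes Sysmon-style process-creation events with `Image` and `ParentImage` fields; the archive-handler list and the sample events are constructed for illustration.

```python
import re

# Archive handlers commonly seen as the parent when a user opens an attachment
# (assumed list, extend for the tools deployed in your environment).
ARCHIVE_PARENTS = {"winrar.exe", "7zfm.exe", "7zg.exe", "explorer.exe"}

# Temp directories used when a file is launched from inside an archive:
# WinRAR -> Rar$EX..., 7-Zip -> 7zO..., Explorer zip folders -> Temp1_<name>.zip
EXTRACT_DIR = re.compile(
    r"\\appdata\\local\\temp\\(rar\$ex[^\\]*|7zo[^\\]*|temp\d+_[^\\]+\.zip)\\",
    re.IGNORECASE,
)
EXEC_EXT = (".exe", ".scr", ".com", ".pif")


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_archive_launched_executable(event):
    """True when an archive handler starts an executable from its temp extraction dir."""
    parent = basename(event.get("ParentImage", ""))
    image = event.get("Image", "")
    return (
        parent in ARCHIVE_PARENTS
        and image.lower().endswith(EXEC_EXT)
        and EXTRACT_DIR.search(image) is not None
    )


def triage(events):
    """Return only the events that match the archive-to-executable pattern."""
    return [e for e in events if is_archive_launched_executable(e)]


# Constructed sample events (not taken from the CERT-UA report).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\WinRAR\WinRAR.exe",
     "Image": r"C:\Users\u1\AppData\Local\Temp\Rar$EXa1234.5678\invoice.exe"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Users\u1\AppData\Local\Temp\Temp1_docs.zip\report.scr"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe"},
    {"ParentImage": r"C:\Program Files\7-Zip\7zFM.exe",
     "Image": r"C:\Windows\System32\notepad.exe"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print("ALERT", hit["ParentImage"], "->", hit["Image"])
```

The check is a generic heuristic for archive-delivered executables, so it also fires on legitimate installers run straight from an archive and should be tuned before alerting on it.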

Sigma Behavior-Based Content to Detect Mars Stealer Malware Cyber-Attacks

Security practitioners can detect the potential Mars Stealer malware strains in the organization’s infrastructure using a set of curated Sigma-based detection rules available in the SOC Prime Platform:

Detection Content for Mars Stealer Malware

Please note that the detection content is accessible only to the registered users of SOC Prime’s Detection as Code platform.


For your convenience, the dedicated Sigma-based content to detect the malicious activity associated with Mars Stealer is mapped to the latest version of the MITRE ATT&CK framework addressing the corresponding tactics and techniques:
