From 68cd2fca82b8a46e73454eead414d9abe45b873d Mon Sep 17 00:00:00 2001
From: Delta-Sierra
Date: Fri, 26 Jan 2024 16:11:12 +0100
Subject: [PATCH] add mars and oski stealers

---
 clusters/stealer.json | 62 ++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 61 insertions(+), 1 deletion(-)

diff --git a/clusters/stealer.json b/clusters/stealer.json
index 1cb8de1..fe09029 100644
--- a/clusters/stealer.json
+++ b/clusters/stealer.json
@@ -223,7 +223,67 @@
 },
 "uuid": "0266302b-52d3-44da-ab63-a8a6f16de737",
 "value": "Sordeal-Stealer"
+ },
+ {
+ "description": "Mars stealer is an improved successor of Oski Stealer, supporting stealing from current browsers and targeting crypto currencies and 2FA plugins. Mars Stealer written in ASM/C using WinApi, weight is 95 kb. Uses special techniques to hide WinApi calls, encrypts strings, collects information in the memory, supports secure SSL-connection with C&C, doesn’t use CRT, STD.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mars_stealer",
+ "https://3xp0rt.com/posts/mars-stealer/",
+ "https://cyberint.com/blog/research/mars-stealer/",
+ "https://isc.sans.edu/diary/rss/28468",
+ "https://isc.sans.edu/diary/Arkei+Variants%3A+From+Vidar+to+Mars+Stealer/28468",
+ "https://blog.morphisec.com/threat-research-mars-stealer",
+ "https://cert.gov.ua/article/38606",
+ "https://www.malwarebytes.com/blog/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique",
+ "https://blog.sekoia.io/mars-a-red-hot-information-stealer/",
+ "https://www.bleepingcomputer.com/news/security/new-meta-information-stealer-distributed-in-malspam-campaign/",
+ "https://www.esentire.com/blog/fake-chrome-setup-leads-to-netsupportmanager-rat-and-mars-stealer",
+ "https://resources.infosecinstitute.com/topics/malware-analysis/mars-stealer-malware-analysis/",
+ "https://www.microsoft.com/en-us/security/blog/2022/05/17/in-hot-pursuit-of-cryware-defending-hot-wallets-from-attacks/",
+ "https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-mars-stealer",
+ "https://x-junior.github.io/malware%20analysis/2022/05/19/MarsStealer.html",
+ "https://www.kelacyber.com/information-stealers-a-new-landscape/",
+ "https://cyble.com/blog/fake-atomic-wallet-website-distributing-mars-stealer/",
+ "https://go.recordedfuture.com/hubfs/reports/cta-2022-0802.pdf",
+ "https://drive.google.com/file/d/14cmYxzowVLyuiS5qDGOKzgI2_vak2Fve/view",
+ "https://threatmon.io/mars-stealer-malware-analysis-2022/",
+ "https://threatmon.io/storage/mars-stealer-malware-analysis-2022.pdf",
+ "https://3xp0rt.com/posts/mars-stealer/forum.png"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "54b61c7e-8ced-4b90-a295-62102bfd4f32",
+ "tags": [
+ "estimative-language:likelihood-probability=\"very-likely\""
+ ],
+ "type": "successor-of"
+ }
+ ],
+ "uuid": "64e51712-89d6-4c91-98ac-8907eafe98c6",
+ "value": "Mars Stealer"
+ },
+ {
+ "description": "The Oski stealer is a malicious information stealer, which was first introduced in November 2019. As the name implies, the Oski stealer steals personal and sensitive information from its target. “Oski” is derived from an old Nordic word meaning Viking warrior, which is quite fitting considering this popular info-stealer is extremely effective at pillaging privileged information from its victims.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.oski",
+ "https://twitter.com/albertzsigovits/status/1160874557454131200",
+ "https://www.bitdefender.com/blog/labs/",
+ "https://www.cyberark.com/resources/threat-research-blog/meet-oski-stealer-an-in-depth-analysis-of-the-popular-credential-stealer",
+ "https://medium.com/shallvhack/oski-stealer-a-credential-theft-malware-b9bba5164601",
+ "https://yoroi.company/en/research/the-wayback-campaign-a-large-scale-operation-hiding-in-plain-sight/",
+ "https://drive.google.com/file/d/1c72YIF6JYcEvbFZCrkZO26D9hC3gnyMP/view",
+ "https://www.rapid7.com/solutions/unified-mdr-xdr-vm/",
+ "https://3xp0rt.com/posts/mars-stealer/",
+ "https://cyberint.com/blog/research/mars-stealer/",
+ "https://isc.sans.edu/diary/Arkei+Variants%3A+From+Vidar+to+Mars+Stealer/28468"
+ ]
+ },
+ "uuid": "54b61c7e-8ced-4b90-a295-62102bfd4f32",
+ "value": "Oski Stealer"
 }
 ],
- "version": 13
+ "version": 14
 }
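Review bot: Several of the new `refs` are not citable sources for the malware they are attached to: in the Oski entry `https://www.bitdefender.com/blog/labs/` is a blog index and `https://www.rapid7.com/solutions/unified-mdr-xdr-vm/` a product page, `https://3xp0rt.com/posts/mars-stealer/forum.png` in the Mars entry is a screenshot rather than a report, and the two `drive.google.com/file/d/...` links are anonymous file shares that cannot be vetted and are unlikely to persist — each should be replaced with the specific analysis it was meant to point at or dropped. The Mars entry also lists the same ISC diary twice (`https://isc.sans.edu/diary/rss/28468` and the full `/diary/Arkei+Variants.../28468` URL), so one can go. The Mars `description` reads like the seller's advertisement copy ("weight is 95 kb", "doesn't use CRT, STD"), which the forum screenshot ref suggests is its origin; rewording it as a claim, e.g. `"Advertised by its seller as written in ASM/C using WinApi, ~95 kB, with hidden WinApi calls, string encryption and TLS to the C2"`, would keep the cluster from presenting a sales pitch as analysis. The new `related` entry on Mars points at Oski's `dest-uuid` with `successor-of`, but the Oski entry added in the same hunk carries no reciprocal relation; if relations are kept symmetric elsewhere in this galaxy, Oski should get the matching entry back to `64e51712-89d6-4c91-98ac-8907eafe98c6`.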