Created by: lindbergh
Date created: 2022-12-16
Last edited: 2023-01-24
Description: Heatmap of instances of ATT&CK techniques for Mars Stealer based on recent public CTI reporting (sources in notes for each technique).
Techniques (10)
-
Credentials from Web Browsers
ID: T1555.003
Tactics: Credential Access
Description: https://blog.cyble.com/2022/08/02/fake-atomic-wallet-website-distributing-mars-stealer/
Adversaries may acquire credentials from web browsers by reading files specific to the target browser.[[Talos Olympic Destroyer 2018](https://app.tidalcyber.com/references/25a2e179-7abd-4091-8af4-e9d2bf24ef11)] Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store; however, methods exist to extract plaintext credentials from web browsers.
For example, on Windows systems, encrypted credentials may be obtained from Google Chrome by reading a database file, `AppData\Local\Google\Chrome\User Data\Default\Login Data`, and executing a SQL query: `SELECT action_url, username_value, password_value FROM logins;`. The plaintext password can then be obtained by passing the encrypted credentials to the Windows API function `CryptUnprotectData`, which uses the victim’s cached logon credentials as the decryption key.[[Microsoft CryptUnprotectData April 2018](https://app.tidalcyber.com/references/258088ae-96c2-4520-8eb5-1a7e540a9a24)] Adversaries have executed similar procedures for common web browsers such as FireFox, Safari, Edge, etc.[[Proofpoint Vega Credential Stealer May 2018](https://app.tidalcyber.com/references/c52fe62f-4df4-43b0-a126-2df07dc61fc0)][[FireEye HawkEye Malware July 2017](https://app.tidalcyber.com/references/7ad228a8-5450-45ec-86fc-ea038f7c6ef7)] Windows stores Internet Explorer and Microsoft Edge credentials in Credential Lockers managed by the [Windows Credential Manager](https://app.tidalcyber.com/technique/9503955c-fa53-452a-b717-7e23bfb4df83).
Adversaries may also acquire credentials by searching web browser process memory for patterns that commonly match credentials.[[GitHub Mimikittenz July 2016](https://app.tidalcyber.com/references/2e0a95b2-3f9a-4638-9bc5-ff1f3ac2af4b)]
After acquiring credentials from web browsers, adversaries may attempt to recycle the credentials across different systems and/or accounts in order to expand access. This can result in significantly furthering an adversary’s objective in cases where credentials gained from web browsers overlap with privileged accounts (e.g. domain administrator).
Source: https://blog.cyble.com/2022/08/02/fake-atomic-wallet-website-distributing-mars-stealer/
-
Exfiltration Over C2 Channel
ID: T1041
Tactics: Exfiltration
Description: https://blog.cyble.com/2022/08/02/fake-atomic-wallet-website-distributing-mars-stealer/
Adversaries may steal data by exfiltrating it over an existing command and control channel. Stolen data is encoded into the normal communications channel using the same protocol as command and control communications.
Source: https://blog.cyble.com/2022/08/02/fake-atomic-wallet-website-distributing-mars-stealer/
-
Hide Artifacts
ID: T1564
Tactics: Defense Evasion
Description: https://blog.cyble.com/2022/08/02/fake-atomic-wallet-website-distributing-mars-stealer/
Adversaries may attempt to hide artifacts associated with their behaviors to evade detection. Operating systems may have features to hide various artifacts, such as important system files and administrative task execution, to avoid disrupting user work environments and prevent users from changing files or features on the system. Adversaries may abuse these features to hide artifacts such as files, directories, user accounts, or other system activity to evade detection.[[Sofacy Komplex Trojan](https://app.tidalcyber.com/references/a21be45e-26c3-446d-b336-b58d08df5749)][[Cybereason OSX Pirrit](https://app.tidalcyber.com/references/ebdf09ed-6eec-450f-aaea-067504ec25ca)][[MalwareBytes ADS July 2015](https://app.tidalcyber.com/references/b552cf89-1880-48de-9088-c755c38821c1)]
Adversaries may also attempt to hide artifacts associated with malicious behavior by creating computing regions that are isolated from common security instrumentation, such as through the use of virtualization technology.[[Sophos Ragnar May 2020](https://app.tidalcyber.com/references/04ed6dc0-45c2-4e36-8ec7-a75f6f715f0a)]
Source: https://blog.cyble.com/2022/08/02/fake-atomic-wallet-website-distributing-mars-stealer/
-
Obfuscated Files or Information
ID: T1027
Tactics: Defense Evasion
Description: https://blog.cyble.com/2022/08/02/fake-atomic-wallet-website-distributing-mars-stealer/
Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Payloads may be compressed, archived, or encrypted in order to avoid detection. These payloads may be used during Initial Access or later to mitigate detection. Sometimes a user’s action may be required to open and [Deobfuscate/Decode Files or Information](https://app.tidalcyber.com/technique/88c2fb46-877a-4005-8425-7639d0da1920) for [User Execution](https://app.tidalcyber.com/technique/b84435ab-2ff4-4b6f-ba71-b4b815474872). The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary.[[Volexity PowerDuke November 2016](https://app.tidalcyber.com/references/4026c055-6020-41bb-a4c8-54b308867023)] Adversaries may also use compressed or archived scripts, such as JavaScript.
Portions of files can also be encoded to hide the plain-text strings that would otherwise help defenders with discovery.[[Linux/Cdorked.A We Live Security Analysis](https://app.tidalcyber.com/references/f76fce2e-2884-4b50-a7d7-55f08b84099c)] Payloads may also be split into separate, seemingly benign files that only reveal malicious functionality when reassembled.[[Carbon Black Obfuscation Sept 2016](https://app.tidalcyber.com/references/bed8ae68-9738-46fb-abc9-0004fa35636a)]
Adversaries may also abuse [Command Obfuscation](https://app.tidalcyber.com/technique/d8406198-626c-5659-945e-2b5105fcd0c9) to obscure commands executed from payloads or directly via [Command and Scripting Interpreter](https://app.tidalcyber.com/technique/a2184d53-63b1-4c40-81ed-da799080c36c). Environment variables, aliases, characters, and other platform/language specific semantics can be used to evade signature based detections and application control mechanisms.[[FireEye Obfuscation June 2017](https://app.tidalcyber.com/references/6d1089b7-0efe-4961-8abc-22a882895377)][[FireEye Revoke-Obfuscation July 2017](https://app.tidalcyber.com/references/e03e9d19-18bb-4d28-8c96-8c1cef89a20b)][[PaloAlto EncodedCommand March 2017](https://app.tidalcyber.com/references/069ef9af-3402-4b13-8c60-b397b0b0bfd7)]
Source: https://blog.cyble.com/2022/08/02/fake-atomic-wallet-website-distributing-mars-stealer/
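The description above notes that payloads may be compressed, archived, or encrypted to avoid detection. A standard defender triage step for that case is measuring byte entropy: compressed or encrypted regions approach the 8-bit maximum, while ordinary code and text sit well below it. The following is an added example, not code from the page, from Tidal Cyber, or from the Cyble report; the file contents it scans are constructed inline (a plain-text region followed by a stand-in for an encrypted region), and the chunk size and threshold are assumptions a practitioner would tune.

```python
"""Entropy-based triage for obfuscated or packed content (T1027).

Added example. High-entropy regions in an executable are a trigger for
deeper analysis (e.g. unpacking in a sandbox), not proof of malice:
signed installers, media and already-compressed resources are
high-entropy as well.
"""
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 .. 8.0) of a byte string."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def high_entropy_chunks(data: bytes, chunk_size: int = 256,
                        threshold: float = 7.2):
    """Return (offset, entropy) for every fixed-size chunk at or above
    the threshold. Chunk size and threshold are assumed starting points."""
    hits = []
    for offset in range(0, len(data), chunk_size):
        entropy = shannon_entropy(data[offset:offset + chunk_size])
        if entropy >= threshold:
            hits.append((offset, round(entropy, 2)))
    return hits


def packed_ratio(data: bytes, chunk_size: int = 256,
                 threshold: float = 7.2) -> float:
    """Fraction of chunks that look packed/encrypted; a quick score for
    ranking samples before manual analysis."""
    total = max(1, math.ceil(len(data) / chunk_size))
    return len(high_entropy_chunks(data, chunk_size, threshold)) / total


# Constructed sample input (not a real file):
#  - PLAIN: a repeated text string, so low entropy (< 5 bits/byte)
#  - UNIFORM: two 256-byte blocks in which every byte value occurs exactly
#    once, standing in for an encrypted region at the 8-bit maximum
PLAIN = (b"This program cannot be run in DOS mode.\r\n" * 8)[:256]
UNIFORM = bytes(range(256)) + bytes((i * 7 + 3) % 256 for i in range(256))
SAMPLE = PLAIN + UNIFORM


if __name__ == "__main__":
    for offset, entropy in high_entropy_chunks(SAMPLE):
        print(f"high-entropy chunk at offset {offset:#06x}: {entropy} bits/byte")
    print(f"packed ratio: {packed_ratio(SAMPLE):.2f}")
```

On the constructed sample the first 256 bytes stay below the threshold and the two following chunks score the full 8.0, so two of three chunks are flagged. On a real PE you would run this over the section bodies rather than the whole file, so that a single encrypted section stands out against the code and data sections around it.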
-
Phishing
ID: T1566
Tactics: Initial Access
Description: https://blog.cyble.com/2022/08/02/fake-atomic-wallet-website-distributing-mars-stealer/
Adversaries may send phishing messages to gain access to victim systems. All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass malware spam campaigns.
Adversaries may send victims emails containing malicious attachments or links, typically to execute malicious code on victim systems. Phishing may also be conducted via third-party services, like social media platforms. Phishing may also involve social engineering techniques, such as posing as a trusted source, as well as evasive techniques such as removing or manipulating emails or metadata/headers from compromised accounts being abused to send messages (e.g., [Email Hiding Rules](https://app.tidalcyber.com/technique/01505d46-8675-408d-881e-68f4d8743d47)).[[Microsoft OAuth Spam 2022](https://app.tidalcyber.com/references/086c06a0-3960-5fa8-b034-cef37a3aee90)][[Palo Alto Unit 42 VBA Infostealer 2014](https://app.tidalcyber.com/references/c3eccab6-b12b-513a-9a04-396f7b3dcf63)] Another way to accomplish this is by forging or spoofing [[Proofpoint-spoof](https://app.tidalcyber.com/references/fe9f7542-bbf0-5e34-b3a9-8596cc5aa754)] the identity of the sender, which can be used to fool both the human recipient as well as automated security tools.[[cyberproof-double-bounce](https://app.tidalcyber.com/references/4406d688-c392-5244-b438-6995f38dfc61)]
Victims may also receive phishing messages that instruct them to call a phone number where they are directed to visit a malicious URL, download malware,[[sygnia Luna Month](https://app.tidalcyber.com/references/3e1c2a64-8446-538d-a148-2de87991955a)][[CISA Remote Monitoring and Management Software](https://app.tidalcyber.com/references/1ee55a8c-9e9d-520a-a3d3-1d2da57e0265)] or install adversary-accessible remote management tools onto their computer (i.e., [User Execution](https://app.tidalcyber.com/technique/b84435ab-2ff4-4b6f-ba71-b4b815474872)).[[Unit42 Luna Moth](https://app.tidalcyber.com/references/ec52bcc9-6a56-5b94-8534-23c8e7ce740f)]
Source: https://blog.cyble.com/2022/08/02/fake-atomic-wallet-website-distributing-mars-stealer/
-
Steal Application Access Token
ID: T1528
Tactics: Credential Access
Description: https://blog.cyble.com/2022/08/02/fake-atomic-wallet-website-distributing-mars-stealer/
Adversaries can steal application access tokens as a means of acquiring credentials to access remote systems and resources.
Application access tokens are used to make authorized API requests on behalf of a user or service and are commonly used as a way to access resources in cloud and container-based applications and software-as-a-service (SaaS).[[Auth0 – Why You Should Always Use Access Tokens to Secure APIs Sept 2019](https://app.tidalcyber.com/references/8ec52402-7e54-463d-8906-f373e5855018)] OAuth is one commonly implemented framework that issues tokens to users for access to systems. Adversaries who steal account API tokens in cloud and containerized environments may be able to access data and perform actions with the permissions of these accounts, which can lead to privilege escalation and further compromise of the environment.
In Kubernetes environments, processes running inside a container communicate with the Kubernetes API server using service account tokens. If a container is compromised, an attacker may be able to steal the container’s token and thereby gain access to Kubernetes API commands.[[Kubernetes Service Accounts](https://app.tidalcyber.com/references/a74ffa28-8a2e-4bfd-bc66-969b463bebd9)]
Token theft can also occur through social engineering, in which case user action may be required to grant access. An application desiring access to cloud-based services or protected APIs can gain entry using OAuth 2.0 through a variety of authorization protocols. An example commonly-used sequence is Microsoft’s Authorization Code Grant flow.[[Microsoft Identity Platform Protocols May 2019](https://app.tidalcyber.com/references/a99d2292-be39-4e55-a952-30c9d6a3d0a3)][[Microsoft – OAuth Code Authorization flow – June 2019](https://app.tidalcyber.com/references/a41c2123-8b8d-4f98-a535-e58e3e746b69)] An OAuth access token enables a third-party application to interact with resources containing user data in the ways requested by the application without obtaining user credentials.
Adversaries can leverage OAuth authorization by constructing a malicious application designed to be granted access to resources with the target user’s OAuth token.[[Amnesty OAuth Phishing Attacks, August 2019](https://app.tidalcyber.com/references/0b0f9cf6-f0af-4f86-9699-a63ff36c49e2)][[Trend Micro Pawn Storm OAuth 2017](https://app.tidalcyber.com/references/7d12c764-facd-4086-acd0-5c0287344520)] The adversary will need to complete registration of their application with the authorization server, for example Microsoft Identity Platform using Azure Portal, the Visual Studio IDE, the command-line interface, PowerShell, or REST API calls.[[Microsoft – Azure AD App Registration – May 2019](https://app.tidalcyber.com/references/36a06c99-55ca-4163-9450-c3b84ae10039)] Then, they can send a [Spearphishing Link](https://app.tidalcyber.com/technique/d08a9977-9fc2-46bb-84f9-dbb5187c426d) to the target user to entice them to grant access to the application. Once the OAuth access token is granted, the application can gain potentially long-term access to features of the user account through [Application Access Token](https://app.tidalcyber.com/technique/8592f37d-850a-43d1-86f2-cc981ad7d7dc).[[Microsoft – Azure AD Identity Tokens – Aug 2019](https://app.tidalcyber.com/references/44767d53-8cd7-44dd-a69d-8a7bebc1d87d)]
Application access tokens may function within a limited lifetime, limiting how long an adversary can utilize the stolen token. However, in some cases, adversaries can also steal application refresh tokens[[Auth0 Understanding Refresh Tokens](https://app.tidalcyber.com/references/84eb3d8a-f6b1-4bb5-9411-2c8da29b5946)], allowing them to obtain new access tokens without prompting the user.
Source: https://blog.cyble.com/2022/08/02/fake-atomic-wallet-website-distributing-mars-stealer/
-
Steal Web Session Cookie
ID: T1539
Tactics: Credential Access
Description: https://blog.cyble.com/2022/08/02/fake-atomic-wallet-website-distributing-mars-stealer/
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials. Web applications and services often use session cookies as an authentication token after a user has authenticated to a website.
Cookies are often valid for an extended period of time, even if the web application is not actively used. Cookies can be found on disk, in the process memory of the browser, and in network traffic to remote systems. Additionally, other applications on the target's machine might store sensitive authentication cookies in memory (e.g. apps which authenticate to cloud services). Session cookies can be used to bypass some multi-factor authentication protocols.[[Pass The Cookie](https://app.tidalcyber.com/references/dc67930f-5c7b-41be-97e9-d8f4a55e6019)]
There are several examples of malware targeting cookies from web browsers on the local system.[[Kaspersky TajMahal April 2019](https://app.tidalcyber.com/references/1ed20522-52ae-4d0c-b42e-c680490958ac)][[Unit 42 Mac Crypto Cookies January 2019](https://app.tidalcyber.com/references/0a88e730-8ed2-4983-8f11-2cb2e4abfe3e)] There are also open source frameworks such as Evilginx 2 and Muraena that can gather session cookies through a malicious proxy (ex: [Adversary-in-the-Middle](https://app.tidalcyber.com/technique/d98dbf30-c454-42ff-a9f3-2cd3319cc0d9)) that can be set up by an adversary and used in phishing campaigns.[[Github evilginx2](https://app.tidalcyber.com/references/322e5d90-5095-47ea-b0e2-e7e5fb45fcca)][[GitHub Mauraena](https://app.tidalcyber.com/references/578ecf62-b546-4f52-9d50-92557edf2dd4)]
After an adversary acquires a valid cookie, they can then perform a [Web Session Cookie](https://app.tidalcyber.com/technique/d36a5323-e249-44e8-9c8b-5cc9c023a5e1) technique to login to the corresponding web application.
Source: https://blog.cyble.com/2022/08/02/fake-atomic-wallet-website-distributing-mars-stealer/
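Both the Credentials from Web Browsers (T1555.003) entry above, which names Chrome's `Login Data` database, and the Steal Web Session Cookie (T1539) entry, which notes that cookies can be found on disk, describe the same on-host artifact: a browser profile file being read by something other than the browser. The following is an added example of the corresponding detection logic, not code from the page, from Tidal Cyber, or from the Cyble report; the event format, the list of trusted browser images and the Firefox file names are assumptions, and the file-access events are constructed inline.

```python
"""Flag non-browser processes reading browser credential and cookie stores.

Added example. Input is a list of file-access events of the kind EDR or
Sysmon file telemetry produces; the FileAccess shape below is an assumed
minimal schema, not any product's real event format.
"""
from __future__ import annotations

from dataclasses import dataclass
from pathlib import PureWindowsPath

# Profile files that hold saved logins or cookies. "Login Data" is the file
# the T1555.003 text names; "Cookies" / "Web Data" are the Chromium-family
# cookie and form-data stores; the Firefox names are an added assumption.
CREDENTIAL_STORE_NAMES = {
    "login data", "cookies", "web data",          # Chromium-family profiles
    "logins.json", "key4.db", "cookies.sqlite",   # Firefox profiles
}

# Images expected to open their own stores. Assumed allow-list; extend it to
# the browsers actually deployed in the environment being monitored.
BROWSER_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}


@dataclass(frozen=True)
class FileAccess:
    process: str   # image name of the process that opened the file
    path: str      # full path of the file that was opened


def is_browser_store(path: str) -> bool:
    """True if the path is a credential/cookie store inside a browser
    profile tree. The profile-tree check keeps a stray file that merely
    happens to be called "Cookies" from firing the rule."""
    p = PureWindowsPath(path)
    parts_lower = [part.lower() for part in p.parts]
    in_profile_tree = "user data" in parts_lower or "profiles" in parts_lower
    return in_profile_tree and p.name.lower() in CREDENTIAL_STORE_NAMES


def suspicious_accesses(events: list[FileAccess]) -> list[FileAccess]:
    """Return the events in which a non-browser process read a store."""
    return [
        e for e in events
        if is_browser_store(e.path) and e.process.lower() not in BROWSER_PROCESSES
    ]


# Constructed sample telemetry (not real events). Paths use an invented
# user name; the two "updater.exe" and the "svc.exe" reads are the
# behaviour the rule is meant to surface.
SAMPLE_EVENTS = [
    FileAccess("chrome.exe",
               r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    FileAccess("updater.exe",
               r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    FileAccess("updater.exe",
               r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Cookies"),
    FileAccess("notepad.exe",
               r"C:\Users\alice\Documents\Cookies"),          # not a profile tree
    FileAccess("firefox.exe",
               r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\x1.default-release\logins.json"),
    FileAccess("svc.exe",
               r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\x1.default-release\cookies.sqlite"),
]


if __name__ == "__main__":
    for hit in suspicious_accesses(SAMPLE_EVENTS):
        print(f"ALERT: {hit.process} read browser store {hit.path}")
```

Infostealers commonly copy the store to a temporary location before querying it, so a create or write event for a file named `Login Data` or `Cookies` outside a profile tree, shortly after a read inside one, is the complementary signal worth a second rule. Image-name allow-lists are also only as strong as the process telemetry behind them; where signer or hash information is available, key the allow-list on that instead.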
-
System Information Discovery
ID: T1082
Tactics: Discovery
Description: https://blog.cyble.com/2022/08/02/fake-atomic-wallet-website-distributing-mars-stealer/
An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from [System Information Discovery](https://app.tidalcyber.com/technique/a2961a00-450e-45a5-b293-f699d9f3b4ea) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tools such as [Systeminfo](https://app.tidalcyber.com/software/cecea681-a753-47b5-9d77-c10a5b4403ab) can be used to gather detailed system information. If running with privileged access, a breakdown of system data can be gathered through the `systemsetup` configuration tool on macOS. As an example, adversaries with user-level access can execute the `df -aH` command to obtain currently mounted disks and associated freely available space. Adversaries may also leverage a [Network Device CLI](https://app.tidalcyber.com/technique/284bfbb3-99f0-4c3d-bc1f-ab74065b7907) on network devices to gather detailed system information (e.g. `show version`).[[US-CERT-TA18-106A](https://app.tidalcyber.com/references/1fe55557-94af-4697-a675-884701f70f2a)] [System Information Discovery](https://app.tidalcyber.com/technique/a2961a00-450e-45a5-b293-f699d9f3b4ea) combined with information gathered from other forms of discovery and reconnaissance can drive payload development and concealment.[[OSX.FairyTale](https://app.tidalcyber.com/references/27f8ad45-53d2-48ba-b549-f7674cf9c2e7)][[20 macOS Common Tools and Techniques](https://app.tidalcyber.com/references/3ee99ff4-daf4-4776-9d94-f7cf193c2b0c)]
Infrastructure as a Service (IaaS) cloud providers such as AWS, GCP, and Azure allow access to instance and virtual machine information via APIs. Successful authenticated API calls can return data such as the operating system platform and status of a particular instance or the model view of a virtual machine.[[Amazon Describe Instance](https://app.tidalcyber.com/references/c0b6a8a4-0d94-414d-b5ab-cf5485240dee)][[Google Instances Resource](https://app.tidalcyber.com/references/9733447c-072f-4da8-9cc7-0a0ce6a3b820)][[Microsoft Virutal Machine API](https://app.tidalcyber.com/references/f565c237-07c5-4e9e-9879-513627517109)]
Source: https://blog.cyble.com/2022/08/02/fake-atomic-wallet-website-distributing-mars-stealer/
-
Unsecured Credentials
ID: T1552
Tactics: Credential Access
Description: https://blog.cyble.com/2022/08/02/fake-atomic-wallet-website-distributing-mars-stealer/
Adversaries may search compromised systems to find and obtain insecurely stored credentials. These credentials can be stored and/or misplaced in many locations on a system, including plaintext files (e.g. [Bash History](https://app.tidalcyber.com/technique/065d1cca-8ca5-4f8b-a333-2340706f589e)), operating system or application-specific repositories (e.g. [Credentials in Registry](https://app.tidalcyber.com/technique/cdac2469-52ca-42a8-aefe-0321a7e3d658)), or other specialized files/artifacts (e.g. [Private Keys](https://app.tidalcyber.com/technique/e493bf4a-0eba-4e60-a7a6-c699084dc98a)).
Source: https://blog.cyble.com/2022/08/02/fake-atomic-wallet-website-distributing-mars-stealer/
-
User Execution
ID: T1204
Tactics: Execution
Description: https://blog.cyble.com/2022/08/02/fake-atomic-wallet-website-distributing-mars-stealer/
An adversary may rely upon specific actions by a user in order to gain execution. Users may be subjected to social engineering to get them to execute malicious code by, for example, opening a malicious document file or link. These user actions will typically be observed as follow-on behavior from forms of [Phishing](https://app.tidalcyber.com/technique/d4a36624-50cb-43d3-95af-a2e10878a533).
While [User Execution](https://app.tidalcyber.com/technique/b84435ab-2ff4-4b6f-ba71-b4b815474872) frequently occurs shortly after Initial Access, it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user’s desktop hoping that a user will click on it. This activity may also be seen shortly after [Internal Spearphishing](https://app.tidalcyber.com/technique/4f4ea659-7653-4bfd-a525-b2af32c5899b).
Adversaries may also deceive users into performing actions such as enabling [Remote Access Software](https://app.tidalcyber.com/technique/acf828f4-7e7e-43e1-bf15-ceab42021430), allowing direct control of the system to the adversary, or downloading and executing malware for [User Execution](https://app.tidalcyber.com/technique/b84435ab-2ff4-4b6f-ba71-b4b815474872). For example, tech support scams can be facilitated through [Phishing](https://app.tidalcyber.com/technique/d4a36624-50cb-43d3-95af-a2e10878a533), vishing, or various forms of user interaction. Adversaries can use a combination of these methods, such as spoofing and promoting toll-free numbers or call centers that are used to direct victims to malicious websites, to deliver and execute payloads containing malware or [Remote Access Software](https://app.tidalcyber.com/technique/acf828f4-7e7e-43e1-bf15-ceab42021430).[[Telephone Attack Delivery](https://app.tidalcyber.com/references/9670da7b-0600-4072-9ecc-65a918b89ac5)]
Source: https://blog.cyble.com/2022/08/02/fake-atomic-wallet-website-distributing-mars-stealer/