
Note: this post was originally shared on by a member of the Binary Defense Team. In order to ensure this research is visible to a broader audience, this employee agreed to let us share it here.

Since the original post, the threat actor has been updating their malware and their tactics weekly. Some information in this post does not reflect the current version of the malware. However, the information is still important for defenders as there are still old infections that resemble the documented behavior, and the tactics can be used by other actors.

Mars Deimos is a C2 client and the binary under analysis is the backdoor stage of the malware. The particular binary studied here appears to be tracked internally by the author as “Mars Deimos AppVersion RS-2”. It shares Indicators of Compromise (IOC) with a directly related malware which has been documented as Jupyter Infostealer by Morphisec. It has also been documented as Solarmarker by CrowdStrike. The Jupyter variant shares functionality with Mars Deimos but can also steal cookies from browsers.

Note on naming: Though it can be confusing if there are too many names for the same malware, I want to maintain calling it “Mars Deimos” in order to assist defenders. In the original script, you can see it called “Mars Deimos” but I could not find any information about it under that name. In the Solarwinds analysis, it is called “D:M” by the malware author, so it seems like the name “Mars Deimos” is appropriate to maintain. Jupyter shares some IOC with Mars Deimos, which can complicate things, but they are maintained independently by the malware authors and have different functionality.

My goal in this post is to provide analysis of the persistence script. Because Mars Deimos is a present-day threat, it is important for administrators and analysts to recognize and understand the scripts if they are found.

How the Mars Deimos malware is delivered

According to the analysis by CrowdStrike and Morphisec, Mars Deimos normally has several stages. The binary for this analysis appears to be the fourth or fifth stage (according to CrowdStrike) and is the persistent backdoor. My analysis began at this stage and I do not have access to the earlier stages, but it appears that a user downloaded an executable that was disguised as a Word document. The executable then dropped two files: a .bat script and an unreadable file without an extension. For persistence, shortcuts on the desktop were modified to call the .bat script.

Beginning Analysis of Mars Deimos

As is common when PowerShell is being executed maliciously, the .bat script is written in a way to be confusing as follows: The script was named “DZWhBTixXsCjSOuNobQfpImvelygwUznrLHGPtkFAaMKVYcJ.cMd”,
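One way to hunt for the persistence step described in this post (desktop shortcuts modified to launch the dropped batch script), added here as an example that is not part of the original post or of any vendor tooling: a small Python triage script that parses .lnk files according to the MS-SHLLINK layout (header, optional LinkTargetIDList, LinkInfo LocalBasePath, StringData) and flags shortcuts whose target path or arguments launch a .bat/.cmd file, with extra weight for the mixed-case extension and the long letters-only name seen on the sample. The `build_lnk` helper, the Desktop-style paths and the benign shortcut are constructed for the example; the only value taken from the post is the “DZWh…cMd” file name.

```python
import re
import struct
from pathlib import Path, PureWindowsPath

# Shell Link (.lnk) constants from the MS-SHLLINK specification.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGS, "arguments"),
                 (HAS_ICON, "icon_location"))
SCRIPT_EXT = re.compile(r"\.(bat|cmd)$", re.IGNORECASE)


def parse_lnk(data: bytes) -> dict:
    """Extract the target-bearing fields of a .lnk: LinkInfo LocalBasePath plus the StringData block."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 76 or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    info, pos = {}, 76
    if flags & HAS_ID_LIST:                       # skip LinkTargetIDList (2-byte size prefix)
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:
        size, _hdr_size, li_flags = struct.unpack_from("<III", data, pos)
        if li_flags & 0x1:                        # VolumeIDAndLocalBasePath: offset sits at +16
            start = pos + struct.unpack_from("<I", data, pos + 16)[0]
            info["local_base_path"] = data[start:data.index(b"\x00", start)].decode("cp1252")
        pos += size
    unicode = bool(flags & IS_UNICODE)
    for flag, key in STRING_FIELDS:               # each string: CountCharacters + chars, no terminator
        if flags & flag:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            raw = data[pos:pos + (count * 2 if unicode else count)]
            info[key] = raw.decode("utf-16-le" if unicode else "cp1252")
            pos += len(raw)
    return info


def triage_shortcut(info: dict) -> list:
    """Reasons a parsed shortcut matches the pattern from the post: it launches a batch/cmd script,
    optionally with a mixed-case extension and a long random-looking, letters-only file name."""
    reasons = []
    for key in ("local_base_path", "relative_path", "arguments"):
        for token in re.findall(r'"[^"]+"|\S+', info.get(key, "")):
            token = token.strip('"')
            match = SCRIPT_EXT.search(token)
            if not match:
                continue
            reasons.append(f"{key} launches a batch script: {token}")
            ext = match.group(0)
            if ext not in (ext.lower(), ext.upper()):
                reasons.append(f"mixed-case extension {ext!r}")
            stem = PureWindowsPath(token).stem
            if len(stem) >= 20 and stem.isalpha():
                reasons.append(f"long random-looking file name ({len(stem)} letters)")
    return reasons


def scan_shortcuts(directory) -> dict:
    """Map every flagged .lnk in `directory` (e.g. a collected Desktop folder) to its reasons."""
    findings = {}
    for path in Path(directory).glob("*.lnk"):
        try:
            reasons = triage_shortcut(parse_lnk(path.read_bytes()))
        except ValueError:
            continue
        if reasons:
            findings[str(path)] = reasons
    return findings


def build_lnk(rel_path=None, args=None, local_base_path=None) -> bytes:
    """Construct a minimal .lnk for testing (a constructed sample, not a real dropped file)."""
    flags, body = IS_UNICODE, b""
    if local_base_path is not None:
        flags |= HAS_LINK_INFO
        lbp = local_base_path.encode("cp1252") + b"\x00"
        volume_id = struct.pack("<IIII", 0x11, 3, 0, 0x10) + b"\x00"   # fixed drive, empty label
        size = 28 + len(volume_id) + len(lbp) + 1
        body += struct.pack("<IIIIIII", size, 28, 0x1, 28, 28 + len(volume_id), 0, size - 1)
        body += volume_id + lbp + b"\x00"                               # trailing CommonPathSuffix
    for flag, value in ((HAS_REL_PATH, rel_path), (HAS_ARGS, args)):   # spec order: path before args
        if value is not None:
            flags |= flag
            body += struct.pack("<H", len(value)) + value.encode("utf-16-le")
    header = struct.pack("<I", 76) + LNK_CLSID + struct.pack("<I", flags) + bytes(76 - 24)
    return header + body


if __name__ == "__main__":
    # Constructed shortcut modelled on the post: a relative path to the renamed .cMd script.
    sample = build_lnk(rel_path="..\\AppData\\Roaming\\DZWhBTixXsCjSOuNobQfpImvelygwUznrLHGPtkFAaMKVYcJ.cMd")
    for reason in triage_shortcut(parse_lnk(sample)):
        print(reason)
```

Run it against a copy of a user's Desktop folder with `scan_shortcuts(r"C:\collected\Desktop")`. The parser deliberately skips LinkTargetIDList, which on real shortcuts can carry the target when LinkInfo is absent, so treat a clean result as a triage aid rather than proof; a hit on a shortcut whose icon still says Word or Chrome is the pattern this post describes.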
