Hello, welcome to the Thursday, March 24th, 2020 edition of the Sansonet Storm Center's Stormcast. My name is Johannes Ulrich. And today I'm recording from Jacksonville, Florida.

We've got another great malware write-up by Brad, and he this time looked at Mars Steeler.

Mars Steeler is derived from older Malware and, well, Brad documents that Vidal and Oski Steeler were basically precursors of this Malware.

What's sort of interesting here is that the malware, when it's being installed, it's not

it's just installing itself, it's being installed is not just installing itself.

It's also installing six different DLL files that are actually themselves not malicious.

Four of these are Thunderbird files like DLLs, like for example, NSS and SoftToken and Mosklu are some of these DLs that are being

installed by Mars Steeler, and it uses the functionality of these legitimate DLs then in order

to facilitate its data exfiltration.

Mars Dealer may arrive via various downloaders.

It's then downloaded as a SIP file.

The SIP file does also include these non-malicious DLs.

And well, then it starts with exfiltrating, commonly stolen data from the system it infects.

The X-Filtrate data is wrapped up in a SIP file and then essentially just uploaded to a website.

P-CAPs of actually all three different variants, so the old ones going back to 2019, as well as the latest one, the Mars dealer from this month,

are available with links in Brad's diary.

And we got a little bit more insight in what happened with Octa.

So apparently on January 20th, an employee of Sightel.

Cytle is a company that provides outsourced customer support was compromised,

and then the access gained from this employee's system was used to access 366 different octa customers.

How much access was gained here with these customers

isn't necessarily obvious based on the blog post.

...