A new powerful malware strain has been discovered, named Mars Stealer. Mars Stealer is a redesign of the Oski malware that shut down abruptly in 2020, and aims to compromise a victims cryptocurrency wallet.
Mars Stealer is an information-stealing malware that steals data from all popular web browsers, two-factor authentication plugins, and multiple cryptocurrency extensions and wallets.
In summer 2020, the hacking team behind the Oski trojan suddenly shut down their operation, and weren’t available for comment. Nearly a year later, Mars Stealer has surfaced on Russian-speaking hacking forums.
Security researcher 3xp0rt obtained a sample of the strain, and discovered that Mars Stealer is identical to Oski, albeit with additional functionality.
Mars Stealer uses a custom grabber that retrieves its configuration from the C2 and then proceeds to target the following applications:
Internet apps: Google Chrome, Internet Explorer, Microsoft Edge (Chromium Version), Kometa, Amigo, Torch, Orbitium, Comodo Dragon, Nichrome, Maxxthon5, Maxxthon6, Sputnik Browser, Epic Privacy Browser, Vivaldi, CocCoc, Uran Browser, QIP Surf, Cent Browser, Elements Browser, TorBro Browser, CryptoTab Browser, Brave, Opera Stable, Opera GX, Opera Neon, Firefox, SlimBrowser, PaleMoon, Waterfox, CyberFox, BlackHawk, IceCat, K-Meleon, Thunderbird.
2FA apps: Authenticator, Authy, EOS Authenticator, GAuth Authenticator, Trezor Password Manager.
Crypto extensions: TronLink, MetaMask, Binance Chain Wallet, Yoroi, Nifty Wallet, Math Wallet, Coinbase Wallet, Guarda, EQUAL Wallet, Jaox Liberty, BitAppWllet, iWallet, Wombat, MEW CX, Guild Wallet, Saturn Wallet, Ronin Wallet, Neoline, Clover Wallet, Liquality Wallet, Terra Station, Keplr, Sollet, Auro Wallet, Polymesh Wallet, ICONex, Nabox Wallet, KHC, Temple, TezBox Cyano Wallet, Byone, OneKey, Leaf Wallet, DAppPlay, BitClip, Steem Keychain, Nash Extension, Hycon Lite Client, ZilPay, Coin98 Wallet.
Crypto wallets: Bitcoin Core and all derivatives (Dogecoin, Zcash, DashCore, LiteCoin, etc), Ethereum, Electrum, Electrum LTC, Exodus, Electron Cash, MultiDoge, JAXX, Atomic, Binance, Coinomi.
Mars Stealer will also capture and send the following basic information to the C2:
- IP and country
- Working path to EXE file
- Local time and time zone
- Language system
- Language keyboard layout
- Notebook or desktop
- Processor model
- Computer name
- User name
- Domain computer name
- Machine ID
- Installed software and their versions
Outlook is missing from the list of applications, but it can be assumed that it will be added in future releases.
Mars Stealer is a lean malware of just 95 KB in size, which attempts to evade security by using routines that hide API calls and string-encryption techniques using a combination of RC4 and Base64.
The information it collects is wrapped in memory, while all connections with the C2 are done with the SSL (Secure Sockets Layer) protocol, so they’re encrypted.
Mars Stealers’ code contains Sleep function intervals to perform timing checks that would result in a mismatch if a debugger is used.
Finally, the malware can remove itself after the user data has been exfiltrated or when the operator decides to wipe it.
Mars Stealer also checks if a user is based in countries historically part of the Commonwealth of Independent States, which is common for many Russian-based malware.
Currently, Mars Stealer is sold for $140 to $160 (extended version) on hacking forums, so it will likely get in the hands of numerous threat actors and be used in attacks in the future.
Protecting Your Cryptocurrency Threats Like Mars Stealer
Cryptocurrency and the blockchain stand to be a major driving factor in the technology of the future. However this popularity has attracted an element of cybercrime. There are several tools internet users should use to increase their online protection. One of these tools is SaferNet.
SaferNet is the perfect solution to the cybersecurity issues that individuals, families, and businesses face today. It not only connects every device using a secure, 24/7 always on, military grade VPN, but it also stops outside cyberthreats, malware and viruses as well. On SaferNet, all users are protected anywhere in the world, all the time, on any cellular or Wi-Fi network. In addition to SaferNet’s VPN and cyber protection, it also offers a range of employee or parental/family internet controls including internet filtering, monitoring, scheduling, and blocking access to websites or even entire website categories
Typically, a user would need 3 separate services for a VPN, Malware Protection, and Internet Controls; SaferNet offers all 3 features in one service. SaferNet truly is an endpoint security presence that can be implemented in minutes around the world, on phones, laptops, tablets, and computers at an economical price point that caters to all internet users. SaferNet guarantees a smooth setup and installation process that takes only minutes, and an easily accessible control hub for you to monitor all your employee’s or family members devices; including activity, time spent online, and threats blocked.