- Mars Stealer is an improved copy of its predecessor, the Oski Stealer.
- The malware uses special techniques to collect information from the memory of crypto browser extensions, wallets and 2FAs.
- Credential theft malware continues to be one of the most prevalent types of malware used in cyberattacks.
Share this article
An improved copy of the Oski Stealer malware (first introduced in November 2019) known as “Mars Stealer” has appeared in the wild and is capable of stealing crypto from popular browser extensions.
A Lightweight, Malicious Program
Mars Stealer is a lightweight malicious program of just 95KB in size, but the security issue it represents is no small thing.
Mars Stealer uses a custom grabber to retrieve its configuration from the command and control infrastructure and then proceeds to target application data from popular web browsers, two-factor authentication plugins, and multiple cryptocurrency extensions and wallets.
The Trojan malware began circulating on Russian-speaking hacking forums in the summer of 2021 and is able to infect systems through dubious download channels (e.g., unofficial and free file-hosting websites, peer-to-peer sharing networks such as torrent clients, and other third-party downloaders).
Amongst the most popular list of cryptocurrency browser plug-ins Mars Stealer is capable of exploiting are MetaMask, Binance Chain Wallet, Nifty Wallet, Coinbase Wallet and Guarda. It is also capable of exploiting Bitcoin Core, Electrum, Exodus, Atomic, Binance, Coinomi.
Two-factor authentication applications such as Authy and GAuth Authenticator, as well as web browsers such as Brave, Opera, and Firefox, are also susceptible to being targeted by the Mars Stealer.
One particularly interesting feature of this malicious software is that it checks if a user is based in a country that is historically part of the Commonwealth of Independent States. If the device’s language ID matches Russia, Belarus, Kazakhstan, Azerbaijan, Uzbekistan, and Kazakhstan, the program will exit without performing any malicious behavior.
In summary, this form of malware can cause multiple headaches to its victims, including system infections, privacy issues, financial losses, and identity theft. A detailed technical analysis of the malware can be read in this publication by researcher @3xp0rt.
Disclosure: At the time of writing, the author of this feature owned ETH and several other cryptocurrencies.
$120M Lost in BadgerDAO DeFi Hack
BadgerDAO, a DeFi protocol for earning yield with tokenized Bitcoin on Ethereum, has fallen victim to an attack. The hacker reportedly added a malicious script to the protocol’s frontend website,…
$8 Million Nexus Mutual Hacker Lives in Singapore, Says Team
The attacker who stole more than $8 million worth of NXM from Hugh Karp has cashed out a significant portion of his stash. Nexus Mutual has identified many clues pointing…
$136M Lost as Cream Finance Suffers Another Flash Loan Attack
Decentralized lending protocol Cream Finance has been hit by a major flash loan attack. The assailant borrowed $2 billion from Aave and made off with over $136 million worth of…
Audience Survey Win A $360 Subscription To Pro BTC Trader
Answer the questions below and share your email for a chance to win. Every month, 5 people will receive a $360 1-year subscription to Pro BTC Trader. Free. We’re doing…