Mars Stealer - dangerous malware that silently steals cryptocurrency

The Mars Stealer malware is only about 95 KB in size, but it is alarmingly dangerous for its size: it attacks a wide range of targets, including popular browsers, cryptocurrency wallet extensions and two-factor authentication extensions.

In early February, security researcher 3xp0rt published a detailed analysis of this malware. According to that analysis, Mars Stealer is an upgraded version of the Oski trojan (2019) and can steal the cryptocurrency stored in a user's wallet by going after the wallet's browser extension.

"Mars Stealer is written in ASM/C using WinApi, about 95kb in size. Uses special techniques to hide WinApi commands, encrypt strings, collect in-memory information, support secure SSL connection with C&C, doesn't use CRT, STD," reads 3xp0rt's description.

Mars Stealer is a concern because it targets many popular browsers, two-factor authentication extensions and crypto wallets.

3xp0rt notes that Mars Stealer goes after crypto-related browser extensions, including popular wallets such as MetaMask, Nifty Wallet, Coinbase Wallet, Binance Chain Wallet and TronLink. The malware targets extensions of Chromium-based browsers, so Google Chrome, Coc Coc and the Chromium-based Microsoft Edge are all affected.

In addition, Mars Stealer collects system information that is valuable for profiling the victim: processor, computer name, machine ID, GUID, installed software and its versions, username and the computer's domain name.

As for how it works: the malware is distributed through a variety of channels, including file-hosting sites, torrent clients and untrusted websites. Once it is running on the victim's machine, it extracts the data the wallet extensions store locally, including private key material, along with the data of two-factor extensions (Google Authenticator, Authy, GAuth Authenticator or Trezor Password Manager), and then erases all traces of the theft. Note that nothing cryptographic is being "broken" here: the stealer simply copies the extensions' stored data out of the browser profile on disk, so whatever secrets an extension keeps recoverable on that machine are exposed.

In addition, Mars Stealer evades security software by hiding its API calls and encrypting its strings, and the information it collects is kept in memory rather than written to disk and then exfiltrated to the C&C over an SSL connection. Detection, prevention and tracing therefore become considerably harder.
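What "hiding API calls" means in practice: instead of importing Windows functions by name (which would appear in the PE import table and give away the sample's capabilities), the stealer stores a numeric hash of each function name and resolves the real address at run time by walking a DLL's export table and comparing hashes. Analysts counter this by hashing every known export name with the same routine and matching the constants found in the disassembly. The following is an added example of that analyst-side lookup, not code from 3xp0rt's analysis or from the malware; the ROR-13 routine it uses is a stand-in (assumption), since this page does not give Mars Stealer's actual hash function, and the candidate export list is constructed for the demonstration.

```python
# Added example: building an API-hash lookup table the way an analyst does when a
# sample resolves WinApi functions by hash instead of by import name.
# ASSUMPTION: the ROR-13 routine is a stand-in; the page does not give Mars Stealer's
# own hash function, so replace ror13_hash with the one recovered from the sample.
from typing import Callable, Dict, Iterable, Optional

MASK32 = 0xFFFFFFFF


def ror32(value: int, count: int) -> int:
    """Rotate a 32-bit value right by `count` bits."""
    value &= MASK32
    count %= 32
    return ((value >> count) | (value << (32 - count))) & MASK32


def ror13_hash(name: str) -> int:
    """Classic ROR-13 string hash over the ASCII bytes of an export name."""
    h = 0
    for b in name.encode("ascii"):
        h = (ror32(h, 13) + b) & MASK32
    return h


def build_hash_table(names: Iterable[str],
                     hash_fn: Callable[[str], int] = ror13_hash) -> Dict[int, str]:
    """Map hash constant -> export name for every candidate name, refusing collisions."""
    table: Dict[int, str] = {}
    for name in names:
        h = hash_fn(name)
        if h in table and table[h] != name:
            raise ValueError(f"hash collision between {table[h]!r} and {name!r}")
        table[h] = name
    return table


def resolve(hash_value: int, table: Dict[int, str]) -> Optional[str]:
    """Return the export name behind a constant pulled from the sample, or None."""
    return table.get(hash_value & MASK32)


# Constructed candidate list (not from the page): exports a stealer that reads browser
# files and talks SSL to its C&C would plausibly need. In real use, feed in a complete
# export dump of kernel32.dll, wininet.dll, etc.
CANDIDATES = [
    "LoadLibraryA", "GetProcAddress", "VirtualAlloc", "CreateFileW", "ReadFile",
    "WriteFile", "DeleteFileW", "GetUserDefaultLangID", "GetComputerNameW",
    "InternetOpenW", "InternetConnectW", "HttpOpenRequestW", "HttpSendRequestW",
]


def resolve_many(constants: Iterable[int]) -> Dict[int, Optional[str]]:
    """Resolve a batch of hash constants copied out of a disassembly listing."""
    table = build_hash_table(CANDIDATES)
    return {c: resolve(c, table) for c in constants}


if __name__ == "__main__":
    # Constructed input: two constants we would have pulled from the sample, plus one
    # that is not in our candidate list and so stays unresolved.
    sample_constants = [ror13_hash("LoadLibraryA"), ror13_hash("HttpSendRequestW"), 0xDEADBEEF]
    for const, name in resolve_many(sample_constants).items():
        print(f"0x{const:08X} -> {name or '<not in table>'}")
```

The practical point for detection engineers is that an empty or near-empty import table on a small native executable is itself a signal, and that once the hash routine is recovered from one sample, the same table resolves every constant in later builds that reuse it.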

One notable feature of Mars Stealer is that it first checks the language configured on the user's system. If that language is Russian, Kazakh, Belarusian, Azerbaijani or Uzbek, the program performs no malicious action and simply exits.
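Checks of this kind matter to defenders for two reasons: a sample detonated in a sandbox whose user language is on the list will look harmless, and the check is on the language identifier, not the country. The following is an added example of how such a gate is typically expressed against Windows language IDs; it is not code from Mars Stealer or from 3xp0rt's analysis. It assumes the language is read with the kernel32 function GetUserDefaultLangID (an assumption; the page only says the user's language is checked). Windows LANGIDs are 16-bit values whose low 10 bits are the primary language, so masking with 0x3FF covers both the Latin and Cyrillic variants of Azerbaijani (0x042C and 0x082C) and Uzbek (0x0443 and 0x0843).

```python
# Added example, not code from Mars Stealer or from 3xp0rt's analysis: a language gate
# of the kind the article describes, written so the decision logic runs on any OS.
# ASSUMPTION: the live value comes from kernel32!GetUserDefaultLangID on Windows.
import ctypes
from typing import Optional

PRIMARY_LANG_MASK = 0x3FF  # low 10 bits of a LANGID hold the primary language

# Primary language IDs (the LANG_* constants from winnt.h) for the languages listed
# in the article. Matching on the primary language means az-Latn/az-Cyrl and
# uz-Latn/uz-Cyrl are all caught by a single entry each.
EXCLUDED_PRIMARY_LANGS = {
    0x19: "Russian",
    0x23: "Belarusian",
    0x2C: "Azerbaijani",
    0x3F: "Kazakh",
    0x43: "Uzbek",
}


def primary_lang(langid: int) -> int:
    """Strip the sub-language (script/region) bits from a 16-bit LANGID."""
    return langid & PRIMARY_LANG_MASK


def excluded_language(langid: int) -> Optional[str]:
    """Name of the excluded language for this LANGID, or None if it is not excluded."""
    return EXCLUDED_PRIMARY_LANGS.get(primary_lang(langid))


def payload_would_run(langid: int) -> bool:
    """True when a sample with this gate would proceed on a system using `langid`."""
    return excluded_language(langid) is None


def current_user_langid() -> Optional[int]:
    """Live LANGID via GetUserDefaultLangID on Windows; None on other platforms."""
    windll = getattr(ctypes, "windll", None)  # only present on Windows
    if windll is None:
        return None
    return windll.kernel32.GetUserDefaultLangID() & 0xFFFF


if __name__ == "__main__":
    # Constructed inputs: en-US, ru-RU, az-Cyrl-AZ, uz-Latn-UZ
    for lid in (0x0409, 0x0419, 0x082C, 0x0443):
        verdict = "would run" if payload_would_run(lid) else f"exits ({excluded_language(lid)})"
        print(f"LANGID 0x{lid:04X}: {verdict}")
    live = current_user_langid()
    if live is not None:
        print(f"This machine: 0x{live:04X} -> "
              + ("would run" if payload_would_run(live) else "would exit"))
```

For sandbox operators the consequence is direct: detonation VMs should use a language outside this list (for example en-US, 0x0409), or the sample will exit cleanly and produce no behaviour to observe.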

With certain regional and language settings, the malware simply stands down.

So far no statistics on the number of victims are available. However, the browsers and wallets this malware targets have tens of millions of users, which is what makes it such a serious security concern.
