Web3 malware: Mars Stealer
What is Mars Stealer?
Mars Stealer is a malicious program that targets the victim’s sensitive personal data: once installed, it steals data from popular web browser applications, two-factor authentication plugins, and a large variety of cryptocurrency extensions and wallets.
Mars Stealer was first discovered in June 2021. It is based on the older Oski Stealer (support of which ended in July 2020).
The most popular method for spreading Mars Stealer is email spam campaigns. The infostealer is usually attached to the spam email in the form of a compressed exe file, a download link, or a doc payload. Other commonly used methods to spread Mars are fraudulent pirated-software websites and malicious or infected software cracks and keygens.
Mars Stealer OpenOffice campaign
At the end of March 2022, Morphisec described a Mars Stealer distribution campaign that used cloned malicious OpenOffice sites and Google Ads.
(Image: Morphisec)
According to the Morphisec research, Mars' targeted data included, for example:
- browser autofill data
- credit card information
- browser extension data: Metamask, Coinbase wallet, Binance, etc.
- system information such as IP, country code, timezone, etc.
Atomic Wallet Campaign
In early August 2022, Mars Stealer was back in the news. It became known that some attackers were using a fake copy of the Atomic Wallet site to spread the Mars Stealer malware. The fake site offered three options to download the crypto wallet. One of them, a download link for Windows, was malicious and led to a ZIP archive called “Atomic Wallet.zip”, which contained a malicious file that infected the victim’s device with Mars Stealer.
Mars Stealer description
The list of crypto extensions, wallets and 2FA plugins targeted by Mars Stealer is frighteningly wide: it contains more than 30 items (source):
- MetaMask
- Binance Chain Wallet
- Coinbase Wallet
- Nifty Wallet
- Math Wallet
- Yoroi
- TronLink
- Guarda
- EQUAL Wallet
- Jaxx Liberty
and many more.
Mohamed Ashraf, a malware analyst, reverse engineer and cryptographer, conducted in-depth research on Mars Stealer in May 2022.
(Image: Mars Stealer workflow overview, from Mohamed Ashraf's research)
According to that research, Mars Stealer has several features:
- Anti-analysis: Mars uses opaque predicates for obfuscation, which add complexity to the control flow.
- String decryption: some of the strings used for its checks are stored encrypted and are decrypted at runtime with an XOR function.
- Dynamic linking: the required API addresses are resolved at runtime by a dedicated routine that walks the exported functions of kernel32.dll; the needed module is then loaded into the address space, and finally the target function's address is looked up in that dynamic link library.
- Default language check: the malware does not infect users in several countries (Kazakhstan, Uzbekistan, Azerbaijan, Russia, Belarus). If the default language ID matches one of these countries, Mars simply exits.
- Anti-emulation: Mars exits if it is executed under the computer name and username used by the Windows Defender emulator.
- Anti-debug: the malware creates a thread that checks the BeingDebugged flag. If Mars is being debugged, it exits.
- Expiration check: if the current time is past the expiration time (stored in a dedicated variable), Mars Stealer exits immediately.
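As an added example (not code from the original post or from Mohamed Ashraf's research), here is a small analyst-side helper for recovering XOR-obfuscated strings of the kind described above. It assumes a short repeating key and ASCII plaintext; the blob, key and crib are constructed for the demo, not taken from a real sample.

```python
# Analyst helper for XOR-obfuscated strings (added example, constructed data).
# Assumption: a short repeating XOR key and printable-ASCII plaintext. The real
# sample's key length and derivation are not stated on the page.
from itertools import cycle
from typing import Optional


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key; the same call encrypts and decrypts."""
    if not key:
        raise ValueError("key must be non-empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def looks_like_text(buf: bytes) -> bool:
    """True when every byte is printable ASCII (tab/newline/CR allowed)."""
    return all(32 <= b < 127 or b in (9, 10, 13) for b in buf)


def brute_force_single_byte(blob: bytes) -> list[tuple[int, str]]:
    """Try all 256 single-byte keys; keep the ones that yield printable text.
    Short blobs produce several false positives, so a crib is preferred."""
    hits = []
    for k in range(256):
        out = xor_bytes(blob, bytes([k]))
        if looks_like_text(out):
            hits.append((k, out.decode("ascii")))
    return hits


def recover_key_with_crib(blob: bytes, crib: bytes, key_len: int) -> Optional[bytes]:
    """Known-plaintext recovery: if the string is known to start with `crib`
    (e.g. a DLL name) and the key repeats every key_len bytes, then
    blob[:key_len] XOR crib[:key_len] is the key. Returns None when that key
    does not decrypt the whole blob to text starting with the crib (wrong
    key_len or wrong crib)."""
    if len(crib) < key_len:
        return None
    key = xor_bytes(blob[:key_len], crib[:key_len])
    plain = xor_bytes(blob, key)
    return key if plain.startswith(crib) and looks_like_text(plain) else None


# Constructed demo data (not from a sample): a 4-byte repeating key and a
# single-byte key applied to two plaintext strings.
DEMO_KEY = b"\x5a\x13\xc7\x2e"
DEMO_BLOB = xor_bytes(b"kernel32.dll", DEMO_KEY)
DEMO_SINGLE = xor_bytes(b"autofill", b"\x41")

if __name__ == "__main__":
    print(brute_force_single_byte(DEMO_SINGLE))
    key = recover_key_with_crib(DEMO_BLOB, b"kernel32", 4)
    print(key, xor_bytes(DEMO_BLOB, key) if key else None)
```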
How to stay protected?
Like any other malware, Mars Stealer must first be downloaded onto the victim's machine to become dangerous.
Mars Stealer has been detected by many antivirus programs to date, so be sure to use good antivirus software. Still, since Mars Stealer seems to be under ongoing development and it is not the only malware in the crypto world, the second tip is to stay alert: always check that links are valid and download software from official sources only.