New dangerous malware targets browser-based cryptocurrency wallets. The malicious software called Mars Stealer is capable of stealing private keys and logins to 2-Factor Authenticator (2FAs) plugins.
Its targets include widely used browser-based cryptocurrency wallets like MetaMask, Coinbase Wallet, Nifty Wallet, Ronin Wallet, MEW CX, Binance Chain Wallet, TronLink and around 40 other cryptocurrency wallets.
Credential-stealing malware
Mars Stealer is the newer version of Oski Stealer, the malware that first appeared back in 2019 and was used to steal personal and sensitive information that was later offered for sale on Russian underground hacking forums, reported the programmer and malware analyst 3xp0rt.
The malicious software operates by extracting content and information from infected devices. It uses special techniques to collect information from the memory of browser extensions, cryptocurrency wallets, and 2FAs.
Being a lightweight malware of only 95kb weight, Mars Stealer does not strain the infected operating system and thus does not emit any obvious signs of it being compromised. Apart from that, it has the ability to remove itself after the data has been stolen.
Targets multiple browsers
The new malware targets the most popular web browsers, including Chrome (V80), Microsoft Edge (Chromium Version), Internet Explorer, Opera (Stable, GX, Neon), Firefox, Brave, Thunderbird, TorBro Browser, SputnikBrowser, and many more. Only the Apple-developed Safari OS has not been mentioned on the target list.
According to the expert, dozens of crypto extensions and wallets like Bitcoin Core, Atomic, Binance, Coinomi, Ethereum, Electrum, Electron Cash, Exodus, JAXX, MultiDoge are also vulnerable to the attacks of Mars Stealer.
Furthermore, the malware targets 2FA plugins. The expert named Authenticator, Authy, EOS Authenticator, GAuth Authenticator, Trezor Password Manager as the main targets.
Mars Stealer also threatens to capture additional information like IP address, country, time zone, keyboard layout, software installed, user names and more.
Hints lead to Russia
Although there is no direct proof that Mars Stealer is some kind of a “Russian export”, several facts hint that it might be originating from there.
The malware is an updated version of Oski Stealer, which appeared to be of Russian origin and sold over the Russian-speaking hacker forums.
Promotion of Mars Stealer has also started on the Russian forums last year. Currently, the private key stealing malware is being sold for around $140 on the hacker forums.
Users have to stay cautious
It depends on hackers’ imagination on how they start to distribute malware. However, the common ways include spreading it via shady download channels, unofficial file-hosting and P2P sharing websites.
The fraudsters may also involve spam campaigns, spreading hundreds of thousands of emails with the infected links or files attached.
To minimize the risk of malware infection, cybersecurity experts advise regularly updating apps and software. It is also important not to use unofficial or unverified web sources and not to open suspicious emails, links, or attachments.
Other than that, cryptocurrency users should never share their private key data with anyone and be especially wary of any pop-ups asking to provide such info. To maximize the secure storage of digital assets, experts advise considering the usage of cold-storage cryptocurrency wallets.