New dangerous malware is targeting browser-based cryptocurrency wallets. The malicious software, called Mars Stealer, is capable of stealing private keys and logins from two-factor authentication (2FA) plugins.
Its targets include widely used browser-based cryptocurrency wallets like MetaMask, Coinbase Wallet, Nifty Wallet, Ronin Wallet, MEW CX, Binance Chain Wallet, TronLink and approximately 40 others.
Credential Stealing Malware
Mars Stealer is an updated version of Oski Stealer, the malware that first appeared back in 2019 and was used to steal personal and sensitive information later offered for sale on Russian underground hacking forums, as reported by programmer and malware analyst 3xp0rt.
The malicious software operates by extracting content and information from infected devices. It uses dedicated techniques to collect data from the memory of browser extensions, cryptocurrency wallets, and 2FA plugins.
Being a lightweight malware at only 95kb in size, Mars Stealer does not strain the infected operating system, and thus does not emit any of the typical signs of compromise. Additionally, the malware has the ability to remove itself once it has extracted the necessary data.
Multiple Browsers Targeted
The new malware targets most popular web browsers, including Chrome (V80), Microsoft Edge (Chromium version), Internet Explorer, Opera (Stable, GX, Neon), Firefox, Brave, Thunderbird, TorBro Browser, SputnikBrowser, and many more. Only the Apple-developed Safari browser has evaded being on the target list, at least so far.
According to the expert, dozens of crypto extensions and wallets, such as Bitcoin Core, Atomic, Binance, Coinomi, Ethereum, Electrum, Electron Cash, Exodus, JAXX, and MultiDoge, are also vulnerable to attacks by the Mars Stealer.
Furthermore, the malware also targets 2FA plugins. The expert named Authenticator, Authy, EOS Authenticator, GAuth Authenticator, and Trezor Password Manager as the main targets.
Mars Stealer can also collect additional information such as a user’s IP address, country, time zone, keyboard layout, installed software, usernames, and more.
Hints Lead to Russia
Although there is no direct proof that Mars Stealer is some kind of a “Russian export,” there are several factors that hint that the malware might have originated there.
The malware is an updated version of Oski Stealer, which appeared to be of Russian origin and was sold over Russian-speaking hacker forums.
The promotion of Mars Stealer seemingly also started on such Russian forums last year. Currently, the private key stealing malware is being sold for around $140 on hacker forums.
Users Must Stay Cautious
How the malware ends up being distributed depends on hackers’ imagination. However, common methods include spreading it via shady download channels, unofficial file-hosting, and P2P sharing websites.
The fraudsters may also use spam campaigns, sending hundreds of thousands of emails with infected links or attached files.
To minimize the risk of malware infection, cybersecurity experts advise regularly updating apps and software. It is also important not to use unofficial or unverified web sources, and not to open suspicious emails, links, or attachments.
It should go without saying that cryptocurrency users should never share their private key data with anyone, and should be especially wary of any pop-ups asking for such information. To maximize the security of stored digital assets, experts advise considering the use of cold-storage cryptocurrency wallets.