Executive Summary
A malware researcher on Twitter, @ViriBack, recently discovered a fake Atomic Wallet site distributing Mars Stealer.
Key Takeaways
- Mars Stealer is a stealer malware based on Oski Stealer and has been active in the wild since at least June 2021.
- Mars Stealer disguises itself as another application or plugin.
- Mars Stealer steals information from many popular browsers, browser extensions, crypto wallets and extensions, and authenticator apps.
Mars Stealer, reported earlier this year by Morphisec and Kaspersky, is a stealer malware. Earlier this month, @ViriBack, a malware researcher on Twitter, discovered a fake Atomic Wallet site at atomic-wallet[.]net distributing Mars Stealer.
According to Morphisec, Mars Stealer is based on Oski Stealer and was discovered in June 2021. They noted Mars Stealer is available for sale on several underground forums and continues to be under development. A lifetime subscription to Mars Stealer was available for under $200 USD. Mars Stealer steals user credentials stored in internet browsers and crypto wallets. At the time, Mars Stealer was being distributed via social engineering, malspam, and tainted software cracks and keygens.
Mars Stealer disguises itself as another application or plugin. It checks the victim machine’s language settings and uninstalls itself if the language is set to Uzbekistan, Russia, Azerbaijan, Belarus, or Kazakhstan. It searches the victim machine for various types of information and uninstalls itself after stealing the desired information. Information stolen by Mars Stealer includes browser autofill data, credit card information, plugins, and information identifying victim machines. In the sample Morphisec analyzed, the threat actor compromised their own computer with Mars Stealer while debugging.
Browsers and extensions targeted by Mars Stealer include Chrome, Edge, Internet Explorer, Brave, Kometa, Amigo, Torch, Orbitium, Comodo Dragon, Nichrome, Maxxthon5, Maxxthon6, Sputnik Browser, Epic Privacy Browser, Vivaldi, CocCoc, Uran Browser, QIP Surf, Cent Browser, Elements Browser, TorBro Browser, CryptoTab Browser, Opera Stable, Opera GX, Opera Neon, Firefox, SlimBrowser, PaleMoon, Waterfox, Cyberfox, BlackHawk, K-Meleon, and Thunderbird.
Previously, MetaMask crypto wallet was the most stolen plugin targeted by Mars Stealer. Other crypto wallets and plugins targeted include Coinbase Wallet, Binance Wallet, Math Wallet, TronLink, Yoroi, Nifty Wallet, Guarda, EQUAL Wallet, Jaox Liberty, BitAppWallet, iWallet, Wombat, MEW CX, Guild Wallet, Saturn Wallet, Ronin Wallet, Neoline, Clover Wallet, Liquality Wallet, Terra Station, Kepler, Sollet, Auro Wallet, Polymesh Wallet, ICONex, Nabox Wallet, KHC, Temple, TezBox, Cyano Wallet, Byone, OneKey, Leaf Wallet, DAppPlay, BitClip, Steem Keychain, Nash Extension, Hycon Lite Client, ZilPay, Coin98 Wallet, Bitcoin Core, Ethereum, Electrum, Electrum LTC, Exodus, Electron Cash, MultiDoge, JAXX, Atomic, and Coinomi.
Two-factor authentication plugins targeted by Mars Stealer include Authenticator, Authy, EOS Authenticator, GAuth Authenticator, and Trezor Password Manager.
IOCs
PolySwarm has multiple samples of Mars Stealer, including the sample reported by @ViriBack.
Mars Stealer Sample Reported By @ViriBack
33d0d9fe89f0dba2b89347a0e2e6deb22542476d98676187f8c1eb529cb3997f
Other Mars Stealer Samples
c48e5a61fd89ac5e950a37e1d81d2f733c16983d369dbedbb3a0c3e8c97f7b14
38807bc99d0f9a78480d3b12cfc96cdbfdb83bc277758595e77808b9b22ac087
bb48381955c8676b866760129db84ffce2e0b9c1fdd6a0179ab022dbf6fea708
10731eea825c6bbcd5c543b2c98f4de384b36279cabba22fa247cda865c59093
af023cd8d2dcbeccfaf197094721768593154fc35019534a399563b011862a91
c26e405d1f07a9090e83454a7a978d5a89ef4764b00e7b354e6b2bb653e49378
9ed18a0b5e15bd4ecb73c5428e208b5d1b162274cfb0d6c62f7b5c3a04ec4d56
ab7e7d8594befb5a7137ec323db87a4aacfa64260327d61eee30626a760c3d5b
d5ee3a86821e452c33f178dc080aff7ca5054518a719ef74320909cbb55bb6c5
36613d674b4737da2b2986d9a49b48d06f1233cc7ea6aa7386bdb6d4bec90301
b15cb7537c9da026144ce35c70b21f72f81c8855b537c6ae987e785447e90f42
c3c1549bdd5613e9dbc3f09963cd1bd0f303b6f33bb4df62d9260590869cadec
8f925aa659cdab2466d2860dfc06d14d1c384c7a449683813db8d9219ed333c9
6929dae4d2bf6d2086bca0389e967f2c43bfb940da09b175b39df5fa1684a027
3de1fb0d1108907fd61d6d6b9a4c6b856af509e0af35578f158cfce5d634fe07
f5e8c363f36cd7bd8463f6252e5b4f425497bc52791d08135c17b50d5af74e3b
6127c3a8a3beddebfc95763297a9d82f62a5f4876fda72572fc1726175ca661e
74bfe5ca2057b8ddfe60cbf17a402f268b73a4a13e45692aa4c9a8e59d7fd975
2d299fcdf7562306634b74f187b445ad17ca07495d2a36ffca86c7425a7982db
589d96d711610e017ec4d9141e3fccceaa31f1b061c3a21edfe88a1f16d257f4
5d0bbe43bd6c4e62659bef070a8cdbacb4b53575de4e2e59dc085d02833e2819
27afc8d7727c80c934d73e4aa021ab138b99149023dbc1625c8d4ba867981652
c44d11be09790eecbbcddb8aef7e800708b71ab7ba443cb2beb0d164bfbeaf0b
7022a16d455a3ad78d0bbeeb2793cb35e48822c3a0a8d9eaa326ffc91dd9e625
ed427feb185f07a51de0194f1165ebaeb002f2b8c9b08d974219be5c6075c6fb
7da3029263bfbb0699119a715ce22a3941cf8100428fd43c9e1e46bf436ca687
You can use the following CLI command to search for all Mars Stealer samples in our portal:
$ polyswarm link list -f MarsStealer
Don’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.
Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports
