A malware researcher on Twitter, @ViriBack, recently discovered a fake Atomic Wallet site distributing Mars Stealer.
- Mars Stealer is an information-stealing malware based on Oski Stealer and has been active in the wild since at least June 2021.
- Mars Stealer disguises itself as another application or plugin.
- Mars Stealer steals information from many popular browsers, browser extensions, crypto wallets and extensions, and authenticator apps.
Mars Stealer, reported earlier this year by Morphisec and Kaspersky, is an information stealer. Earlier this month, @ViriBack, a malware researcher on Twitter, discovered a fake Atomic Wallet site at atomic-wallet[.]net distributing Mars Stealer.
According to Morphisec, Mars Stealer is based on Oski Stealer and was first observed in June 2021. They noted that Mars Stealer is sold on several underground forums and remains under active development; at the time, a lifetime subscription cost under $200 USD. Mars Stealer steals user credentials stored in web browsers and crypto wallets. It was then being distributed via social engineering, malspam, and trojanized software cracks and keygens.
Mars Stealer disguises itself as another application or plugin. It checks the victim machine’s language settings and uninstalls itself if the system language is that of Uzbekistan, Russia, Azerbaijan, Belarus, or Kazakhstan, a kill switch that avoids infecting machines in those countries. It collects the targeted data from the victim machine and removes itself once the theft is complete. Information stolen by Mars Stealer includes browser autofill data, credit card data, browser plugin data, and machine-identifying information used to fingerprint the victim. In the sample Morphisec analyzed, the threat actor had infected their own computer with Mars Stealer while debugging it.
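The locale kill switch described above, modeled as an added example (this is illustrative code written for this post, not Mars Stealer's own code). On Windows a locale is a 16-bit LANGID whose low 10 bits are the primary language, so the check reduces to masking the LANGID and comparing the result against the primary language IDs for Russian, Belarusian, Azerbaijani, Kazakh and Uzbek. The LANGID constants are the documented Windows values; the function names, the constructed sample LANGIDs and the way the decision is returned are this example's own assumptions. One practical consequence it demonstrates: an analyst who wants a sample to bail out early can present a LANGID such as 0x0419 (ru-RU), and every sublanguage variant (for example Latin- and Cyrillic-script Uzbek) trips the check because only the primary language bits matter.

```python
"""Illustration of a CIS-locale kill switch (added example, not Mars Stealer's code)."""
from __future__ import annotations

# Documented Windows primary language identifiers (the low 10 bits of a LANGID)
# for the languages of the countries the post lists.
CIS_PRIMARY_LANGS: dict[int, str] = {
    0x19: "Russian",      # LANG_RUSSIAN
    0x23: "Belarusian",   # LANG_BELARUSIAN
    0x2C: "Azerbaijani",  # LANG_AZERI
    0x3F: "Kazakh",       # LANG_KAZAK
    0x43: "Uzbek",        # LANG_UZBEK
}

# Sublanguage identifier occupying the high 6 bits of a LANGID.
SUBLANG_DEFAULT = 0x01


def primary_lang(langid: int) -> int:
    """PRIMARYLANGID(): mask a 16-bit Windows LANGID down to its primary language."""
    return langid & 0x3FF


def make_langid(primary: int, sublang: int = SUBLANG_DEFAULT) -> int:
    """MAKELANGID(): combine a primary language and a sublanguage into a LANGID."""
    return ((sublang & 0x3F) << 10) | (primary & 0x3FF)


def abort_on_locale(langid: int) -> str | None:
    """Return the matched language name if the stealer would uninstall itself,
    or None if it would continue running on this locale."""
    return CIS_PRIMARY_LANGS.get(primary_lang(langid))


def triage(langids: list[int]) -> dict[int, str]:
    """Map each LANGID to 'aborts (<language>)' or 'runs', the way an analyst
    would tabulate which sandbox locales neutralise the sample."""
    result: dict[int, str] = {}
    for lid in langids:
        hit = abort_on_locale(lid)
        result[lid] = f"aborts ({hit})" if hit else "runs"
    return result


if __name__ == "__main__":
    # Constructed sample LANGIDs: en-US, ru-RU, uz-Latn-UZ, uz-Cyrl-UZ, az-Cyrl-AZ.
    samples = [0x0409, 0x0419, 0x0443, 0x0843, 0x082C]
    for lid, verdict in triage(samples).items():
        print(f"LANGID 0x{lid:04X}: {verdict}")
```

Because the comparison uses only the primary language bits, changing the Windows display language alone to one of these languages is enough to trigger the check in this model; a sample that instead compares full locale names or keyboard layouts would need a different emulation.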
Browsers and mail clients targeted by Mars Stealer include Chrome, Edge, Internet Explorer, Brave, Kometa, Amigo, Torch, Orbitium, Comodo Dragon, Nichrome, Maxxthon5, Maxxthon6, Sputnik Browser, Epic Privacy Browser, Vivaldi, CocCoc, Uran Browser, QIP Surf, Cent Browser, Elements Browser, TorBro Browser, CryptoTab Browser, Opera Stable, Opera GX, Opera Neon, Firefox, SlimBrowser, PaleMoon, Waterfox, Cyberfox, BlackHawk, K-Meleon, and Thunderbird.
Previously, the MetaMask browser extension was the plugin most frequently stolen from by Mars Stealer. Other crypto wallets targeted, both browser extensions and desktop wallet applications, include Coinbase Wallet, Binance Wallet, Math Wallet, TronLink, Yoroi, Nifty Wallet, Guarda, EQUAL Wallet, Jaxx Liberty, BitAppWallet, iWallet, Wombat, MEW CX, Guild Wallet, Saturn Wallet, Ronin Wallet, Neoline, Clover Wallet, Liquality Wallet, Terra Station, Kepler, Sollet, Auro Wallet, Polymesh Wallet, ICONex, Nabox Wallet, KHC, Temple, TezBox, Cyano Wallet, Byone, OneKey, Leaf Wallet, DAppPlay, BitClip, Steem Keychain, Nash Extension, Hycon Lite Client, ZilPay, Coin98 Wallet, Bitcoin Core, Ethereum, Electrum, Electrum LTC, Exodus, Electron Cash, MultiDoge, JAXX, Atomic, and Coinomi.
Two-factor authentication browser extensions targeted by Mars Stealer include Authenticator, Authy, EOS Authenticator, GAuth Authenticator, and Trezor Password Manager.
PolySwarm has multiple samples of Mars Stealer, including the sample reported by @ViriBack.
Mars Stealer Sample Reported By @ViriBack
Other Mars Stealer Samples
You can use the following CLI command to search for all Mars Stealer samples in our portal:
$ polyswarm link list -f MarsStealer
Don’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.
Contact us at email@example.com | Check out our blog | Subscribe to our reports