New malware targeting crypto wallets with a grabber function that steals user private keys is attacking over 40 crypto wallets and popular two-factor authentication (2FA) extensions. According to a report from CoinTelegraph, the new cryptocurrency malware targets cryptocurrency wallets that run as browser extensions.
According to security researcher 3xp0rt, the new malware is dubbed Mars Stealer by its developers and is an upgrade from the info-stealing Oski trojan of 2019.
Mars Stealer is written in ASM/C using WinApi; its weight is 95 kb. It uses special techniques to hide WinApi calls, encrypts strings, collects information in memory, supports a secured SSL connection with the C&C, and doesn't use CRT or STD.
3xp0rt, via his official blog post
MetaMask, Nifty Wallet, Coinbase Wallet, MEW CX, Ronin Wallet, Binance Chain Wallet and TronLink are just a few of the wallets that have been targeted. The security researcher notes that the malware can attack extensions installed on any Chromium-based browser except Opera, which puts some of the most popular browsers on the list, including Google Chrome, Microsoft Edge and Brave. Firefox and Opera are spared the extension-specific attacks but remain vulnerable to credential-hijacking attacks.
Mars Stealer can be spread through various means, such as file-hosting websites, torrent clients, or other shady download sources. Once the malware infects a system, the first thing it does is check the device's language. If the language ID matches that of Kazakhstan, Uzbekistan, Azerbaijan, Belarus or Russia, the software leaves the system without causing any harm.
For the rest of the world, the malware targets a file that holds sensitive information such as the address of a crypto wallet and its private keys. Once the theft is complete, the malware removes itself from the system, deleting any trace it has left behind.
At the time of writing, hackers are selling Mars Stealer for $140 on dark web forums, which makes the trojan relatively easy for malicious actors to obtain. Users who hold their crypto assets in browser-based wallets, or who manage their 2FA with browser extensions such as Authy, are advised to exercise caution when clicking dubious links or downloading files.
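A defender-side way to act on the wallet and 2FA list above is to inventory which machines actually have those extensions installed. The Python script below is an added example, not code from the article or from 3xp0rt: it walks a Chromium profile's Extensions directory (the `Extensions/<id>/<version>/manifest.json` layout), resolves Chromium's localised `__MSG_key__` extension names, and reports matches against a watch list built from the extensions named in the report; the extension ids, versions and directory tree it builds for the demo are constructed placeholders.

```python
import json
import tempfile
from pathlib import Path

WATCHED_EXTENSIONS = {  # names taken from the report, lower-cased for matching
    "metamask", "nifty wallet", "coinbase wallet", "mew cx",
    "ronin wallet", "binance chain wallet", "tronlink", "authy",
}

def resolve_name(ext_dir: Path, manifest: dict) -> str:
    """Return the display name, resolving Chromium's __MSG_key__ localisation placeholder."""
    name = str(manifest.get("name", ""))
    if name.startswith("__MSG_") and name.endswith("__"):
        messages = ext_dir / "_locales" / str(manifest.get("default_locale", "en")) / "messages.json"
        try:
            name = json.loads(messages.read_text(encoding="utf-8"))[name[6:-2]]["message"]
        except (OSError, KeyError, TypeError, json.JSONDecodeError):
            pass  # unresolvable placeholder: keep it as-is so it simply fails to match
    return name.strip()

def find_watched_extensions(extensions_root: Path) -> list:
    """Walk <root>/<ext_id>/<version>/manifest.json and list installed watch-list extensions."""
    hits = []
    for manifest_path in sorted(extensions_root.glob("*/*/manifest.json")):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, json.JSONDecodeError):
            continue  # unreadable or malformed manifest: skip it rather than abort the scan
        name = resolve_name(manifest_path.parent, manifest)
        if name.lower() in WATCHED_EXTENSIONS:
            hits.append({"id": manifest_path.parents[1].name,
                         "version": manifest_path.parent.name, "name": name})
    return hits

def build_sample_tree(root: Path) -> None:
    """Construct a fake Extensions tree (fake ids and versions): one localised wallet, one 2FA app."""
    wallet = root / "aaaa0000fakeid" / "10.0.0_0"
    (wallet / "_locales" / "en").mkdir(parents=True)
    (wallet / "manifest.json").write_text(json.dumps({"name": "__MSG_appName__", "default_locale": "en"}))
    (wallet / "_locales" / "en" / "messages.json").write_text(json.dumps({"appName": {"message": "MetaMask"}}))
    twofa = root / "bbbb0000fakeid" / "2.1.0_0"
    twofa.mkdir(parents=True)
    (twofa / "manifest.json").write_text(json.dumps({"name": "Authy"}))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(Path(tmp))
        for hit in find_watched_extensions(Path(tmp)):
            print(f"{hit['id']} {hit['version']} {hit['name']}")
```

Against a real profile, point `find_watched_extensions` at the browser's own Extensions directory; a hit only says the extension is present, which is the exposure you then pair with the download-hygiene advice above.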