The Mars Stealer malware is only 95 KB in size, but it is alarmingly dangerous: it can attack a variety of targets such as popular browsers, cryptocurrency wallets, and two-factor authentication apps.
In early February, security researcher 3xp0rt published a detailed analysis of this malicious code. Accordingly, Mars Stealer is an upgrade of the Oski (2019) trojan and can rob the cryptocurrency stored in the user’s wallet by attacking the wallet’s browser extensions.
“Mars Stealer is written in ASM/C using WinApi, about 95kb in size. Uses special techniques to hide WinApi calls, encrypts strings, collects information in memory, supports secure SSL connections with C&C, doesn’t use CRT, STD”, 3xp0rt writes.
3xp0rt notes that Mars Stealer can easily penetrate crypto-related extensions, including popular wallets like MetaMask, Nifty Wallet, Coinbase Wallet, Binance Chain Wallet, and TronLink. The malicious code targets extensions for Chromium-based browsers, so Google Chrome, Coc Coc, and Microsoft Edge (Chromium version) are affected.
In addition, Mars Stealer can extract valuable information about the computer, such as the processor, computer name, machine ID, GUID, installed software and its versions, username, and the computer’s domain name.
As for how it works, the malware spreads through various sources, including file-hosting sites, torrent clients, and untrusted sites, and then goes after the wallet extensions. After breaking into the crypto wallet extension, the malicious code steals the private key as well as the two-factor authentication data (Google Authenticator, Authy, GAuth Authenticator, or Trezor Password Manager), and then deletes all traces of the theft.
In addition, Mars Stealer can evade security software by hiding its API calls and encrypting its strings, while the collected information is kept in memory and exfiltrated over SSL. Detecting, preventing, and tracing it is therefore extremely difficult.
An unusual point about Mars Stealer, however, is that it first checks the user’s country of origin. If the user’s language is Russian, Kazakh, Belarusian, Azerbaijani, or Uzbek, the program performs no malicious action and simply exits quietly.
To date, there are still no statistics on the number of victims of this malicious code. However, the targets of this malware have tens of millions of users, raising huge security concerns.