Notebookcheck Logo

New Mars Stealer malware targets Chrome-based browser crypto wallets

Scams and crypto-malware are more rampant than ever. (Image Source: Comodo cWatch)
Scams and crypto-malware are more rampant than ever. (Image Source: Comodo cWatch)
Security researcher warns that the Mars Stealer malware is now affecting Chrome-based browser crypto wallet extensions like MetaMask, Coinbase wallet and Binance chain wallet, plus it also compromises 2FA authenticators like Microsoft's Authenticator and Authy. Extensions for Firefox and Opera are not affected, but Mars Stealer may still hijack site credentials on these two browsers.

As cryptocurrencies are making their final push for mainstream adoption, more and more malicious third parties are jumping in to profit from users with very little experience in the ever-shifting crypto world. Scams are rampant and many crypto-exploiting malware programs like the new Mars Stealer are spreading very fast. According to a report from security researcher 3xp0rt, Mars Stealer is based on a 2020 Oski shell and is extremely lightweight at 95 kb. It is written in ASM/C using WinAPI and does a great job at hiding its actions, to the point where it deletes itself after stealing the password + seed phrase.

The Mars Stealer exploit can only identify crypto wallet credentials from Chrome-based browsers. Firefox and Opera appear to be safe from extension-specific attacks, but they remain vulnerable to site credential hijacking. Some of the more popular crypto wallet extensions affected by Mars Stealer include MetaMask, Binance Chain Wallet, Coinbase Wallet and Coin98 Wallet. It also affects 2FA authenticator extensions like Authenticator, Authy and Trezor Password Manager, plus specific coin wallets like Bitcoin Core, Ethereum, Exodus, Binance etc.

This malware is easily spread through file-hosting websites, torrents and cleverly camouflaged download links. It has a very peculiar method of operation as it first checks the OS language and if it identifies this being associated with Kazakhstan, Uzbekistan, Azerbaijan, Belarus or Russia, it deletes itself without causing any harm. Otherwise, it proceeds to attack the kernel32.dll file and then finds the default web browser app data folder with the user info.

CoinTelegraph informs that Mars Stealer is currently available for only $140 on the dark web forums. Users that are holding cryptocoins in browser-based wallets should be wary as far as downloads from dubious sites are concerned, and eventually migrate to a hardware wallet for added protection.


Buy the Ledger Nano X Crypto Hardware Wallet on Amazon

static version load dynamic
Loading Comments
Comment on this article
Please share our article, every link counts!
> Notebook / Laptop Reviews and News > News > News Archive > Newsarchive 2022 02 > New Mars Stealer malware targets Chrome-based browser crypto wallets
Bogdan Solca, 2022-02- 4 (Update: 2022-02- 4)