New Mars Stealer malware targets Chrome-based browser crypto wallets
As cryptocurrencies make their final push for mainstream adoption, more and more malicious third parties are jumping in to profit from users who have very little experience in the ever-shifting crypto world. Scams are rampant, and crypto-targeting malware programs like the new Mars Stealer are spreading very fast. According to a report from security researcher 3xp0rt, Mars Stealer is based on the 2020 Oski stealer and is extremely lightweight at 95 kb. It is written in ASM/C using WinAPI and does a great job of hiding its actions, to the point where it deletes itself after stealing the password and seed phrase.
Mars Stealer can only identify crypto wallet credentials from Chrome-based browsers. Firefox and Opera appear to be safe from the extension-specific attacks, but they remain vulnerable to site credential hijacking. Some of the more popular crypto wallet extensions affected by Mars Stealer include MetaMask, Binance Chain Wallet, Coinbase Wallet and Coin98 Wallet. It also targets 2FA authenticator extensions like Authenticator, Authy and Trezor Password Manager, plus desktop wallets for specific coins such as Bitcoin Core, Ethereum, Exodus, Binance etc.
This malware is easily spread through file-hosting websites, torrents and cleverly camouflaged download links. It has a peculiar method of operation: it first checks the OS language, and if it finds the language is one associated with Kazakhstan, Uzbekistan, Azerbaijan, Belarus or Russia, it deletes itself without causing any harm. Otherwise, it proceeds to attack the kernel32.dll file and then locates the default web browser's app data folder, where the user information is stored.
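Since the stealer's observable footprint is a non-browser process reading the Chromium profile folder (extension storage and saved-login databases), a defender can both inventory exposure and detect the access pattern. The script below is an added example written for this article, not code from 3xp0rt's report or from any product: it walks a Chromium `Extensions` folder (laid out as `<id>/<version>/manifest.json`) to list which of the wallet and 2FA extensions named above are installed, and it flags file-access events where a process outside a browser allowlist touches `Local Extension Settings` or `Login Data`. The extension IDs, process names and event records are constructed placeholders, and the browser allowlist is an assumption to adjust per environment.

```python
import json
import os
import tempfile

# Wallet / 2FA extensions named in the article as Mars Stealer targets.
AFFECTED_EXTENSIONS = (
    "MetaMask",
    "Binance Chain Wallet",
    "Coinbase Wallet",
    "Coin98 Wallet",
    "Authenticator",
    "Authy",
    "Trezor Password Manager",
)

# Processes that legitimately read Chromium extension storage.
# Assumption: adjust to the browsers actually deployed in your environment.
BROWSER_PROCESSES = {"chrome.exe", "msedge.exe", "brave.exe"}

# Chromium profile sub-paths holding extension state and saved credentials.
SENSITIVE_PATH_MARKERS = ("local extension settings", "login data", "web data")


def find_installed_wallet_extensions(extensions_dir):
    """Return {extension_id: name} for installed extensions whose manifest
    name matches one on the affected list.

    Caveat: many real manifests carry a localized placeholder such as
    "__MSG_appName__" that is resolved via _locales/; those are not matched.
    """
    hits = {}
    if not os.path.isdir(extensions_dir):
        return hits
    for ext_id in os.listdir(extensions_dir):
        ext_root = os.path.join(extensions_dir, ext_id)
        if not os.path.isdir(ext_root):
            continue
        for version in os.listdir(ext_root):
            manifest = os.path.join(ext_root, version, "manifest.json")
            if not os.path.isfile(manifest):
                continue
            try:
                with open(manifest, encoding="utf-8") as fh:
                    name = str(json.load(fh).get("name", ""))
            except (OSError, ValueError):
                continue
            if any(a.lower() in name.lower() for a in AFFECTED_EXTENSIONS):
                hits[ext_id] = name
    return hits


def flag_extension_storage_access(events):
    """Given file-access events (dicts with 'process' and 'path'), return
    those where a non-browser process read extension storage or a
    saved-credential database inside a Chromium profile."""
    flagged = []
    for ev in events:
        proc = ev.get("process", "").lower()
        path = ev.get("path", "").lower()
        if proc in BROWSER_PROCESSES:
            continue
        if any(marker in path for marker in SENSITIVE_PATH_MARKERS):
            flagged.append(ev)
    return flagged


def build_demo_extensions_dir(base):
    """Create a constructed Extensions tree with one affected and one
    unrelated extension. IDs are made-up placeholders, not real store IDs."""
    layout = {
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": "MetaMask",
        "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": "Some Ad Blocker",
    }
    ext_dir = os.path.join(base, "Extensions")
    for ext_id, name in layout.items():
        vdir = os.path.join(ext_dir, ext_id, "1.0.0_0")
        os.makedirs(vdir, exist_ok=True)
        with open(os.path.join(vdir, "manifest.json"), "w", encoding="utf-8") as fh:
            json.dump({"name": name, "manifest_version": 3, "version": "1.0.0"}, fh)
    return ext_dir


def demo_inventory():
    """Build the constructed Extensions tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        return find_installed_wallet_extensions(build_demo_extensions_dir(tmp))


# Constructed sample events in the shape a file-monitoring agent might emit.
PROFILE = r"C:\Users\u\AppData\Local\Google\Chrome\User Data\Default"
SAMPLE_EVENTS = [
    {"process": "chrome.exe",
     "path": PROFILE + r"\Local Extension Settings\aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\000003.log"},
    {"process": "setup_crack.exe",
     "path": PROFILE + r"\Local Extension Settings\aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\000003.log"},
    {"process": "setup_crack.exe", "path": PROFILE + r"\Login Data"},
    {"process": "notepad.exe", "path": r"C:\Users\u\Documents\notes.txt"},
]

if __name__ == "__main__":
    print("affected extensions installed:", demo_inventory())
    for ev in flag_extension_storage_access(SAMPLE_EVENTS):
        print("suspicious:", ev["process"], "->", ev["path"])
```

The access heuristic is deliberately broad: any non-browser process reading these paths is worth a look, because legitimate software rarely opens another application's extension storage, and a stealer that self-deletes afterwards leaves little else on disk to find.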
CoinTelegraph reports that Mars Stealer is currently available for only $140 on dark web forums. Users holding cryptocoins in browser-based wallets should be wary of downloads from dubious sites and should consider migrating to a hardware wallet for added protection.