Powerful new Oski variant ‘Mars Stealer’ grabbing 2FAs and crypto

LASER_oneXM

A new and powerful malware named ‘Mars Stealer’ has appeared in the wild, and appears to be a redesign of the Oski malware that shut down development abruptly in the summer of 2020.
Mars Stealer is an information-stealing malware that steals data from all popular web browsers, two-factor authentication plugins, and multiple cryptocurrency extensions and wallets.

Additionally, the malware can exfiltrate files from the infected system and relies on its own loader and wiper, which minimizes the infection footprint.

From Oski to Mars Stealer

In July 2020, the developers behind the Oski information-stealing trojan suddenly shut down their operation: they stopped responding to buyers and closed their Telegram channel.
Fast forward almost a year later, and a new information-stealing malware called 'Mars Stealer' began to be promoted on Russian-speaking hacking forums.
... ...
 

pablozi

Users are warned against a new malware designed to steal crypto from browser extension wallets like MetaMask and Coinbase Wallet.

Security was never the strong suit of browser-based crypto wallets for storing Bitcoin (BTC), Ether (ETH) and other cryptocurrencies. However, new malware makes the safety of online wallets even more complicated by directly targeting crypto wallets that work as browser extensions, such as MetaMask, Binance Chain Wallet or Coinbase Wallet.

Named Mars Stealer by its developers, the new malware is a powerful upgrade on the information-stealing Oski trojan of 2019, according to security researcher 3xp0rt. It targets more than 40 browser-based crypto wallets, along with popular two-factor authentication (2FA) extensions, with a grabber function that steals users’ private keys.

MetaMask, Nifty Wallet, Coinbase Wallet, MEW CX, Ronin Wallet, Binance Chain Wallet and TronLink are listed as the targeted wallets. The security expert notes that the malware can target extensions on Chromium-based browsers except Opera. Sadly, it means some of the most common browsers, like Google Chrome, Microsoft Edge and Brave, made it to the list. While Firefox and Opera are safe from the extension-specific attacks, they are also vulnerable to credential hijacking.
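A quick exposure check for the targeting described in the posts above, as an added example that is not code from either post, from the quoted articles, or from the malware's author: it walks the standard Chromium "User Data/<profile>/Extensions/<id>/<version>/manifest.json" layout used by Chrome, Edge and Brave and reports any installed extension whose manifest name matches the wallet names the second post lists. The Windows profile paths are the browsers' defaults and are assumptions you should adjust for other platforms; the extension IDs in the constructed sample tree (`aaaa`, `bbbb`, `cccc`) are placeholders, not real extension IDs. The localisation fallback matters in practice because many extensions publish `"name": "__MSG_appName__"` rather than a literal name.

```python
import json
import os
import tempfile
from pathlib import Path

# Wallet extension names taken from the post above. Extend the set with the
# 2FA extensions you care about; the post names the class but no specific product.
TARGETED_EXTENSION_NAMES = {
    "MetaMask", "Nifty Wallet", "Coinbase Wallet", "MEW CX",
    "Ronin Wallet", "Binance Chain Wallet", "TronLink",
}


def default_chromium_user_data_dirs():
    """Assumed default Windows 'User Data' locations for the Chromium browsers the post names."""
    local = Path(os.environ.get("LOCALAPPDATA", ""))
    return {
        "Google Chrome": local / "Google" / "Chrome" / "User Data",
        "Microsoft Edge": local / "Microsoft" / "Edge" / "User Data",
        "Brave": local / "BraveSoftware" / "Brave-Browser" / "User Data",
    }


def resolve_name(ext_dir: Path, manifest: dict) -> str:
    """Resolve a manifest 'name', following the __MSG_key__ indirection into _locales/<locale>/messages.json."""
    name = manifest.get("name", "")
    if name.startswith("__MSG_") and name.endswith("__"):
        key = name[len("__MSG_"):-2]
        locale = manifest.get("default_locale", "en")
        messages = ext_dir / "_locales" / locale / "messages.json"
        if messages.is_file():
            try:
                data = json.loads(messages.read_text(encoding="utf-8-sig"))
                name = data.get(key, {}).get("message", name)
            except (OSError, ValueError):
                pass  # unreadable locale file: keep the raw __MSG_ token so it still shows up in output
    return name


def find_targeted_extensions(user_data_dir: Path, watchlist=TARGETED_EXTENSION_NAMES):
    """Return one record per installed extension version whose resolved name is on the watchlist."""
    hits = []
    if not user_data_dir.is_dir():
        return hits
    for profile in user_data_dir.iterdir():          # Default, Profile 1, ...
        ext_root = profile / "Extensions"
        if not ext_root.is_dir():
            continue
        for ext_id in ext_root.iterdir():
            if not ext_id.is_dir():
                continue
            for version_dir in ext_id.iterdir():     # e.g. 10.8.1_0
                manifest_path = version_dir / "manifest.json"
                if not manifest_path.is_file():
                    continue
                try:
                    manifest = json.loads(manifest_path.read_text(encoding="utf-8-sig"))
                except (OSError, ValueError):
                    continue                         # partially removed or corrupt extension dir
                name = resolve_name(version_dir, manifest)
                if name in watchlist:
                    hits.append({"profile": profile.name, "extension_id": ext_id.name,
                                 "version": version_dir.name, "name": name})
    return hits


def build_constructed_sample(root: Path) -> None:
    """Write a constructed, fictitious profile tree (placeholder IDs, not real extensions) for an offline run."""
    def write_ext(ext_id, version, manifest, messages=None):
        d = root / "Default" / "Extensions" / ext_id / version
        d.mkdir(parents=True, exist_ok=True)
        (d / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
        if messages is not None:
            loc = d / "_locales" / "en"
            loc.mkdir(parents=True, exist_ok=True)
            (loc / "messages.json").write_text(json.dumps(messages), encoding="utf-8")

    write_ext("aaaa", "10.8.1_0", {"name": "MetaMask", "version": "10.8.1"})
    write_ext("bbbb", "2.0.0_0", {"name": "__MSG_appName__", "default_locale": "en"},
              {"appName": {"message": "Coinbase Wallet"}})   # localised name, must be resolved
    write_ext("cccc", "1.0.0_0", {"name": "Some Ad Blocker"})  # not on the watchlist


def demo():
    """Scan the constructed sample tree and return the matched names, sorted."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_constructed_sample(root)
        return sorted(h["name"] for h in find_targeted_extensions(root))


if __name__ == "__main__":
    print("constructed sample:", demo())
    for browser, path in default_chromium_user_data_dirs().items():
        for h in find_targeted_extensions(path):
            print(f"{browser}: profile={h['profile']} {h['name']} {h['version']} ({h['extension_id']})")
```

A match only tells you a machine holds a wallet the stealer is known to go after; treat it as a prioritisation signal for credential and seed-phrase rotation after a suspected infection, not as evidence of compromise.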