Join the hunt for $12,000,000+ in NEXO Tokens!

Learn More

"Mars Stealer" Malware Can Grab Your Crypto

Mars Stealer was created on top of the older, abandoned Oski Stealer codebase.

"Mars Stealer" Malware Can Grab Your Crypto
Shutterstock cover by Yuttanas

Key Takeaways

  • Mars Stealer is an improved copy of its predecessor, the Oski Stealer.
  • The malware uses special techniques to collect information from the memory of crypto browser extensions, wallets and 2FAs.
  • Credential theft malware continues to be one of the most prevalent types of malware used in cyberattacks.

Share this article

An improved copy of the Oski Stealer malware (first introduced in November 2019) known as “Mars Stealer” has appeared in the wild and is capable of stealing crypto from popular browser extensions.

A Lightweight, Malicious Program

Mars Stealer is a lightweight malicious program of just 95KB in size, but the security issue it represents is no small thing.

Mars Stealer uses a custom grabber to retrieve its configuration from the command and control infrastructure and then proceeds to target application data from popular web browsers, two-factor authentication plugins, and multiple cryptocurrency extensions and wallets. 

The Trojan malware began circulating on Russian-speaking hacking forums in the summer of 2021 and is able to infect systems through dubious download channels (e.g., unofficial and free file-hosting websites, peer-to-peer sharing networks such as torrent clients, and other third-party downloaders).

Amongst the most popular list of cryptocurrency browser plug-ins Mars Stealer is capable of exploiting are MetaMask, Binance Chain Wallet, Nifty Wallet, Coinbase Wallet and Guarda. It is also capable of exploiting Bitcoin Core, Electrum, Exodus, Atomic, Binance, Coinomi.

Two-factor authentication applications such as Authy and GAuth Authenticator, as well as web browsers such as Brave, Opera, and Firefox, are also susceptible to being targeted by the Mars Stealer.

One particularly interesting feature of this malicious software is that it checks if a user is based in a country that is historically part of the Commonwealth of Independent States. If the device’s language ID matches Russia, Belarus, Kazakhstan, Azerbaijan, Uzbekistan, and Kazakhstan, the program will exit without performing any malicious behavior.

In summary, this form of malware can cause multiple headaches to its victims, including system infections, privacy issues, financial losses, and identity theft. A detailed technical analysis of the malware can be read in this publication by researcher @3xp0rt.

Disclosure: At the time of writing, the author of this feature owned ETH and several other cryptocurrencies. 

Share this article