Mars Stealer, a newly released information-stealing malware, is gaining traction, and security researchers are now observing the first large-scale operations using it. It is a reworking of the Oski malware, which was discontinued in 2020, with sophisticated information-stealing capabilities that target a wide range of programs. Mars Stealer grew modestly until recently, when the unexpected shutdown of Raccoon Stealer pushed hackers to seek alternatives. It was promoted on hacking forums at the inexpensive price of $140 to $160.
Mars Stealer has been inundated with new users, and because the service works similarly to Raccoon, it is poised to become the launchpad for a slew of new campaigns. Morphisec threat researchers say they have seen many of these recent efforts, including one that uses a cracked version of the malware and distributes instructions on employing it. Morphisec discovered a new Mars Stealer campaign that uses Google Ads to promote cloned OpenOffice sites in Canadian search results. OpenOffice, a once-popular open-source office suite now owned by the Apache Foundation, has been superseded by LibreOffice, which began as a fork of OpenOffice in 2010. Even so, OpenOffice continues to receive a decent number of daily downloads from users looking for a free document and spreadsheet editor. It is possible that the threat actors did not clone the far more popular LibreOffice because doing so would result in a speedy takedown owing to widespread reports.
The fake site’s OpenOffice installer is a Mars Stealer executable packed with the Babadeda crypter or the AutoIt loader, infecting users without their knowledge. Because of a flaw in the cracked version’s configuration instructions, the operator left the victims’ ‘logs’ directory exposed, giving any visitor complete access to it. A log is a compressed file containing data stolen by the Trojan and transferred to the threat actors’ command-and-control servers.
In this campaign, Mars Stealer appears to have stolen browser auto-fill data, browser extension data, IP addresses, credit cards, country codes, and time zone data. The threat actor’s own sensitive information was also exposed, because the actor infected himself with a copy of Mars Stealer while debugging it. This oversight allowed researchers to link the attacks to a Russian speaker and to identify the threat actor’s GitLab accounts, the stolen credentials used to pay for the Google Ads, and more.
Mars Stealer is a growing threat, promoted on more than 47 darknet sites and hacker forums, in Telegram groups, and through “unofficial” distribution routes such as the cracked pack. According to Morphisec, the operators of these info-stealers are mainly focused on cryptocurrency assets. MetaMask, Binance Wallet, Coinbase Wallet, Math Wallet, and other “hot” wallets for managing cryptocurrency assets were the browser extensions most often stolen from in the investigated campaign.
Morphisec also discovered credentials belonging to a Canadian healthcare infrastructure provider and signs of compromise at other high-profile Canadian service businesses. To protect yourself from data thieves, make sure you only click through to legitimate sites rather than Google Ad results, and always scan downloaded executables with your antivirus software before running them. 3xp0rt’s analysis of the new Mars Stealer malware is recommended for readers interested in a technical dive into the new variant.