September 30, 2023

Mars Stealer, a sophisticated information-stealing malware, is gaining attention. It is a reimagining of the Oski malware, which was discontinued in 2020. Mars Stealer expanded modestly until recently, when the unexpected shutdown of Raccoon Stealer pushed hackers to seek alternatives.


Researchers discovered a Mars Stealer campaign that uses Google Ads to promote copied OpenOffice sites in Canadian search results. OpenOffice is an open source office suite. It’s possible that the threat actors didn’t clone the far more popular LibreOffice since doing so would result in a speedy takedown owing to widespread reports.

The fake site’s OpenOffice installer is a Mars Stealer executable with the Babadeda crypter or the AutoIt loader, and it infects users without their knowledge. The operator has exposed the victims’ ‘logs’ directory due to a flaw in the cracked version’s configuration instructions, giving any visitor complete access. A log is a compressed file containing the data taken by the Trojan and transferred to the threat actors’ C&C servers.

Mars Stealer seems to have stolen browser auto-fill data, browser extension data, IP addresses, credit cards, country codes, and time zone data in this campaign. The threat actor’s own sensitive information was also revealed because the actor compromised himself with a copy of Mars Stealer while debugging. This oversight allowed researchers to link the attacks to a Russian speaker and identify the threat actor’s GitLab accounts, stolen credentials used to pay for Google Ads, etc.


Mars Stealer is a growing threat, promoted on over 47 darknet sites and hacker forums, Telegram groups, and “unofficial” distribution routes such as the cracked pack. The operators of these info-stealers are mainly focused on cryptocurrency assets. MetaMask, Binance Wallet, Coinbase Wallet, and Math Wallet, all hot wallets for managing cryptocurrency assets, were the most stolen browser plugins in the investigated campaign.

To protect yourself from data thieves, make sure you only click on legitimate sites rather than Google Ad results, and check downloaded executables with your antivirus software before running them. 3xp0rt’s analysis of the new Mars Stealer malware is recommended for readers interested in a technical deep dive into the new malware variant.
