A nascent information stealer called Mars has been observed in campaigns that take advantage of cracked versions of the malware to steal information stored in web browsers and cryptocurrency wallets.
“Mars Stealer is being distributed via social engineering techniques, malspam campaigns, malicious software cracks, and keygens,” Morphisec malware researcher Arnold Osipov said in a report published Tuesday.
Based on the Oski Stealer and first discovered in June 2021, Mars Stealer is said to be constantly under development and available for sale on over 47 underground forums, darknet sites, and Telegram channels, costing only $160 for a lifetime subscription.
Information stealers allow adversaries to vacuum personal information from compromised systems, including stored credentials and browser cookies, which are then sold on criminal marketplaces or used as a springboard for launching further attacks.
The release of Mars Stealer last year has also been accompanied by a steady increase in attack campaigns, some of which have involved the use of a cracked version of the malware that has been configured in such a manner that it has exposed critical assets on the internet, inadvertently leaking details about the threat actor’s infrastructure.
Notable is also a campaign that was observed last month and used to siphon passwords from students, faculty, content creators, and others who downloaded trojanized versions legitimate applications.
The cybersecurity firm also noted that they had “identified credentials that led to the complete compromise of Canada’s leading healthcare infrastructure provider and several high-profile Canadian service providers.” “
While Mars Stealer is most commonly distributed via spam email messaging containing a compressed executable, download link, or document payload, it’s also propagated via fraudulent cloned websites advertising well-known software such as OpenOffice that were then pushed through Google Ads.
The goal of this campaign is to use geographically targeted advertisements to lure potential victims looking for original software to visit a malicious website instead. This will ultimately lead to the distribution of malware.
Mars Stealer is designed to exfiltrate and harvest browser autofill information, credit card details, browser extension details (including that of crypto wallets such as Metamask and Coinbase Wallet) and system metadata.
But because the threat actor compromised their own machine with the Mars Stealer during debugging, the OPSEC mistake allowed the researchers to attribute the campaign to a Russian speaker as well as uncover details about the adversary’s use of GitLab and stolen credentials to place Google Ads.
“Infostealers offer an accessible entry point to criminal activity,” Osipov said, adding such tools “empower novice cybercriminals to build a reputation they can leverage to acquire more powerful malware from more sophisticated actors. “