Bad OPSEC allowed researchers to uncover Mars stealer operationSecurity Affairs

The Morphisec Labs researchers analyzed a new malware, tracked as Mars stealer, which is based on the older Oski Stealer.

Morphisec Labs recently discovered the Mars stealer that was spreading masqueraded as malicious software cracks and keygens.

The Mars stealer is available for sale on several underground forums, researchers pointed out that it is under constant development. The malicious code was offered only $ 160 for a lifetime subscription.

The malicious code allows stealing user credentials stored in various browsers, as well as many different cryptocurrency wallets. Researchers discovered that threat actors released a cracked version of the Mars Stealer along with a guide that tricked its users into improperly configuring it allowing them to access their data. Stolen data are then offered for sale on cybercrime marketplaces.

Not long after the Mars Stealer’s release, a cracked version was released with an instruction document. This guide has some flaws. One flaw instructs users to set up full access (777) to the whole project, including the victims’ logs directory. ” reads the analysis published by Morphisec.

“Whoever released the cracked Mars Stealer without official support has led threat actors to improperly configure their environment, exposing critical assets to the world.”

The malware is based on the Oski Stealer and it was first spotted in June 2021.

The malware targets multiple cryptocurrency wallets, the most stolen plugin using Mars Stealer is the crypto wallet MetaMask, followed by Coinbase.

Most of the victims are students, faculty members, and content makers looking for legitimate applications who end up with tainted ones instead.

Threat actors used Google Ads to trick victims searching for the original software into visiting a malicious site instead. They used stolen information to pay advertising campaigns.

The researchers discovered that threat actors compromised their own system with the Mars Stealer while debugging. Researchers were able to analyze the operation by looking at attackers own stolen information, including screenshots, passwords, history, system information, etc.

The information revealed by the bad OPSEC, allowed Morphisec to analyze the Mars stealer to a Russian national.

“We can safely attribute this actor as a Russian national by looking at the screenshots and keyboard details from the extracted system.txt. ” concludes the report that includes Indicators of Compromise.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs hacking, Mars infostealer)












Source

The Morphisec Labs researchers analyzed a new malware, tracked as Mars stealer, which is based on the older Oski Stealer.

Morphisec Labs recently discovered the Mars stealer that was spreading masqueraded as malicious software cracks and keygens.

The Mars stealer is available for sale on several underground forums, researchers pointed out that it is under constant development. The malicious code was offered only $ 160 for a lifetime subscription.

The malicious code allows stealing user credentials stored in various browsers, as well as many different cryptocurrency wallets. Researchers discovered that threat actors released a cracked version of the Mars Stealer along with a guide that tricked its users into improperly configuring it allowing them to access their data. Stolen data are then offered for sale on cybercrime marketplaces.

Not long after the Mars Stealer’s release, a cracked version was released with an instruction document. This guide has some flaws. One flaw instructs users to set up full access (777) to the whole project, including the victims’ logs directory. ” reads the analysis published by Morphisec.

“Whoever released the cracked Mars Stealer without official support has led threat actors to improperly configure their environment, exposing critical assets to the world.”

The malware is based on the Oski Stealer and it was first spotted in June 2021.

The malware targets multiple cryptocurrency wallets, the most stolen plugin using Mars Stealer is the crypto wallet MetaMask, followed by Coinbase.

Most of the victims are students, faculty members, and content makers looking for legitimate applications who end up with tainted ones instead.

Threat actors used Google Ads to trick victims searching for the original software into visiting a malicious site instead. They used stolen information to pay advertising campaigns.

The researchers discovered that threat actors compromised their own system with the Mars Stealer while debugging. Researchers were able to analyze the operation by looking at attackers own stolen information, including screenshots, passwords, history, system information, etc.

The information revealed by the bad OPSEC, allowed Morphisec to analyze the Mars stealer to a Russian national.

“We can safely attribute this actor as a Russian national by looking at the screenshots and keyboard details from the extracted system.txt. ” concludes the report that includes Indicators of Compromise.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs hacking, Mars infostealer)












Source

More from author

LEAVE A REPLY

Please enter your comment!
Please enter your name here

Related posts

Advertismentspot_img

Latest posts

YouAttest collaborates with JumpCloud to give users access reviews for identity governance

YouAttest announced their product integration with JumpCloud - an open directory platform that gives IT, security...

SLACIP: How to Comply with the SOCI ACT Reforms

On March 31, 2022, the Security Legislation Amendment Critical Infrastructure Protection Act 2022, also known as SLACIP, was passed by the Australian Parliament. ...

Microsoft patches the Patch Tuesday patch that broke authentication – Naked Security

Two of the big-news vulnerabilities in this month's Patch Tuesday updates from Microsoft were CVE-2022-26923 and CVE-2022-26931which affected the safety of authentication in Windows. Even...

Want to stay up to date with the latest news?

We would love to hear from you! Please fill in your details and we will stay in touch. It's that simple!