
A new strain of information-stealing malware has emerged that can steal private keys from a range of cryptocurrency wallet browser extensions.
Chrome browsers are the most vulnerable
According to security researcher 3xp0rt, Mars Stealer is an upgraded variant of the Oski trojan, which first appeared in 2019. The malware primarily targets Chromium-based browsers such as Google Chrome, Microsoft Edge, and Brave.
Once its payload runs, Mars Stealer attempts to grab private keys from popular browser extension wallets such as MetaMask, Binance Chain Wallet, TronLink, and Coinbase Wallet. It also goes after the credentials of some 2FA applications. After the theft, the malware deletes itself from the victim's PC, which makes it harder for the victim or an investigator to find out what happened.
My first blog post about #Mars #Stealer is out: https://t.co/vBWV3cGH0U
— 3xp0rt (@3xp0rtblog) February 1, 2022
The most likely source is Russian hackers
There are several hints that Mars Stealer originates in Russia. Before executing its payload, the malware checks the victim's language ID, and if it matches Russia, Belarus, Kazakhstan, Azerbaijan, or Uzbekistan, it terminates. This is a pattern common to malware from the region: Russian authorities generally prosecute cybercrime committed against Russian citizens, but not attacks that are launched from Russia against other countries, so avoiding local victims keeps the operators out of trouble at home.
In addition, the Mars Stealer authors sell the trojan on a Russian-language dark web forum for 140 USD. Chainalysis warned last month that criminals are making money from victims with cheap, mass-copied malware families such as cryptojackers.
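The locale check described above, written out as an added example (this is not Mars Stealer's code, nor code from 3xp0rt's write-up). It assumes the check operates on a Windows LANGID, as returned by GetUserDefaultLangID, and compares only the primary-language part of it, so that, for instance, Russian set for Moldova still counts as Russian. The numeric primary-language IDs are the LANG_* constants from the Windows SDK; the sample LANGIDs in main are constructed test values.

```c
/* Added example of a CIS-locale kill switch, not Mars Stealer's own code.
 * Assumption: the check uses a Windows LANGID and looks only at the
 * primary language (low 10 bits), exactly what winnt.h's PRIMARYLANGID does.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#ifdef _WIN32
#include <windows.h>
#endif

/* Same extraction as the PRIMARYLANGID macro in winnt.h: low 10 bits. */
#define PRIMARY_LANG(langid) ((uint16_t)(langid) & 0x3ff)

/* Primary language IDs from the Windows SDK for the countries named above. */
enum {
    LANG_RUSSIAN_ID    = 0x19,
    LANG_BELARUSIAN_ID = 0x23,
    LANG_KAZAK_ID      = 0x3f,
    LANG_AZERI_ID      = 0x2c,
    LANG_UZBEK_ID      = 0x43
};

/* Returns 1 if a stealer with this rule would terminate instead of running,
 * 0 if it would go on to execute its payload. */
int locale_kill_switch(uint16_t langid)
{
    switch (PRIMARY_LANG(langid)) {
    case LANG_RUSSIAN_ID:
    case LANG_BELARUSIAN_ID:
    case LANG_KAZAK_ID:
    case LANG_AZERI_ID:
    case LANG_UZBEK_ID:
        return 1;
    default:
        return 0;
    }
}

int main(void)
{
    /* Constructed sample LANGIDs: the high 6 bits are the sublanguage (region),
     * the low 10 bits the primary language. */
    const struct { uint16_t langid; const char *name; } samples[] = {
        { 0x0409, "en-US" },
        { 0x0419, "ru-RU" },
        { 0x0819, "ru-MD" },      /* Russian, Moldova: still primary language Russian */
        { 0x0423, "be-BY" },
        { 0x043f, "kk-KZ" },
        { 0x042c, "az-Latn-AZ" },
        { 0x0443, "uz-Latn-UZ" },
        { 0x0407, "de-DE" }
    };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-12s 0x%04x -> %s\n", samples[i].name, samples[i].langid,
               locale_kill_switch(samples[i].langid) ? "terminate" : "run");

#ifdef _WIN32
    /* On a real Windows host, this is the value such a check would consult. */
    uint16_t mine = (uint16_t)GetUserDefaultLangID();
    printf("this machine 0x%04x -> %s\n", mine,
           locale_kill_switch(mine) ? "terminate" : "run");
#endif
    return 0;
}
```

Two practical consequences follow from this rule. For analysts, a sandbox whose default user language is set to one of these locales will see the sample exit almost immediately and record no stealer behaviour, so detonate under a non-CIS locale. For defenders, switching a workstation's language to Russian is a well-known folk mitigation against this malware family, but it is a weak one: the rule exists for the operators' convenience and can be removed in the next build, and it does nothing against stealers that do not carry the check.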