Mars Stealer was created on top of the older, abandoned Oski Stealer codebase.

Key Takeaways

Mars Stealer is an improved copy of its predecessor, the Oski Stealer.
The malware uses special techniques to collect information from the memory of crypto browser extensions, wallets and 2FA applications.
Credential theft malware continues to be one of the most prevalent types of malware used in cyberattacks.


An improved copy of the Oski Stealer malware (first introduced in November 2019) known as “Mars Stealer” has appeared in the wild and is capable of stealing crypto from popular browser extensions.

A Lightweight, Malicious Program

Mars Stealer is a lightweight malicious program of just 95KB in size, but the security issue it represents is no small thing.

Mars Stealer uses a custom grabber to retrieve its configuration from the command and control infrastructure and then proceeds to target application data from popular web browsers, two-factor authentication plugins, and multiple cryptocurrency extensions and wallets. 

The Trojan malware began circulating on Russian-speaking hacking forums in the summer of 2021 and is able to infect systems through dubious download channels (e.g., unofficial and free file-hosting websites, peer-to-peer sharing networks such as torrent clients, and other third-party downloaders).

The popular cryptocurrency browser plug-ins that Mars Stealer is capable of exploiting include MetaMask, Binance Chain Wallet, Nifty Wallet, Coinbase Wallet and Guarda. It is also capable of exploiting Bitcoin Core, Electrum, Exodus, Atomic, Binance, and Coinomi.

Two-factor authentication applications such as Authy and GAuth Authenticator, as well as web browsers such as Brave, Opera, and Firefox, are also susceptible to being targeted by the Mars Stealer.

One particularly interesting feature of this malicious software is that it checks if a user is based in a country that is historically part of the Commonwealth of Independent States. If the device’s language ID matches that of Russia, Belarus, Kazakhstan, Azerbaijan, or Uzbekistan, the program will exit without performing any malicious behavior.

In summary, this form of malware can cause multiple headaches to its victims, including system infections, privacy issues, financial losses, and identity theft. A detailed technical analysis of the malware can be read in this publication by researcher @3xp0rt.

Disclosure: At the time of writing, the author of this feature owned ETH and several other cryptocurrencies. 
