What is Mars Stealer? The new crypto stealing malware

Online wallet holders and frequent downloaders beware! A new type of malware is targeting browser extension wallets like MetaMask. The price of such a nefarious piece of software on the dark web? Just 140 dollars. Let’s take a closer look at this so called ‘Mars Stealer’ and discuss certain tips on how to prevent such malicious malware targeting your wallets.

Mars Stealer

It is a HODL’ers worst nightmare to open his/her wallet and see a big fat zero on their screen. This nightmare is becoming a reality for those who have been duped by the so called Mars Stealer. Unfortunately, security still remains a weak point of browser based wallets. With the enormous increase of phising mails and scammers, it is becoming increasingly difficult to safely navigate through the online crypto sphere. The latest scam is a piece of malware called Mars Stealer and it is specifically designed to target crypto wallets that function via a browser extension. Examples of such crypto wallets are Metamask or the Binance Chain Wallet. The Mars Stealer is a continuation of the 2019 trojan malware ‘Oski’, that was designed to steal information. This new Mars Stealer addition targets the browser itself (mainly Chrome, Edge and Brave), wallet extensions, private key info and even 2FA plugins. Browsers such as Opera and Firefox are save from wallet extension hacking, but not from credential-stealing.

Mars Stealer targets these wallet extensions: TronLink, MetaMask, Binance Chain Wallet, Yoroi, Nifty Wallet, Math Wallet, Coinbase Wallet, Guarda, EQUAL Wallet, Jaox Liberty, BitAppWllet, iWallet, Wombat, MEW CX, Guild Wallet, Saturn Wallet, Ronin Wallet, Neoline, Clover Wallet, Liquality Wallet, Terra Station, Keplr, Sollet, Auro Wallet, Polymesh Wallet, ICONex, Nabox Wallet, KHC, Temple, TezBox Cyano Wallet, Byone, OneKey, Leaf Wallet, DAppPlay, BitClip, Steem Keychain, Nash Extension, Hycon Lite Client, ZilPay, Coin98 Wallet.

Mars Stealer targets these 2FA plugins: Authenticator, Authy, EOS Authenticator, GAuth Authenticator, Trezor Password Manager.

And what's the deal with the Mars Stealer attack? "It is particularly efficient . . .It also targets some new desktop wallets that weren't really the target before, like Bitcoin core and derivatives," says @yhql6

— Ledger (@Ledger) February 4, 2022

Watch where you click

The Mars Stealer is a malware that focuses on sensitive information. Once installed (disguised as something else), it will immediately determine your language settings. If the language is set to Uzbekistan, Russia, Azerbaijan, Belarus or Kazakhstan the malware will uninstall and leave the system. If not, it will search for folders that contain information such as wallet addresses and private keys. Once obtained, it will uninstall deleting every trace of the program. The hackers now has your private key and wallet address and you haven’t noticed anything until you open your wallet. The malicious piece of malware is currently for sale on the dark web and only costs 140 dollars, which is of course extremely low for such an impactful piece of software.

For anyone who wants to learn more about software wallet vulnerabilities, check out this article from @DonjonLedger: https://t.co/q1YTaRlqJ1

— Ledger (@Ledger) February 4, 2022

So you might be wondering right now. How can I prevent this? It seems that the malware is disguised as a different piece of software. The most common form is a piece of software in disguise. So be aware of phising mails, be aware of download websites and specifically be aware of torrent websites. Downloading torrents on the same device where you have your Metamask wallet installed? Bad idea in general. Find a .exe file in your movie? Red alert. So be aware of any link or dubious files in general and only download from legit (and legal) sources. Unfortunately, scammers and phishers are getting more innovative every year, so you and your surrounding need to be extra alert. Be on your toes and inform each other where possible.