Researchers have observed a rise in attack campaigns employing the popular Mars Stealer. Its use increased after the abrupt shutdown of the Raccoon stealer, as several attackers turned to Mars Stealer as an alternative.

The new campaign

A campaign spotted by Morphisec uses Google Ads SEO techniques to rank cloned OpenOffice sites high in Canadian search results. OpenOffice is an open-source office suite that is no longer widely used.
  • The OpenOffice installer offered on the fake site is a Mars Stealer .exe, packed with the Babadeda crypter or the AutoIt loader.
  • A bug in the configuration instructions of the cracked version of Mars Stealer, which appears to be an honest mistake by the operators, gives anyone access to the directory of victim logs. It also meant that the attackers themselves were infected with the malware.
  • The log directory on the threat actor’s C2 servers contains a zip file of stolen data. The data includes browser-stored credit cards, IP address, country code, and timezone, among other items.

Because the adversaries were infected with their own malware, researchers were able to link the attacks to a Russian speaker and associated GitLab accounts.

Who are the targets?

Researchers claim that the attackers behind these info-stealers are focused on cryptocurrency assets.
  • The most frequently stolen browser plugin data is from MetaMask, followed by Coinbase, Binance, and MathWallet.
  • Researchers also discovered credentials belonging to a healthcare infrastructure provider in Canada and spotted signs of compromise at various high-profile service firms.

Ending notes

Mars Stealer is seeing an influx of new users, and researchers may encounter it more often in numerous new campaigns. Organizations are advised to protect sensitive data with proper access management and encryption.
Cyware Publisher