A new type of malware is compromising MetaMask and at least 40 other software crypto wallets.
First analyzed by malware expert 3xp0rt, “Mars Stealer” appears to be an enhanced version of the Oski Stealer malware which surfaced in late 2019. Just 95kb in size, the malware is an information-stealing program that can steal data from any web browser, including popular crypto wallet extensions, before disappearing from the victim’s device.
It can also grab two-factor authentication (2FA) codes, which many crypto holders rely on heavily to protect their bags.
According to a report from BleepingComputer, Mars Stealer can “exfiltrate files from the infected system and relies on its own loader and wiper, which minimizes the infection footprint.”
So far, the malware is known to be a threat to Google Chrome, Brave Browser, Internet Explorer, Microsoft Edge, and at least 30 other internet browsers and applications. It is also known to circumvent Google Authenticator, Authy, Trezor Password Manager and multiple other 2FA apps.
TronLink, MetaMask, Binance Chain Wallet, Yoroi, Nifty Wallet, Math Wallet, Coinbase Wallet, Guarda, EQUAL Wallet, Jaxx Liberty, and many other crypto extensions are vulnerable to Mars Stealer. Crypto wallets like Bitcoin Core, Exodus, Binance and Coinomi are also susceptible to hacks.
Mars Stealer is currently available for $140 on Russian-speaking dark markets, making the barrier to entry relatively low.
According to 3xp0rt, the malware also allows attackers to retrieve the following information:
- IP and country
- Working path to EXE file
- Local time and time zone
- System language
- Keyboard layout language
- Notebook or desktop
- Processor model
- Computer name
- User name
- Domain computer name
- Machine ID
- Installed software and their versions
“Mars Stealer is an improved version of Oski Stealer. Anti-debug checks and crypto extension stealing have been added, but Outlook stealing is missing. The code has been refactored, but some algorithms remained stupid as in Oski Stealer. Here you can read a detailed Oski Stealer analysis from CyberArk.”