Mars Stealer malware is growing in popularity. The first large-scale campaigns employing this malware are just beginning to take shape. But high-profile firms have already observed its impact…

Mars Stealer malware’s hidden dangers

Mars Stealer can quietly harvest a large quantity of data in one pass: file download histories, browser cookies, the victim's IP address and stored passwords from common browsers, among other information. It does not only exfiltrate data. It can also act as a loader, fetching and executing additional payloads such as ransomware, trojans or crypto-miners on the compromised device.

Because Mars Stealer is a lightweight program, a compromise produces none of the obvious symptoms users associate with malware (slower response times, system crashes and so on). By the time anything is noticed, the stolen credentials and cookies are typically already in the operator's hands.

Mars Stealer malware evolution

Mars Stealer initially appeared as a redesign of the Oski malware, the development of which halted in 2020. Oski featured extensive information stealing capabilities and targeted a wide variety of apps.

No one made much of Mars Stealer until recently, when the sudden shutdown of Raccoon Stealer prompted cyber criminals to look for alternatives. Mars Stealer saw an immediate influx of new users. It sells for $140-$160 in online marketplaces.

The service operates in much the same way Raccoon previously did, leading experts to believe that it may serve as the delivery mechanism for a range of planned but not yet executed attack campaigns.

Mars Stealer campaign types

Researchers have observed several of these new campaigns, including one that leverages a cracked version of the malware, circulating with instructions pertaining to how to use it.

Another campaign buys Google Ads so that cloned OpenOffice sites appear as sponsored results at the top of Google's Canadian search results, ahead of the genuine project page. The "OpenOffice installer" offered by the fake sites is actually a Mars Stealer executable that infects the user's device when run.

Image of fake OpenOffice advertisement on Google. Image courtesy of Morphisec.

What is OpenOffice?

OpenOffice is a once-popular open source office suite. Its word processor works much like Word: users can open and modify Word documents without paying for Microsoft's software. The OpenOffice project now belongs to the Apache Software Foundation.

Experts speculate that hackers may have skipped cloning the better-known LibreOffice, as doing so might have resulted in a swift takedown due to numerous user reports.

A threat to cryptocurrency assets

Promoted on more than 47 darknet sites, on Telegram channels and on hacking forums, Mars Stealer represents a rising threat. Researchers note that the operators of these info stealers direct their attention towards cryptocurrency assets.

To give a sense of the potential harm, the info stealer can pull private data from cryptocurrency browser extensions and plug-ins, including the credentials and seed material that let an attacker take over the wallet and move funds. Desktop cryptocurrency wallets are also targeted by this malware.

High-profile Mars Stealer attacks

Experts have observed compromise in relation to a Canadian health infrastructure provider, and have seen signs of compromise in relation to several high-profile Canadian service firms.

On systems whose language settings are set to Uzbekistan, Russia, Azerbaijan, Belarus or Kazakhstan, the malware deletes itself and exits without stealing anything. The article's sources read this as a sign of political or quasi-political objectives; it is also the standard exclusion pattern seen in malware sold on Russian-language forums, where it usually indicates where the developers operate and wish to avoid prosecution. Either way, it is a useful analysis detail: a sandbox configured with one of these locales will see the sample self-delete rather than run.

Protecting against Info Stealers

Mars Stealer can lead to follow-on infections as well as data and privacy losses, which in turn can result in financial loss and identity theft.

In the business setting, guard against Mars Stealer by training employees to navigate directly to official vendor websites (or use bookmarks) rather than clicking sponsored results at the top of a search page, and by blocking ad-served download links at the proxy where possible. Downloaded installers should be checked before they are launched: confirm the file came from the vendor's own domain, compare its hash against the checksum the vendor publishes, and scan it with endpoint protection.
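The two pre-launch checks above (did the installer come from an official host, and does its hash match the published checksum) can be scripted so they are applied consistently rather than left to each user's judgement. The following is an added example written for this article, not code from CyberTalk, Morphisec or the Apache project. The allowlist of official hosts, the brand tokens and the installer bytes are illustrative assumptions; replace them with the hosts and SHA-256 value the vendor actually publishes. It deliberately exercises the lookalike tricks a cloned-site campaign relies on: brand names inside unrelated domains, the official domain used as a subdomain of an attacker's host, and the `user@host` URL form.

```python
"""Pre-launch checks for a downloaded installer (added example, not from the article)."""
import hashlib
import hmac
from urllib.parse import urlparse

# Assumed allowlist: domains the vendor serves its site and downloads from.
# Illustrative only; take the real list from the vendor's documentation.
OFFICIAL_HOSTS = ("openoffice.org", "apache.org")

# Brand tokens whose presence in a non-official host is a cloning signal.
BRAND_TOKENS = ("openoffice", "apache")


def hostname_of(url: str) -> str:
    """Lowercase hostname of a URL, or '' if the URL has none.

    urlparse already resolves the userinfo trick: in
    https://www.openoffice.org@evil.example/ the host is evil.example.
    """
    host = urlparse(url).hostname
    return host.lower() if host else ""


def is_official(url: str, allowlist=OFFICIAL_HOSTS) -> bool:
    """True only for an allowlisted domain or a subdomain of one.

    The '.' boundary matters: 'openoffice.org.evil.example' and
    'notopenoffice.org' must not match 'openoffice.org'.
    """
    host = hostname_of(url)
    if not host:
        return False
    return any(host == d or host.endswith("." + d) for d in allowlist)


def looks_like_impersonation(url: str, brands=BRAND_TOKENS) -> bool:
    """A host that borrows the vendor's name but is not official is suspect."""
    if is_official(url):
        return False
    squashed = hostname_of(url).replace("-", "").replace("_", "")
    return any(b in squashed for b in brands)


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the installer bytes as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


def verify_sha256(data: bytes, expected_hex: str) -> bool:
    """Compare against the vendor's published checksum in constant time."""
    return hmac.compare_digest(sha256_hex(data), expected_hex.strip().lower())


def assess_download(url: str, data: bytes, expected_hex: str) -> str:
    """Single verdict combining the origin check and the checksum check."""
    if not is_official(url):
        if looks_like_impersonation(url):
            return "REJECT: lookalike host impersonating the vendor"
        return "REJECT: host is not on the vendor allowlist"
    if not verify_sha256(data, expected_hex):
        return "REJECT: checksum does not match the published value"
    return "OK: official host and checksum match"


if __name__ == "__main__":
    # Constructed sample: stand-ins for the installer bytes and the vendor's
    # published checksum (in practice, read the file and paste the vendor's hash).
    installer = b"constructed stand-in for OpenOffice installer bytes"
    published = sha256_hex(installer)
    for u in (
        "https://www.openoffice.org/download/index.html",
        "https://www.openoffice.org@evil.example/download/",
        "https://openoffice.org.evil.example/download/",
        "https://open-office-download.example/Setup.exe",
    ):
        print(u, "->", assess_download(u, installer, published))
```

The suffix match on a dot boundary is the part most often got wrong in ad-hoc allowlists: a plain `"openoffice.org" in host` test would accept the attacker-controlled `openoffice.org.evil.example`. The checksum check only helps when the expected value is taken from the vendor's own page rather than from the same site the installer was downloaded from, since a cloned site can publish a matching hash for its own trojanised file.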

For more malware insights, please see CyberTalk.org’s past coverage. Lastly, to receive cutting-edge cyber security news, insights, best practices and analyses in your inbox each week, sign up for the CyberTalk.org newsletter.