Attack efforts using the famous Mars Stealer have been on the rise, according to researchers. Its popularity grew after the Raccoon Stealer was taken down abruptly, as some attackers turned to it as an alternative.
The new advertising campaign
Morphisec discovered a scheme that uses Google Ads SEO tactics to boost the rankings of duplicated OpenOffice sites in Canadian search results. OpenOffice is an open-source office suite that has fallen out of favour in recent years.
The bogus site’s OpenOffice installer is a Mars Stealer.exe that was packaged with the Babadeda crypter or the Autoit loader.
Anyone has access to the logs directory of victims thanks to a fault in the configuration instructions of the cracked version of Mars Stealer, which appears to be an honest error by the operators. It also implies that the virus was spread by the attackers.
On the threat actor’s C2 servers, the log directory contains a zip file containing stolen data. Browser credit cards, IP addresses, country codes, and timezones are among the data.
So the attackers were victims of the attack, analysts were able to correlate the attacks to a Russian speaker and linked GitLab accounts.
Who are the intended victims?
The criminals behind these data thieves, according to researchers, are targeting bitcoin assets.
MetaMask is the most commonly stolen browser plugin, followed by Coinbase, Binance, and MathWallet.
Researchers also identified credentials belonging to a Canadian healthcare infrastructure provider, as well as indicators of breach on a number of high-profile service companies.
Notes at the end
An inflow of new users has overburdened Mars Stealer, and researchers may come across it more frequently in a variety of different efforts. It is recommended that organisations use adequate access management and encryption to secure sensitive data.