Mars Stealer’s Cryptomining Attack Campaign Targets OpenOffice



Attack efforts using the famous Mars Stealer have been on the rise, according to researchers. Its popularity grew after the Raccoon Stealer was taken down abruptly, as some attackers turned to it as an alternative.

The new advertising campaign

Morphisec discovered a scheme that uses Google Ads SEO tactics to boost the rankings of duplicated OpenOffice sites in Canadian search results. OpenOffice is an open-source office suite that has fallen out of favour in recent years.

The bogus site’s OpenOffice installer is a Mars Stealer.exe that was packaged with the Babadeda crypter or the Autoit loader.

Anyone has access to the logs directory of victims thanks to a fault in the configuration instructions of the cracked version of Mars Stealer, which appears to be an honest error by the operators. It also implies that the virus was spread by the attackers.

On the threat actor’s C2 servers, the log directory contains a zip file containing stolen data. Browser credit cards, IP addresses, country codes, and timezones are among the data.

So the attackers were victims of the attack, analysts were able to correlate the attacks to a Russian speaker and linked GitLab accounts.

Who are the intended victims?

The criminals behind these data thieves, according to researchers, are targeting bitcoin assets.

MetaMask is the most commonly stolen browser plugin, followed by Coinbase, Binance, and MathWallet.

Researchers also identified credentials belonging to a Canadian healthcare infrastructure provider, as well as indicators of breach on a number of high-profile service companies.

Notes at the end

An inflow of new users has overburdened Mars Stealer, and researchers may come across it more frequently in a variety of different efforts. It is recommended that organisations use adequate access management and encryption to secure sensitive data.


IEMLabs is an ISO 27001:2013 and ISO 9001:2015 certified company, we are also a proud member of EC Council, NASSCOM, Data Security Council of India (DSCI), Indian Chamber of Commerce (ICC), U.S. Chamber of Commerce, and Confederation of Indian Industry (CII). The company was established in 2016 with a vision in mind to provide Cyber Security to the digital world and make them Hack Proof. The question is why are we suddenly talking about Cyber Security and all this stuff? With the development of technology, more and more companies are shifting their business to Digital World which is resulting in the increase in Cyber Crimes.

Leave a comment

Your email address will not be published.

This site is under maintenance,
some features might not work!!!