Bitcoin Forum
Author Topic: New stealer that steals data from crypto wallets and 2FA plugins  (Read 220 times)
lovesmayfamilis (OP)
February 02, 2022, 12:38:23 PM
Last edit: February 02, 2022, 12:50:00 PM by lovesmayfamilis
 #1

Russian hacker forums and social media have reported a malware called Mars Stealer that can steal your cryptocurrency. As the news reports say, the new stealer is an improved version of another malware called Oski Stealer.

https://www.bleepingcomputer.com/news/security/powerful-new-oski-variant-mars-stealer-grabbing-2fas-and-crypto/

Quote
Mars Stealer uses a custom grabber that retrieves its configuration from the C2 and then proceeds to target the following applications:

Internet apps: Google Chrome, Internet Explorer, Microsoft Edge (Chromium Version), Kometa, Amigo, Torch, Orbitium, Comodo Dragon, Nichrome, Maxxthon5, Maxxthon6, Sputnik Browser, Epic Privacy Browser, Vivaldi, CocCoc, Uran Browser, QIP Surf, Cent Browser, Elements Browser, TorBro Browser, CryptoTab Browser, Brave, Opera Stable, Opera GX, Opera Neon, Firefox, SlimBrowser, PaleMoon, Waterfox, CyberFox, BlackHawk, IceCat, K-Meleon, Thunderbird.

2FA apps: Authenticator, Authy, EOS Authenticator, GAuth Authenticator, Trezor Password Manager.

Crypto extensions: TronLink, MetaMask, Binance Chain Wallet, Yoroi, Nifty Wallet, Math Wallet, Coinbase Wallet, Guarda, EQUAL Wallet, Jaox Liberty, BitAppWllet, iWallet, Wombat, MEW CX, Guild Wallet, Saturn Wallet, Ronin Wallet, Neoline, Clover Wallet, Liquality Wallet, Terra Station, Keplr, Sollet, Auro Wallet, Polymesh Wallet, ICONex, Nabox Wallet, KHC, Temple, TezBox Cyano Wallet, Byone, OneKey, Leaf Wallet, DAppPlay, BitClip, Steem Keychain, Nash Extension, Hycon Lite Client, ZilPay, Coin98 Wallet.

Crypto wallets: Bitcoin Core and all derivatives (Dogecoin, Zcash, DashCore, LiteCoin, etc), Ethereum, Electrum, Electrum LTC, Exodus, Electron Cash, MultiDoge, JAXX, Atomic, Binance, Coinomi.

Again, the security rules include limiting the use of various kinds of cracks, the use of torrent servers, the opening of unwanted emails containing archives. And of course, regularly updating your existing system and antivirus software.

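The application list quoted above reads as an exposure checklist for a Windows user profile. The script below is an added example (not code from the post or from the BleepingComputer article) that turns a few entries from that list into an inventory of the files a grabber of this kind would be after, so you can see what such a stealer would find on a given machine. The data-directory locations are the assumed defaults for those applications (Bitcoin Core and Electrum under %APPDATA%, Chrome and Firefox profile files, MetaMask's Chrome extension storage keyed by its Chrome Web Store ID); adjust them to your installs. The sample path listing is constructed, not taken from a real host.

```python
"""Inventory of the wallet and browser artefacts a stealer's grabber would look for in a Windows profile.

Added example, not code from the original post or from the BleepingComputer article. The locations
below are the assumed default data directories for a handful of the applications on the target list;
adjust them to your installs. inventory() is pure (it works on a list of paths) so it can be tested
without a real filesystem; scan_profile() feeds it a real directory walk on a live host.
"""
import fnmatch
import os

# label -> glob patterns relative to the user profile directory (assumed default install locations).
TARGETS = {
    "Bitcoin Core wallet files": [
        r"AppData\Roaming\Bitcoin\wallet.dat",
        r"AppData\Roaming\Bitcoin\wallets\*\wallet.dat",
    ],
    "Electrum wallet files": [r"AppData\Roaming\Electrum\wallets\*"],
    "Exodus wallet data": [r"AppData\Roaming\Exodus\exodus.wallet\*"],
    "Chrome extension local storage (any extension)": [
        r"AppData\Local\Google\Chrome\User Data\*\Local Extension Settings\*",
    ],
    # nkbihfbeogaeaoehlefnkodbefgpgknn is MetaMask's Chrome Web Store extension ID.
    "MetaMask (Chrome) vault": [
        r"AppData\Local\Google\Chrome\User Data\*\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\*",
    ],
    "Chrome saved logins / cookies": [
        r"AppData\Local\Google\Chrome\User Data\*\Login Data",
        r"AppData\Local\Google\Chrome\User Data\*\Network\Cookies",
    ],
    "Firefox saved logins": [
        r"AppData\Roaming\Mozilla\Firefox\Profiles\*\logins.json",
        r"AppData\Roaming\Mozilla\Firefox\Profiles\*\key4.db",
    ],
}


def inventory(paths, profile):
    """Return {label: sorted matching paths} for every target pattern that matches at least one path.

    paths   : absolute Windows paths (strings)
    profile : the user profile directory, e.g. C:/Users/alice written with backslashes
    Matching is case-insensitive, as NTFS is; a path may hit several labels.
    """
    prefix = profile.rstrip("\\").lower() + "\\"
    hits = {}
    for path in paths:
        low = path.lower()
        if not low.startswith(prefix):
            continue
        rel = low[len(prefix):]
        for label, patterns in TARGETS.items():
            if any(fnmatch.fnmatchcase(rel, pat.lower()) for pat in patterns):
                hits.setdefault(label, []).append(path)
    return {label: sorted(found) for label, found in hits.items()}


def scan_profile(profile):
    """Live check on a Windows host: walk the real profile directory and run the inventory over it."""
    found = []
    for root, _dirs, files in os.walk(profile):
        for name in files:
            found.append(os.path.join(root, name))
    return inventory(found, profile)


# Constructed sample listing (not from a real host) to show what the output looks like.
SAMPLE_PROFILE = r"C:\Users\alice"
SAMPLE_PATHS = [
    r"C:\Users\alice\AppData\Roaming\Bitcoin\wallets\main\wallet.dat",
    r"C:\Users\alice\AppData\Roaming\Electrum\wallets\default_wallet",
    r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\000003.log",
    r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\abcd1234.default-release\key4.db",
    r"C:\Users\alice\Documents\notes.txt",
]


def demo():
    """Run the inventory over the constructed sample listing."""
    return inventory(SAMPLE_PATHS, SAMPLE_PROFILE)


if __name__ == "__main__":
    for label, files in demo().items():
        print(f"[exposed] {label}")
        for f in files:
            print("    ", f)
```

On a live host, `scan_profile(r"C:\Users\<name>")` returns the same kind of dictionary for real files. Everything it lists is plain file data that a stealer of this kind simply copies out once it runs, which is why the thread's advice about not executing downloaded files and keeping keys off the online machine matters more than any one antivirus signature.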
bitmover
February 02, 2022, 01:38:46 PM
 #2

I think people overestimate 2FA security.

Funds in exchanges are always at risk; using 2FA is good, but it is not 100%.

For wallets such as Coinomi, Electrum, etc., 2FA is basically useless because the private key is all that you need to access your funds.

Nothing is better than keeping the private keys of your wallet on a piece of paper, in an offline environment.

Lucius
February 02, 2022, 03:26:04 PM
 #3

I think people overestimate 2FA security.
Funds in exchanges are always at risk; using 2FA is good, but it is not 100%.

There is a risk for anyone who does not have complete control over their private keys, but I agree that 2FA may give some the impression that their funds are more secure when it comes to online wallets. It is a well-known fact that hackers target accounts that hold large amounts, and when they manage to get hold of passwords, all they need to do is make a SIM swap and hack the account.

For wallets such as Coinomi, Electrum, etc., 2FA is basically useless because the private key is all that you need to access your funds.

I would not agree that it is completely useless because in some cases it can prevent a hacker from hacking a wallet. TrustedCoin is a service available through Electrum and it is impossible to make a transaction without being confirmed by their server - so even though it is a paid option, I believe it has saved many users from being hacked.

Nothing is better than keeping the private keys of your wallet on a piece of paper, in an offline environment.

Of course, for long-term storage, a properly made paper wallet is certainly a very good option, but the problem is all those hot wallets that exist and are vulnerable to various attacks.

Charles-Tim
February 02, 2022, 03:59:30 PM
 #4

I think people overestimate 2FA security.
Yes, that is why some people will have the 2FA app on the device they use for wallets, exchanges etc. The best is to have the 2FA app on a different device from the one used to access wallets and exchanges.

For wallets such as Coinomi, Electrum, etc., 2FA is basically useless because the private key is all that you need to access your funds.
I have noticed that custodial wallets and exchanges are the ones having 2FA; most non-custodial wallets do not have it. Although Electrum does support 2FA.

but I agree that 2FA may give some the impression that their funds are more secure when it comes to online wallets. It is a well-known fact that hackers target accounts that hold large amounts, and when they manage to get hold of passwords, all they need to do is make a SIM swap and hack the account.
Never mind this; 2FA is not the same as SIM authentication, I would like to be corrected if I am wrong. 2FA like hardware authenticators and apps like Aegis and andOTP; never mind me, I did not mention Authy, Google and Windows authenticator because I cannot recommend them. 2FA is misused by many people; people should also not rely on it 100%. It can be hardware, but if it is an app, it should be on another device. SIM authentication is the worst among the means of authentication.

Husires
February 02, 2022, 04:02:37 PM
 #5

How can this stolen data affect the protection of users? They are privacy statements rather than security holes.
Moreover, Mars Stealer will capture and send the following basic information to the C2:

Quote
IP and country
Working path to EXE file
Local time and time zone
Language system
Language keyboard layout
Notebook or desktop
Processor model
Computer name
User name
Domain computer name
Machine ID
GUID
Installed software and their versions

quote source https://www.bleepingcomputer.com/news/security/powerful-new-oski-variant-mars-stealer-grabbing-2fas-and-crypto/

It targets the user's personal activity such as politicians, social attacks, people tracking and other data.
Data is important to marketers as well, but promoting it as Russian or automatically shutting down when it finds a Russian ID means nothing.

jerry0
February 05, 2022, 06:26:50 PM
 #6

So if you have basic Windows Defender and Malwarebytes on a laptop... is it completely useless against it?


What about paid antivirus like Kaspersky or Norton?
WellRozey
February 06, 2022, 03:39:11 PM
 #7

I think people overestimate 2FA security.

Funds in exchanges are always at risk; using 2FA is good, but it is not 100%.

For wallets such as Coinomi, Electrum, etc., 2FA is basically useless because the private key is all that you need to access your funds.

Nothing is better than keeping the private keys of your wallet on a piece of paper, in an offline environment.
Not just Coinomi and Electrum wallets; every single wallet that has 2FA activated only guards the device it was activated on. If your private key leaks somehow, your funds can be moved out successfully.
Lucius
February 06, 2022, 04:00:53 PM
 #8

So if you have basic Windows Defender and Malwarebytes on a laptop... is it completely useless against it?

I can't say exactly what would happen if an attempt were made to infect your computer, but if the security software you have on your computer has antivirus definitions of a specific threat in its database, then your computer should be protected. As described in the OP, the first line of defense is to watch what you do online, which means that you refrain from downloading risky content and clicking on links from e-mail or social networks.

What about paid antivirus like Kaspersky or Norton?

For me personally, paid security solutions are a better choice, and if you choose Norton you won't regret it: it has protected me for years, and so far I can't complain.

Porfirii
February 06, 2022, 04:30:38 PM
 #9

Nothing is better than keeping the private keys of your wallet on a piece of paper, in an offline environment.

As this is "Beginners & Help" I will repeat this idea from bitmover (repetition is great as rhetoric).

In the Spanish board we are talking about the planned obsolescence of hardware wallets and using them as a safe for a long time, and one idea in the thread is that the piece of paper is the really valuable thing.

So kids, think about using more pen and paper.

lovesmayfamilis (OP)
February 06, 2022, 04:38:47 PM
 #10

So if you have basic Windows Defender and Malwarebytes on a laptop... is it completely useless against it?


What about paid antivirus like Kaspersky or Norton?

How to remove Mars stealer-type malware from the operating system?

I found an article on removing this stealer. If you suspect the presence of this virus on your computer, read the tips that are recommended for cleaning your computer.
But since I myself do not use the Windows system, I cannot write a full review of this antivirus. Read all the features of the program, and of course act at your own risk.
Developer Tomas Meskauskas - expert security researcher, professional malware analyst.

dkbit98
February 06, 2022, 07:22:06 PM
 #11

I am not sure if this malware affects Linux OS, but instead of going through all that mumbo jumbo in Windows and being scared of the next new malware thing, you could simply switch to Linux.
If you need to use wNd0ws for some games etc., then just use it for that purpose only, on a separate machine, or without an internet connection.
Looking at the link posted by lovesmayfamilis, it looks like Mars stealer is a build.exe file that you have to click and install, so I would be careful opening anything from emails, SMS or Telegram.

Welsh
May 16, 2022, 09:05:19 PM
 #12

I am not sure if this malware affects Linux OS, but instead of going through all that mumbo jumbo in Windows and being scared of the next new malware thing, you could simply switch to Linux.
If you need to use wNd0ws for some games etc., then just use it for that purpose only, on a separate machine, or without an internet connection.
Looking at the link posted by lovesmayfamilis, it looks like Mars stealer is a build.exe file that you have to click and install, so I would be careful opening anything from emails, SMS or Telegram.
Windows isn't something so insecure that simply connecting to the internet compromises you. I mean, technically any machine connected to the internet or using Wi-Fi, private or not, could be compromised, but for a gaming machine, personally, the threat level is rather low.

Instead, the better advice is to just move your Bitcoin to an offline machine, and then use a hardware wallet for sending funds. That's probably the best approach to the situation. This particular software requires you to execute it anyway, so unless you're downloading dodgy stuff, you aren't likely to be affected.