A new type of malware has appeared that is able to extract private keys from a multitude of wallet browser extensions.
— 3xp0rt (@3xp0rtblog) February 1, 2022
Chromium browsers most at risk
According to security researcher 3xp0rt, Mars Stealer is an improved version of the Oski trojan, which first appeared in 2019. The malware mainly targets Chromium-based browsers, such as Google Chrome, Microsoft Edge, and Brave.
Once its payload executes, Mars Stealer attempts to extract private keys from popular browser extension wallets, including MetaMask, Binance Chain Wallet, TronLink, and Coinbase Wallet. Some 2FA applications are also at risk of having their credentials stolen. After the attack, the malware removes itself from the victim’s computer without leaving a trace behind.
Russian hackers are the most likely source
There are several hints that Mars Stealer originates from Russia. Before executing its payload, the malware checks whether the victim’s language ID matches that of Russia, Belarus, Kazakhstan, Azerbaijan, or Uzbekistan, and terminates if a match is found. This reflects the fact that Russia generally prosecutes cybercrimes committed against Russian citizens, but not cybercrimes originating in Russia that target other nationalities.
Also, the developers of Mars Stealer advertise the trojan, which can be bought for 140 USD, in Russian on a dark web forum. Last month, Chainalysis warned that hackers are using mass-copied malware types such as cryptojackers to extort money from their victims.