
Alternate Title: Mars Stealer Malware – the latest cyber threat you need to know about

If you keep crypto in a digital wallet — watch out. An old crypto hack is making the rounds again under a new name and with a few new tricks. If you’ve been investing in crypto for a while, you may be familiar with the Oski Trojan from 2019. This trojan attacked browser-based wallets, stealing crypto when successful and causing a cryptocurrency crash for many.

The upgraded version, known as Mars Stealer, aims to do the same thing and is even more adept at it than its predecessor. Currently, it is known to get past the security features of more than 40 different browser-based plug-ins and wallets, even when two-factor authentication (2FA) is used. 2FA is usually an exceptionally strong deterrent to hackers, so this makes Mars Stealer a particularly dangerous cyberthreat.

What is Mars Stealer?

Browser-based wallets are, unfortunately, not known for exceptional security features. Cybercriminals and hackers try many tactics to infiltrate digital wallets and steal your crypto, with varying degrees of success. Quite often, so long as you follow additional cybersecurity protocols, you can keep most cyberattacks at bay and keep your crypto safe. But not so with Mars Stealer, a highly efficient piece of malware that anyone can purchase on the Dark Web for less than $200.

Once purchased by a hacker, it is simply a matter of placing it somewhere where a cryptocurrency holder is likely to download it accidentally. Or the hacker can send it via email, using phishing attacks to trick the recipient into clicking on a link that will secretly download it. Even visiting a web page containing Mars Stealer code can be dangerous, as the malware is designed to attack actual browser extensions.


How does Mars Stealer work?

Mars Stealer will primarily infect users’ browsers and systems via free file-hosting websites, downloads from torrent clients and peer-to-peer sharing networks, and other third-party sites containing downloads. Like most malware and trojans, Mars Stealer is typically disguised as another piece of software that users are likely to download.

When Mars Stealer is downloaded, it quickly runs a script to determine the language setting on your device. The malware avoids infecting any users it determines to be from the Commonwealth of Independent States (Kazakhstan, Russia, Uzbekistan, Belarus, and Azerbaijan); in that case, it uninstalls itself.

Otherwise, Mars Stealer can cause a host of problems for an infected individual. The malware, using special techniques, will collect memory data from crypto browser wallet extensions, browser extensions, plug-ins, and even 2FA extensions, allowing it to bypass the security functions and infiltrate crypto wallets. Information stolen could include wallet addresses, private security keys, and more. Once it obtains this information, it uninstalls itself, leaving no traces. However, the hacker now has everything they need to empty your crypto wallet without you even noticing until you check it.

The problems resulting from a Mars Stealer infection include financial loss, a loss of privacy, and possibly identity theft.

What plug-ins and extensions does Mars Stealer target?

The list of targeted extensions, plug-ins, and browser wallets is quite long and possibly still growing. If your browser contains any of these extensions, wallets, and plug-ins, you’ll need to take measures to protect yourself from a cryptocurrency crash.

Browser extensions:

Internet Explorer, Microsoft Edge, Kometa, Amigo, Torch, Orbitum, Comodo Dragon, Nichrome, Maxthon5, Maxthon6, Sputnik Browser, Epic Privacy Browser, Vivaldi, CocCoc, Uran Browser, QIP Surf, Cent Browser, Elements Browser, TorBro Browser, CryptoTab Browser, Brave, Opera Stable, Opera GX, Opera Neon, Firefox, SlimBrowser, PaleMoon, Waterfox, CyberFox, BlackHawk, IceCat, K-Meleon, Thunderbird

Crypto extensions:

TronLink, MetaMask, Binance Chain Wallet, Yoroi, Nifty Wallet, Math Wallet, Coinbase Wallet, Guarda, EQUAL Wallet, Jaxx Liberty, BitApp Wallet, iWallet, Wombat, MEW CX, Guild Wallet, Saturn Wallet, Ronin Wallet, Neoline, Clover Wallet, Liquality Wallet, Terra Station, Keplr, Sollet, Auro Wallet, Polymesh Wallet, ICONex, Nabox Wallet, KHC, Temple, TezBox, Cyano Wallet, Byone, OneKey, Leaf Wallet, DAppPlay, BitClip, Steem Keychain, Nash Extension

Crypto wallets:

Bitcoin Core, Ethereum, Electrum, Electrum LTC, Exodus, Electron Cash, MultiDoge, JAXX, Atomic, Binance, Coinomi

2FA plug-ins:

Authenticator, Authy, EOS Authenticator, GAuth Authenticator, Trezor Password Manager
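
To see which of the targeted add-ons are actually installed, you can audit a browser profile against the lists above. The following is an added example, not part of the original article or any Kaspersky tool: it assumes a Chromium-style profile folder containing `Extensions/<id>/<version>/manifest.json`, and it matches by name (a heuristic) because the article does not give extension IDs. The watch list is a subset of the names above, and the sample profile built in `demo()` is constructed.

```python
import json
import tempfile
from pathlib import Path

# A few names from the lists above; extend with the rest of the page's list.
WATCHLIST = ["TronLink", "MetaMask", "Binance Chain Wallet", "Coinbase Wallet",
             "Ronin Wallet", "Keplr", "Authenticator", "Authy"]

def display_name(version_dir):
    """Extension name from manifest.json, resolving a __MSG_key__ placeholder."""
    manifest = json.loads((version_dir / "manifest.json").read_text(encoding="utf-8"))
    name = manifest.get("name", "")
    if name.startswith("__MSG_") and name.endswith("__"):
        locale = manifest.get("default_locale", "en")
        path = version_dir / "_locales" / locale / "messages.json"
        messages = json.loads(path.read_text(encoding="utf-8"))
        wanted = name[6:-2].lower()  # message keys are case-insensitive
        for key, entry in messages.items():
            if key.lower() == wanted:
                return entry.get("message", name)
    return name

def targeted_extensions(profile_dir):
    """Sorted (extension_id, name) pairs whose name contains a watch-list entry."""
    hits = set()
    for manifest in Path(profile_dir).glob("Extensions/*/*/manifest.json"):
        try:
            name = display_name(manifest.parent)
        except (OSError, ValueError, AttributeError):
            continue  # unreadable or malformed extension folder
        if any(w.lower() in name.lower() for w in WATCHLIST):
            hits.add((manifest.parent.parent.name, name))
    return sorted(hits)

def demo():
    """Build a constructed profile with one localized extension and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        ext = Path(tmp, "Extensions", "a" * 32, "1.0_0")
        (ext / "_locales" / "en").mkdir(parents=True)
        (ext / "manifest.json").write_text(
            json.dumps({"name": "__MSG_appName__", "default_locale": "en"}))
        (ext / "_locales" / "en" / "messages.json").write_text(
            json.dumps({"appName": {"message": "MetaMask"}}))
        return targeted_extensions(tmp)

if __name__ == "__main__":
    print(demo())
```

Any wallet or 2FA add-on this reports on a machine that may have been infected is one whose keys and secrets should be treated as exposed.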

How to protect yourself from Mars Stealer

Despite the fact that Mars Stealer can bypass many security features, there are still things you can do to protect yourself and your crypto from this malware. For starters, try to be as vigilant as possible when clicking on links or downloading files. Consider all links or downloads in emails as a potential threat if you aren’t 100% sure of the source. Phishing emails, in particular, have gotten incredibly sophisticated, so check twice to ensure any email is from a trusted source. Check the file extension a link or download ends in as well. For example, a .exe extension is not the standard extension for a movie or music file.

Try to avoid using torrent websites and file sharing sites as well, since these are a prime means of distributing the Mars Stealer trojan. If you must download files from third-party sites, try to do so on a separate device from the device where your crypto browser wallets are installed.
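
The extension check described above can be automated for a downloads folder. This is an added example, not code from the original article: it goes slightly beyond the .exe case by also comparing the file's first bytes with its extension, and the extension sets, function names and sample files are assumptions constructed for illustration.

```python
from pathlib import Path, PurePath

# Extensions Windows will launch, and ones people expect to merely open.
EXECUTABLE = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".msi", ".vbs", ".js"}
CONTENT = {".mp4", ".mkv", ".avi", ".mp3", ".flac", ".jpg", ".png", ".pdf", ".docx"}

def check_download(filename, head=b"", expected_content=False):
    """Reasons a download looks like a program presented as a media file or document."""
    findings = []
    suffixes = [s.strip().lower() for s in PurePath(filename.strip()).suffixes]
    last = suffixes[-1] if suffixes else ""
    if last in EXECUTABLE:
        if any(s in CONTENT for s in suffixes[:-1]):
            findings.append(f"double extension: content name ending in {last}")
        elif expected_content:  # the user believed this was a movie, song or document
            findings.append(f"{last} is a program, not a media or document file")
    elif last in CONTENT and head[:2] == b"MZ":
        findings.append(f"Windows executable header (MZ) inside a {last} file")
    return findings

def scan_folder(folder):
    """Check every file in a downloads folder, reading only its first two bytes."""
    report = {}
    for path in sorted(Path(folder).iterdir()):
        if path.is_file():
            with path.open("rb") as fh:
                findings = check_download(path.name, fh.read(2))
            if findings:
                report[path.name] = findings
    return report

# Constructed sample downloads: (file name, first bytes, user expected content?)
SAMPLES = [
    ("holiday_video.mp4", b"\x00\x00\x00\x18ftypmp42", True),
    ("Movie.2022.1080p.mp4.exe", b"MZ\x90\x00", True),
    ("album_track01.mp3", b"MZ\x90\x00", True),
    ("new_release_installer.exe", b"MZ\x90\x00", True),
    ("wallet_setup.exe", b"MZ\x90\x00", False),
]

if __name__ == "__main__":
    for name, head, expected in SAMPLES:
        print(name, "->", check_download(name, head, expected) or "no findings")
```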

Recommended products

Kaspersky can protect you from all major threats, including malware, spyware, and trojans. The Total Security suite provides bank-grade protection, significantly reducing the risk of your crypto browser wallets being infiltrated by hackers. Learn more about how Kaspersky can help you stay five steps ahead of cybercriminals and keep your data and finances safe.
