Mars Stealer: Malware that steals wallets MetaMask, Ronin, etc
May 11, 2022. No. 241
I've been doing some research these days on some hacking methods that hackers could use to break into my MetaMask and steal $400 USDT from my account. @Pantera told me the other day that MetaMask by itself could not be broken, that it always depended on a bad action by the user and that he ended up “fishing” for a virus on the internet.
We all know that security is not the strong point of wallets that are installed as plugins in web browsers to store cryptocurrencies. However, a new malware further complicates the security of online wallets by directly targeting cryptocurrency wallets that function as browser extensions. Called Mars Stealer, this malware is an update to the 2019 information-stealing Oski Trojan, according to security researcher 3xp0rt. It targets more than 40 browser-based cryptocurrency wallets, along with popular two-factor authentication (2FA) extensions, with a grab feature that steals users' private keys.
MetaMask, Coinbase Wallet, Binance Chain Wallet, Nifty Wallet, MEW CX, Ronin Wallet, and TronLink are some of the wallets targeted.
This specific malware can attack Chromium-based browser extensions, except for Opera. Unfortunately, this means that some of the most common browsers like Internet Explorer, Microsoft Edge, Orbitum, CryptoTab, Firefox, CyberFox, Thunderbird, Brave and Opera Stable, Opera GX and Opera Neon, Google Chrome, and Microsoft Edge, among others, can be infected because they are compatible with Chrome V80. Additionally, while safe from extension-specific attacks, Firefox and Opera are also vulnerable to credential hijacking. In other words: there is no way to escape.
According to the research carried out by 3xp0rt, the malware can steal cryptocurrencies from around 40 digital wallet extensions, which are shown in the following table:
Mars Stealer malware spreads through different means and techniques, such as websites hosting downloads (mainly cracked files for various software), torrent clients, and any other suspicious download that does not come from the official application websites. After infecting a system, the first thing the malware does is check the language of the device. If it matches the language ID of Kazakhstan, Uzbekistan, Azerbaijan, Belarus, or Russia, the software leaves the system without performing any malicious action; otherwise it penetrates the system and infects you. The malware targets the files that contain critical and sensitive information, such as cryptocurrency wallet address information and private keys. Afterward, it leaves the system, erasing any trace of its presence once the robbery is complete. A silent and infallible technique.
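The paragraph above says the malware goes after the data that wallet extensions store inside the browser profile. A defender's first question is therefore which machines actually hold such data. The following script is an added example, not code from the original post or from 3xp0rt's research: it walks a Chromium user-data profile, reads each installed extension's manifest.json (resolving Chrome's `__MSG_key__` i18n name placeholders through `_locales`), and reports every extension whose name matches one of the wallets the post lists, together with whether a `Local Extension Settings/<id>` store (where an extension's local data, such as an encrypted vault, lives) already exists for it. The profile layout it assumes is the standard Chromium one (`Extensions/<id>/<version>/manifest.json`); the sample profile built by `build_sample_profile` is constructed data with made-up extension IDs, not real wallet IDs.

```python
"""Inventory browser-wallet extensions in a Chromium profile (added example)."""
import json
import tempfile
from pathlib import Path

# Wallet names taken from the post; matching is a case-insensitive substring test.
TARGETED_WALLET_NAMES = [
    "MetaMask", "Coinbase Wallet", "Binance Chain Wallet", "Nifty Wallet",
    "MEW CX", "Ronin Wallet", "TronLink",
]


def resolve_i18n(value, ext_dir, default_locale):
    """Resolve a Chrome '__MSG_key__' manifest placeholder via _locales/<locale>/messages.json."""
    if not (isinstance(value, str) and value.startswith("__MSG_") and value.endswith("__")):
        return value
    key = value[len("__MSG_"):-2]
    msg_file = Path(ext_dir) / "_locales" / (default_locale or "en") / "messages.json"
    try:
        messages = json.loads(msg_file.read_text(encoding="utf-8"))
        return messages[key]["message"]
    except (OSError, KeyError, ValueError, TypeError):
        return value  # keep the placeholder if it cannot be resolved


def installed_extensions(profile):
    """Yield (extension_id, name, version, has_local_settings) for every extension in the profile."""
    profile = Path(profile)
    ext_root = profile / "Extensions"
    if not ext_root.is_dir():
        return
    for id_dir in sorted(ext_root.iterdir()):
        if not id_dir.is_dir():
            continue
        for ver_dir in sorted(id_dir.iterdir()):
            manifest_path = ver_dir / "manifest.json"
            if not manifest_path.is_file():
                continue
            try:
                manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
            except (OSError, ValueError):
                continue  # unreadable manifest: skip, do not crash the inventory
            name = resolve_i18n(manifest.get("name", ""), ver_dir, manifest.get("default_locale"))
            # chrome.storage.local data for an extension lives under Local Extension Settings/<id>.
            has_store = (profile / "Local Extension Settings" / id_dir.name).is_dir()
            yield id_dir.name, str(name), str(manifest.get("version", "")), has_store


def find_wallet_extensions(profile):
    """Return the installed extensions whose name matches a wallet from TARGETED_WALLET_NAMES."""
    hits = []
    for ext_id, name, version, has_store in installed_extensions(profile):
        lowered = name.lower()
        for wallet in TARGETED_WALLET_NAMES:
            if wallet.lower() in lowered:
                hits.append({"id": ext_id, "name": name, "version": version,
                             "wallet": wallet, "has_local_settings": has_store})
                break
    return hits


def build_sample_profile(root):
    """Construct a fake Chromium profile for the demo (constructed data, fake extension IDs)."""
    root = Path(root)

    def write_json(path, obj):
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(json.dumps(obj), encoding="utf-8")

    # Wallet whose manifest name is an i18n placeholder, and which already has a data store.
    ext1 = root / "Extensions" / "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" / "10.0.0_0"
    write_json(ext1 / "manifest.json",
               {"name": "__MSG_appName__", "default_locale": "en", "version": "10.0.0"})
    write_json(ext1 / "_locales" / "en" / "messages.json", {"appName": {"message": "MetaMask"}})
    (root / "Local Extension Settings" / "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa").mkdir(parents=True)
    # Wallet with a plain name and no data store yet.
    ext2 = root / "Extensions" / "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb" / "3.1.0_0"
    write_json(ext2 / "manifest.json", {"name": "TronLink", "version": "3.1.0"})
    # Unrelated extension that must not be reported.
    ext3 = root / "Extensions" / "cccccccccccccccccccccccccccccccc" / "1.0_0"
    write_json(ext3 / "manifest.json", {"name": "Tab Manager", "version": "1.0"})
    return root


def demo():
    """Build the constructed profile in a temp dir and return the wallet inventory."""
    with tempfile.TemporaryDirectory() as tmp:
        return find_wallet_extensions(build_sample_profile(tmp))


if __name__ == "__main__":
    for hit in demo():
        print(f"{hit['wallet']:22} id={hit['id']} v{hit['version']} "
              f"local data present: {hit['has_local_settings']}")
```

On a real machine you would point `find_wallet_extensions` at the profile directory (for example the `Default` folder under the browser's user-data directory) instead of the constructed one; an extension reported with `has_local_settings` set is one whose on-disk store would be of interest to a stealer, which is the signal for moving those funds to a hardware wallet or an isolated machine.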
Now comes the main thing that makes this malware so widely used today: criminals are selling Mars Stealer for just $140 USD on Dark Web forums, which means that the barrier to entry for the Trojan is relatively low for malicious actors and for those just starting out in the criminal world or as hackers.
It is essential that users understand that they must protect their funds, and this is done by avoiding clicking on ads or sites that may be dubious. Also, keep your web browsers up to date and your computer in the same state. At the moment, this malware only affects the Windows operating system. Windows' own antivirus, Windows Defender, is one of the best antiviruses today, detecting even 99% of existing viruses according to the different tests that have been carried out on it. Also, keep the operating system 100% updated with the latest security patches.
But it is of little use when the virus is introduced into the PC through one of the many possible ways. Being connected to the internet means having a 99.9% chance that someone at some point is watching everything you do. No system is 100% foolproof or secure.
These days I read this news: “An Apple user loses $650,000 in seconds due to a MetaMask hack. They deployed a sophisticated phishing technique to access the victim's account.” What is my $400 USD against the $650k USD lost in less than a few minutes by that user? Absolutely nothing. In this case, the hacker stole all the cryptos and NFTs that this user had in MetaMask. Through different phishing techniques, they managed to access the user's iCloud account. But we all know that in order to enter MetaMask you need the 12 words, which were completely offline.
However, the security expert with the moniker Serpent said that iCloud automatically stores the person's wallet phrase file if the MetaMask wallet is used on an iPhone. In this way, if the attacker manages to get into your iCloud account, they automatically have access to the phrase and therefore to MetaMask and all your funds. MetaMask has already made public how to disable this backup.
For all of the above, a cold wallet or hardware wallet is recommended. This hardware device stores cryptocurrencies completely offline without internet access, keeping it away from any attacks that may occur online.
MetaMask is extremely popular today. Generally, when we hear stories of someone who has lost all their funds in it, it is painful and we put ourselves in the shoes of those people. On many occasions, nobody has any idea how such an event could have occurred. The most advisable thing is to have 2 computers or 2 telephones. In this way, leisure or even work is kept independent of the world of cryptocurrencies.
On the PC or cell phone where you store or manage cryptocurrencies, you should not install or do anything other than that specifically. In this way you avoid any type of attack or loss of your money. But this is something extremely complex, and it comes down to the economic issue. Miraculously we already have a cell phone; imagine having two, at least in my case.
Stay safe.
Thank you for sharing your thorough research. I thought that Apple devices would be safe... Seemingly nobody and nothing is. I've also read that hardware wallets are best for amounts of money that you don't want to risk losing.
Also, an ad blocker and a script blocker (e.g., uMatrix) are pretty much a must nowadays. Of course, their main point is to prevent trackers from gathering information about you, but still. And another thing coming to my mind is virtual machines. One can keep casual browsing and important websites essentially on two "computers". And virustotal.com for suspicious downloads.