Mars Stealer malware pushed via Google Ads and phishing emails

Cybercriminals trying to foist the Mars Stealer malware onto users seemingly have a penchant for one particular tactic: disguising it as legitimate, benign software to trick users into downloading it.

Two documented Mars Stealer delivery campaigns

In a recent campaign described by Morphisec malware researcher Arnold Osipov, the threat actor distributed the malware via cloned websites offering well-known software such as Apache Open Office.

The campaign has victimized students, faculty members, and content makers looking for legitimate applications, as well as various companies in Canada.

The threat actor targeted Canadians by using geographically targeted Google Ads, which pointed to the cloned website.

“The actor is paying for these Google Ads campaigns using stolen information,” Osipov noted.

In another campaign, documented by the Ukrainian CERT, a threat actor is pushing the malware via emails impersonating the Ministry of Education and Science of Ukraine, offering “a new program for writing in the magazine” to Ukrainian citizens and organizations.

“The text of the e-mail contains a message, allegedly, from the Ministry of Education and Science of Ukraine about ‘e-learning journals’, as well as a link to the ‘program’ and a password to the archive. If you open the archive and run the EXE file, the computer will be affected by malware, which, according to a set of labels (despite some differences), is classified as Mars Stealer,” CERT-UA warned.

Mars Stealer’s capabilities

Mars Stealer is relatively new malware based on the Oski Stealer. As described by a malware analyst who goes by the online handle 3xp0rt, it is capable of grabbing system information, files, and authentication credentials from popular internet browsers, 2FA and crypto extensions in Chromium-based browsers, and crypto wallets.

3xp0rt also noted the malware’s feature for avoiding infection of machines from the Commonwealth of Independent States (CIS), but CERT-UA says the function has been disabled in the variant they analyzed.

Morphisec researchers have managed to discover many particulars about the campaign they documented because the threat actor apparently used a cracked version of the malware and flawed environment configuration instructions, which allowed them to take a peek “behind the curtain” by accessing the attacker’s C2 server.

Also, the threat actor compromised his own computer with the Mars Stealer while debugging, so the researchers gleaned even more insight and information that led them to the actor’s GitLab account and the discovery that the threat actor is a Russian speaker.

Chances are good, though, that both of these campaigns have been mounted by opportunistic, financially-motivated threat actors. After all, Mars Stealer can be bought on many underground forums, onion sites, and Telegram channels, for as little as $160.
