Marsnew infostealer is being distributed via OpenOffice ads on Google

The new Mars infostealer is still gaining popularity in the hacker community, and analysts are already marking the first large-scale campaigns using it.

Mars is a redesigned version of the Oski มัลแวร์, which was discontinued in 2020. The malware is highly capable of stealing information and attacks a very wide range of applications, including popular browsers, two-factor authentication plugins, as well as many extensions and wallets for working with cryptocurrencies.

Mars also collects and sends to its operators the following information about the victim’s system:

  1. IP address and country;
  2. path to EXE file;
  3. local time and time zone;
  4. system language;
  5. language keyboard layout;
  6. laptop or desktop;
  7. processor model;
  8. computer name;
  9. username;
  10. computer name in the domain;
  11. machine identifier;
  12. GUID;
  13. installed programs and their versions.

New infostealer Mars
Mars Admin

Advertised on many hacking forums for between $140 และ $160 for a lifetime license, Mars has grown rather slowly until recently, but it looks like the recent shutdown of Raccoon Stealer has forced hackers to look for alternatives and take a look at Mars. It got to the point that the authors of the malware wrote that they could barely cope with the influx of new customers.

New infostealer Mars

Most often, this malware is distributed through spam emails containing an executable file in an archive, a download link, or a malicious document. อย่างไรก็ตาม, sometimes Mars is also distributed through fraudulent sites. One of these campaigns, which is definitely getting bigger after the influx of customers, was discovered by experts at Morphisec. According to them, the malware uses Google Ads to bring clone sites of the open source OpenOffice to the top positions in search results in Canada.

The OpenOffice installer on such a fake site is a Mars executable packaged with the Babadeda cryptor or the Autoit bootloader.

น่าสนใจ, shortly after the release of Mars, a hacked version of the malware with instructions appeared, which has serious flaws. In particular, it prescribes to set up full access (777) to the entire project, including the directory with the logs of the victims.

The logs are a ZIP file containing data stolen by the malware from users and uploaded to the C&เซิร์ฟเวอร์ซี. The inaccuracy in the instructions has led to the fact that attackers misconfigure their environment, revealing important information to the whole world.

The researchers found that, as part of the campaign mentioned above, the stolen information included browser autofill data, browser extension data, bank card information, IP address, country code and time zone.

New infostealer Mars

Since the malware operator who followed the instructions infected himself with a copy of Mars (apparently during debugging), his personal data was also disclosed. This miscalculation allowed Morphisec experts to link the attacks to the Russian-speaking user, finding his GitLab accounts, stolen credentials used to pay for Google Ads, and more.

The Morphisec Labs team reports that in total they were able to identify more than 50 infected domain users who compromised their companiesdomain passwords. The vast majority of victims are students, educators and content creators who were looking for legitimate apps but got malware instead.

Morphisec was also able to isolate credentials that led to the complete compromise of an unnamed infrastructure solutions provider from Canada and a number of well-known Canadian service companies. Experts have already contacted the victims and notified the authorities about the incident.

ฉันขอเตือนคุณว่าเรายังได้พูดคุยเกี่ยวกับความจริงที่ว่า มัลแวร์ขโมยรหัสผ่านติดเชื้อมากกว่า 100,000 ผู้ใช้ผ่านทาง Google Play Store, และนั่นด้วย SharkBot Android Trojan Steals Cryptocurrency and Hacks Bank Accounts.

เฮลก้า สมิธ

ฉันสนใจวิทยาการคอมพิวเตอร์มาโดยตลอด, โดยเฉพาะความปลอดภัยของข้อมูลและธีม, ซึ่งเรียกกันในปัจจุบันว่า "วิทยาศาสตร์ข้อมูล", ตั้งแต่วัยรุ่นตอนต้นของฉัน. ก่อนจะมาอยู่ในทีมกำจัดไวรัสในตำแหน่งหัวหน้าบรรณาธิการ, ฉันทำงานเป็นผู้เชี่ยวชาญด้านความปลอดภัยทางไซเบอร์ในหลายบริษัท, รวมถึงหนึ่งในผู้รับเหมาของ Amazon. ประสบการณ์อื่น: ฉันได้สอนในมหาวิทยาลัยอาร์เดนและรีดดิ้ง.

ทิ้งคำตอบไว้

เว็บไซต์นี้ใช้ Akismet เพื่อลดสแปม. เรียนรู้วิธีประมวลผลข้อมูลความคิดเห็นของคุณ.

ปุ่มกลับไปด้านบน