Mars Stealer malware pushed through OpenOffice ads on Google


A newly launched information-stealing malware variant called Mars Stealer is gaining popularity and threat analysts are now seeing the first notable large-scale campaigns using it.

Mars Stealer originated as a redesign of the Oski malware that halted development in 2020, with expanded information-stealing capabilities targeting a broad spectrum of apps.

Promoted on hacking forums at affordable prices in the $140-$160 range, Mars Stealer grew slowly until recently, when the abrupt shutdown of Raccoon Stealer forced cybercriminals to look for alternatives.

Mars Stealer has been overwhelmed with an influx of new users, as the service works the same way Raccoon used to, so it’s about to become the springboard for plenty of new campaigns.

Mars Stealer developer overwhelmed by new requests

Threat analysts at Morphisec report seeing several of these new campaigns, including one with a cracked version of the malware circulating with instructions on how to use it.

OpenOffice campaign

A new Mars Stealer campaign discovered by Morphisec uses Google Ads to rank cloned OpenOffice sites highly in Canadian search results.

Poisoning Google search results with malicious ads (Morphisec)

OpenOffice is a once-popular open-source office suite, now owned by the Apache Foundation and surpassed by LibreOffice, which started as a fork of it in 2010.

However, OpenOffice still enjoys a respectable number of daily downloads from those looking for a free document and spreadsheet editor. The threat actors may not have cloned the much more popular LibreOffice as that would result in its quick removal due to numerous reports.

Malicious site compared to the real one (Morphisec)

The OpenOffice installer on the fake site is actually a Mars Stealer executable packed with the Babadeda crypter or the AutoIt loader, so victims unknowingly infect themselves.

Due to an error in the configuration instructions of the cracked version, the operator exposed the ‘logs’ directory of the victims, giving full access to any visitor.

A log is a zip file containing data stolen by an information-stealing trojan and uploaded to the threat actors’ command and control servers.

Directory where stolen data (logs) is stored (Morphisec)

In this campaign, the stolen information produced by Mars Stealer appears to include browser data, browser extension data, credit cards, IP address, country code, and time zone.

Since the threat actor infected themselves with their copy of Mars Stealer while debugging, their sensitive information was also exposed.

This flaw allowed the researchers to attribute the attacks to a Russian speaker and discover the threat actor’s GitLab accounts, the stolen credentials used to pay for Google Ads, and more.

A threat to crypto assets

Mars Stealer is a growing threat, promoted on more than 47 darknet sites and hacking forums, Telegram channels and “unofficial” distribution channels such as the cracked package.

Morphisec says that the operators of these info stealers have a strong focus on cryptocurrency assets.

Overview of stolen logs from one campaign operator (Morphisec)

The most frequently stolen browser plugin in the analyzed campaign is MetaMask, followed by Coinbase Wallet, Binance Wallet and Math Wallet, all of which are “hot” wallets for managing cryptocurrency assets.

Morphisec also identified references from a healthcare infrastructure provider in Canada and saw signs of compromise at several leading Canadian service companies.

To protect against info stealers, navigate to official sites directly rather than through Google Ads results, and always scan downloaded executables with your antivirus before running them.

For those looking for a deep technical dive into the new Mars Stealer malware, read 3xp0rt’s analysis of the new malware variant.

This post, Mars Stealer malware pushed through OpenOffice ads on Google, was originally published at “”