Security has never been a strong point of browser-based cryptocurrency wallets for storing bitcoin (BTC), ether (ETH) and other cryptocurrencies. However, new malware is complicating the security of online wallets by directly attacking crypto wallets that act as browser extensions, such as MetaMask, Binance Chain Wallet or Coinbase Wallet.
The new malware, dubbed Mars Stealer by its developers, is a powerful version of the information-stealing Oski trojan from 2019, according to security researcher 3xp0rt. It targets over 40 browser-based cryptocurrency wallets, as well as popular two-factor authentication (2FA) extensions, with a capture feature that steals users’ private keys.
MetaMask, Nifty Wallet, Coinbase Wallet, MEW CX, Ronin Wallet, Binance Chain Wallet and TronLink are listed among the targeted wallets. The security expert notes that the malware can target extensions in Chromium-based browsers, with the exception of Opera. Unfortunately, this means that some of the most popular browsers, such as Google Chrome, Microsoft Edge and Brave, have made the list. Although both are protected from extension-related attacks, Firefox and Opera are also vulnerable to hacking.
Mars Stealer can be distributed through various channels such as file hosting, torrent clients and other suspicious downloaders. After infecting the system, the malware first checks the language of the device. If it matches the language identifier of Kazakhstan, Uzbekistan, Azerbaijan, Belarus or Russia, the program leaves the system without taking any malicious action.
For the rest of the world, the malware targets a file containing sensitive information such as cryptocurrency wallet address information and private keys. It then leaves the system, removing any trace of its presence once the theft is complete.
Hackers are currently selling Mars Stealer for $140 on dark web forums, which means the barrier to obtaining the trojan is relatively low for attackers. Users who store cryptocurrencies in browser-based wallets or use browser extensions such as Authy for two-factor authentication (2FA) are warned against clicking on suspicious links or downloads.