Hackers Block Mars Stealer Operators From Their Own Servers TechCrunch

A security research and hacking startup claims to have found a coding flaw that allows it to lock the operators of the Mars Stealer malware out of their own servers and free their victims.

Mars Stealer is data-stealing malware sold as a service, allowing cybercriminals to rent access to the infrastructure needed to launch their own attacks. The malware itself is often distributed as an email attachment, through malicious advertisements, and bundled with torrent files on file-sharing sites. Once a machine is infected, the malware steals the victim's passwords and two-factor codes from their browser extensions, as well as the contents of their cryptocurrency wallets. The malware can also be used to deliver other malicious payloads, such as ransomware.

Earlier this year, a cracked copy of the Mars Stealer malware was leaked online, allowing anyone to build their own Mars Stealer command-and-control server. But its documentation was flawed and guided would-be bad actors to set up their servers in a way that inadvertently exposed log files full of data stolen from victims' computers. In some cases, the operator would inadvertently infect themselves with the malware and expose their own private data.

Mars Stealer gained traction in March after Raccoon Stealer, another popular data-stealing malware, abruptly shut down. This led to an increase in new Mars Stealer campaigns, including the mass targeting of Ukraine in the weeks following the Russian invasion, and a large-scale effort to infect victims through malicious advertisements. In April, security researchers said they had found more than 40 servers hosting Mars Stealer.

Now Buguard, a penetration testing startup, says the vulnerability it discovered in the leaked malware allows it to remotely break into and "defeat" the Mars Stealer command-and-control servers that are used to steal data from victims' infected computers.

Youssef Mohamed, the company's chief technology officer, told TechCrunch that the vulnerability, once exploited, deletes the logs from the targeted Mars Stealer server, terminates all active sessions, which severs the connections to victims' computers, and then scrambles the dashboard password so that the operators cannot log in again.

Mohamed said this means the operator loses access to all of their stolen data and would have to target and re-infect their victims all over again.

Actively targeting the servers of bad actors and cybercriminals, known as "hacking back," is unorthodox and hotly debated for both its merits and its drawbacks, which is why in the U.S. the practice is restricted to government agencies. A generally accepted principle of good-faith security research is to look but not touch: if something found online is not yours, only document and report it. A common tactic is instead to ask web hosts and domain registrars to shut down malicious domains, but some malicious actors set up shop in countries and on networks where they can run their operations largely with full legal impunity and without fear of prosecution.

Mohamed said his company had discovered and neutralized five Mars Stealer servers so far, four of which subsequently went offline. The company is not publishing the vulnerability, so as not to tip off operators, but said it will share details of the flaw with authorities in an effort to help root out more Mars Stealer operators. The vulnerability also exists in Erbium, another data-stealing malware with a malware-as-a-service model similar to Mars Stealer's, Mohamed said.
