Posted on November 23, 2022 at 8:58 AM
Researchers have revealed that a coding vulnerability is locking out operators of the Mars Stealer malware from their servers and freeing their victims.
Mars Stealer gives its operators the infrastructure they need to carry out their attacks. The data-stealing malware is usually delivered through malicious ads and email attachments, or bundled with torrented files on file-sharing platforms. After infecting the victim's computer, the malware steals two-factor codes and passwords from browser extensions. It also tries to steal the contents of the victim's crypto wallets. Additionally, the malware can deliver other malicious payloads such as ransomware.
Earlier this year, security researchers discovered a cracked copy of the Mars Stealer malware that had been exposed online. This allows anyone to build and launch their own Mars Stealer C2, but the copy's documentation is flawed. As a result, actors who followed it configured their servers in a way that unknowingly exposed the logged files.
The Vulnerability Can Allow The Actors To Unknowingly Infect Their Systems
In other instances, the threat actors would unknowingly infect themselves with the malware and leave their own private data exposed. Mars Stealer became widely known in March this year after Raccoon Stealer, another very popular data-stealing malware, was taken down.
Following the takedown, the Mars Stealer campaigns became more rampant. This included the large-scale campaign in April and a mass-targeting of Ukraine weeks after Russia’s invasion.
Security researchers stated that they discovered over 40 servers hosting Mars Stealer, and more may be discovered in the coming weeks.
Cyber security and penetration testing startup Buguard said the flaw it discovered in the leaked malware allows it to remotely break into and disrupt the Mars Stealer command and control servers that are used when stealing data from targeted computers.
The Flaw, Once Exploited, Deletes All The Active Sessions
Buguard's chief technology officer, Youssef Mohamed, commented on the development. He stated that once the flaw is exploited, it deletes the logs from the Mars Stealer server and terminates all the active sessions that are still linked to the victims' systems. Afterward, it scrambles the dashboard password to prevent the operators from logging back in.
Mohamed said it means that the operator completely loses access to the hacked data, and would have to start afresh to launch attacks on targets.
"Hacking back" is the practice of actively targeting the servers of bad actors. It is an old and hotly debated method, both for its benefits and its flaws. Although some private organizations carry it out, in the U.S. the practice is reserved solely for government agencies. U.S. agencies have used such exploits to get into the systems of threat actors who had previously compromised victims' servers.
Five Mars Stealers Have Been Blocked
One major principle of good-faith security research is to investigate, but not alter, something found online that belongs to someone else.
However, while the usual practice is to request that domain registrars and web hosts shut down malicious sites, threat actors still launch their operations from countries that are lenient in their online security laws. There, they can set up shop and carry out serious malicious activities with legal impunity. They can use VPNs to hide their originating IP addresses, making it more difficult for security researchers to discover their locations.
Mohamed said his security team has uncovered and blocked five Mars Stealer servers so far, but many are still out there. The team is still working to discover more in order to limit the info stealer's reach. Four of the discovered malware servers have since gone offline and are no longer accessible.
The security team has not published the vulnerability because it doesn't want to give threat actors any reason to investigate it. In most vulnerability discoveries, the security team keeps its findings secret until the software vendor has released an adequate patch for the vulnerability.
Buguard noted that details of the flaw will be shared with authorities to help them take down more Mars Stealer operators and prevent more exposures.
The flaw also exists in Erbium, another info-stealing malware that operates under the same malware-as-a-service model as Mars Stealer. The security researchers also noted that the vulnerability could be weaponized and exploited by threat actors targeting private institutions and government agencies.