Security was never the strong suit of browser-based crypto wallets to store Bitcoin (BTC), Ether (ETH) and other cryptocurrencies. However, new malware makes the safety of online wallets even more complicated by directly targeting crypto wallets that work as browser extensions such as MetaMask, Binance Chain Wallet or Coinbase Wallet.
Named Mars Stealer by its developers, the new malware is a powerful upgrade on the information-stealing Oski trojan of 2019, according to security researcher 3xp0rt. It targets more than 40 browser-based crypto wallets, along with popular two-factor authentication (2FA) extensions, with a grabber function that steals users’ private keys.
MetaMask, Nifty Wallet, Coinbase Wallet, MEW CX, Ronin Wallet, Binance Chain Wallet and TronLink are listed as some of the targeted wallets. The security expert notes that the malware can target extensions on Chromium-based browsers except Opera. Sadly, it means some of the most common browsers such as Google Chrome, Microsoft Edge and Brave made it to the list. Also, while they are safe from extension-specific attacks, Firefox and Opera are also vulnerable to credential-hijacking.
Related: ‘Less sophisticated’ malware is stealing millions: Chainalysis
Mars Stealer can be spread through various channels such as file-hosting websites, torrent clients and any other shady downloaders. After infecting a system, the first thing the malware does is check the device language. If it matches the language ID of Kazakhstan, Uzbekistan, Azerbaijan, Belarus or Russia, the software leaves the system without any malicious action.
For the rest of the world, the malware targets a file that holds sensitive information such as crypto wallets’ address info and private keys. It then leaves the system by deleting any presence once the theft is complete.
Hackers are currently selling Mars Stealer for $140 on dark web forums, meaning the barrier to access the trojan is relatively low for malicious actors. Users who hold their crypto assets on browser-based wallets or use browser extensions like Authy to utilize 2FA are warned to be cautious against clicking dubious links or downloads.