Popular Crypto Wallet Used to Spread Mars Stealer Malware

Industry: N/A | Level: Tactical | Source: Cyble

Threat actors crafted a fictitious website masquerading itself as Atomic Wallet, a popular cryptocurrency non-custodial decentralized wallet distributing Mars information stealing malware. The discovery was made by information security researcher, Dee using the Twitter account @ViriBack. Although the phony website was reported on Monday, August 1st, 2022, at the time of our post on August 4th, the fictitious website still remained active. When comparing the two websites side by side, it is immediately clear the imposter site is not an exact copy as there are differences in web design. However, the Atomic Wallet brand, logos, and themes are all present on the fictitious site. Victims are likely brought to the fictitious version of the site through malvertising campaigns, spam, and/or SEO poisoning. When downloading the "wallet" for Windows, a zip file containing a bat file is provided. The host's PowerShell executable is copied into the current directory to be renamed as AtomicWallet_Setup.bat.exe and is hidden using the attrib command. Following modifications to Windows Defender to exclude downloaded executables, Mars Stealer can be installed to exfiltrate host information.

Anvilogic Scenario:

• Mars Information Stealer Malware - Infection

Anvilogic Use Cases:

• Attrib.exe Metasploit File Dropper
• Modify Windows Defender
• Executable File Written to Disk

‍