Cyble-Fake-Atomic-Stealer

Fake Atomic Wallet Website Distributing Mars Stealer

Info Stealer Targeting Browsers and Crypto Wallets

The popularity of Cryptocurrency has increased exponentially over the recent years as dealing with crypto has become relatively hassle-free and more accessible. The financial returns of crypto investments have attracted many investors to invest in crypto markets.

As the demand for crypto investment has increased over the years, we can also see a corresponding rise in the number of crypto wallets. Some popular crypto wallets such as Binance, Atomic, Exodus, Coinbase, Metamask, and Trust are the most commonly used platforms to manage and transact Cryptocurrency.

Despite gaining popularity worldwide, Cryptocurrency also has its downsides. It opens the door for various malicious activities like phishing, scams, hacking, delivering malware, etc.

Cyble Research Labs has constantly been tracking malicious activities targeting Cryptocurrency wallets. During a routine threat-hunting exercise, we came across a Twitter post where a researcher mentioned a fake Atomic wallet site distributing Mars Stealer.

The phishing site “hxxp://atomic-wallet[.]net” uses the icon and name of the Atomic wallet. Additionally, the Threat Actor is trying to copy the UI of a genuine website to trick the user, as shown in the below image.

Figure 1 – Phishing site impersonating Atomic Wallet website

Upon investigating the phishing site, we observed that the TA has invested time in developing a well-designed phishing site to trick victims into downloading the malware.

The phishing site appears to be genuine as the TA provided some attractive content such as Trusted Reviews, Cashback, FAQ, Partners, Contact Us page, Support, and Update History.

Figure 2 – Content on Phishing site to appear legitimate

When the user interacts with the “Download” button, the phishing site redirects to the download options page, where the user can download Atomic wallet for Windows, iOS, and Android, as shown in the below image.

Figure 3 – Download options for the user

The App Store button is inactive while, the Google Play button redirects the user to the genuine Atomic Wallet Play Store link.

When the user clicks on the “Download for Windows” button, it connects to shortened URL “hxxps://bit[.]ly/3PRDyH8” and downloads a Zip file named “Atomic Wallet.zip“.

After a detailed investigation, the downloaded file was identified as a Mars Stealer sample. Mars Stealer was discovered in June 2021 and was available for sale on a few underground cybercrime forums. Mars stealer primarily targets browser extensions, crypto extensions and wallets, and 2FA plugins.

Technical Analysis

The downloaded Zip file contains the “AtomicWallet-Setup.bat” file containing malicious code, as shown in the below image.

Figure 4 – Downloaded Zip file content

Upon execution, the .bat file invokes the Powershell command, enabling the administrative elevation for its execution.

Figure 5 – Executing PowerShell command for admin privileges  

The .bat file then copies powershell.exe into the current directory, renames it as AtomicWallet_Setup.bat.exe, and then hides it using the attrib command.

Figure 6 – Hiding the .exe file using the attrib command

Then, the .bat file executes PowerShell content using AtomicWallet_Setup.bat.exe, which further decodes the base64-encoded content and decrypts it using an AES algorithm that stores a Gzip Compressed stream in the memory.

The below figure shows the code used by the malware to perform AES decryption and GZip Decompression.

Figure 7 – Code for AES Decryption and GZip Decompression

Finally, the malware decompresses the GZip content and loads the final PowerShell code that downloads Mars Stealer from the Discord server to the victim’s %LOCALAPPDATA% location.

Figure 8 – Downloading Mars Stealer from the Discord server

The below figure shows the infection chain of Mars Stealer. After downloading Mars stealer, the .bat file deletes the “AtomicWallet_Setup.bat.exe” from the victim’s machine.

Figure 9 – Infection chain

After successful installation, Mars Stealer steals sensitive information from the victim’s device and exfiltrates the stolen data to the C&C server.

Figure 10 – Malware sending stolen data to the C&C server

Conclusion

According to our research, the TAs behind Mars stealer are adopting sophisticated phishing attacks to distribute Mars Stealer and gather user credentials, system information, and other sensitive data.

The criminals may use compromised credentials to carry out attacks to stay under the radar and avoid tripping any security monitoring rules, thus alerting any victims to the attempted compromise.

Our Recommendations

  • Avoid downloading pirated software from unverified sites.
  • Use strong passwords and enforce multi-factor authentication wherever possible. 
  • Keep updating your passwords after certain intervals.
  • Use a reputed anti-virus and internet security software package on your connected devices, including PC, laptop, and mobile.  
  • Refrain from opening untrusted links and email attachments without first verifying their authenticity.   
  • Block URLs that could be used to spread the malware, e.g., Torrent/Warez.  
  • Monitor the beacon on the network level to block data exfiltration by malware or TAs.  
  • Enable Data Loss Prevention (DLP) Solutions on employees’ systems. 

MITRE ATT&CK® Techniques

TacticTechnique IDTechnique Name
Initial AccessT1566Phishing
ExecutionT1204User Execution
Defense EvasionT1564Hidden Files and Directory
Defense EvasionT1027Obfuscated Files or Information
Credential AccessT1555
T1539
T1552
T1528
Credentials from Password Stores
Steal Web Session Cookies
Unsecured Credentials
Steal Application Access Token
DiscoveryT1082System Information Discovery
ExfiltrationT1041Exfiltration Over C&C Channel 

Indicators Of Compromise (IOCs)

IndicatorsIndicator TypeDescription
33d0d9fe89f0dba2b89347a0e2e6deb22542476d98676187f8c1eb529cb3997fSHA256Hash of the analyzed bat file
dfdbb09661ee90ad4e88e7b0510653c93485a4b2SHA1Hash of the analyzed bat file
3004914cdfa67357410e6f0c9a091655MD5Hash of the analyzed bat file
10afe233525aaf99064e4e444f11a8fc01f8b9f508e4f123fd76b314a6d360f9SHA256Hash of the analyzed Mars Stealer exe file
0f6e3442c67d6688fae5f51b4f60b78cd05f30dfSHA1Hash of the analyzed Mars Stealer exe file
10f0d3a64949a6e15a9c389059a8f379MD5Hash of the analyzed Mars Stealer exe file
hxxps://atomic-wallet[.]netURLMalware distribution site/C&C server
Scroll to Top