Hackers block Mars Stealer operators from accessing their own servers • CableFree TV

A security research and hacking startup says it has discovered a vulnerability in the malware’s code that allows it to lock Mars Stealer operators out of their own servers and free their victims.

Mars Stealer is a data-stealing malware-as-a-service that lets cybercriminals rent access to infrastructure to carry out their own attacks. The malware itself is often distributed through email attachments, malicious ads, and bundles with torrent files on file-sharing sites. Once a machine is infected, the malware steals victims’ passwords and two-factor codes from their browser extensions, as well as the contents of their cryptocurrency wallets. The malware can also be used to deliver other malicious payloads, such as ransomware.

Earlier this year, a cracked copy of the Mars Stealer malware was leaked online, allowing anyone to set up their own Mars Stealer command and control server. Its documentation was flawed, however, and directed would-be attackers to configure their servers in a way that inadvertently exposed the log files containing data stolen from victims’ computers. In some cases, operators inadvertently infected themselves with the malware and exposed their own personal data.

Mars Stealer gained momentum in March after the demise of Raccoon Stealer, another popular data-stealing malware. This led to a surge in new Mars Stealer campaigns, including the mass targeting of Ukraine in the weeks after the Russian invasion, as well as large-scale attempts to infect victims through malicious ads. By April, security researchers said they had discovered more than 40 servers hosting Mars Stealer.

Now Buguard, a penetration testing startup, says that a vulnerability it found in the leaked malware allows it to remotely break into and “defeat” Mars Stealer’s command and control servers, which are used to collect data stolen from infected victims’ computers.

Youssef Mohamed, the company’s chief technology officer, told TechCrunch that the vulnerability, once exploited, deletes the logs from the targeted Mars Stealer server, terminates all active sessions (severing the connections to victims’ computers), and then encrypts the control panel password to prevent operators from logging in.

Mohamed said this means the operator loses access to all of their stolen data and would have to re-target and re-infect their victims.

Actively targeting servers used by attackers and cybercriminals, known as “hacking back,” is unorthodox and hotly debated on both its merits and its drawbacks, which is why the practice in the US is reserved exclusively for government agencies. A generally accepted principle of good-faith security research is to look but not touch anything found on the Internet that does not belong to you, and only to document and report it. But while a common tactic is to ask web hosts and domain registrars to shut down malicious domains, some attackers set up shop in countries and networks where they can carry out their malware operations largely with impunity and without fear of prosecution.

Mohamed said his company has so far located and neutralized five Mars Stealer servers, four of which have since gone offline. The company is not releasing details of the vulnerability, so as not to tip off operators, but said it will share them with authorities to help take down more Mars Stealer operators. The vulnerability also exists in Erbium, another data-stealing malware with a malware-as-a-service model similar to that of Mars Stealer, Mohamed said.

By Peter Kavinsky

Peter Kavinsky is the Executive Editor at