Hackers are locking out Mars Stealer operators from their own servers

A security research and hacking startup says it has found a coding flaw that allows it to lock out operators of the Mars Stealer malware from their own servers and release their victims.

Mars Stealer is data-stealing malware as a service, allowing cybercriminals to rent access to the infrastructure to launch their own attacks. The malware itself is often distributed as email attachments, malicious ads and bundled with torrented files on file-sharing sites. Once infected, the malware steals a victim’s passwords and two-factor codes from their browser extensions, as well as the contents of their cryptocurrency wallets. The malware can also be used to deliver other malicious payloads, like ransomware.

Earlier this year, a cracked copy of the Mars Stealer malware leaked online, allowing anyone to build their own Mars Stealer command and control server, but its documentation was flawed, and guided would-be bad actors to configure their servers in a way that would inadvertently expose the log files packed with user data stolen from victims’ computers. In some cases, the operator would inadvertently infect themselves with malware and expose their own private data.

Mars Stealer gained traction in March after the takedown of Raccoon Stealer, another popular data-stealing malware. That led to an uptick in new Mars Stealer campaigns, including the mass-targeting of Ukraine in the weeks following Russia’s invasion, and a large-scale effort to infect victims by malicious ads. By April, security researchers said they found more than 40 servers hosting Mars Stealer.

Now, Buguard, a penetration testing startup, said the vulnerability it discovered in the leaked malware lets it remotely break in and “defeat” Mars Stealer command and control servers that are used to steal data from victim’s infected computers.

Youssef Mohamed, the company’s chief technology officer, told TechCrunch that the vulnerability, once exploited, deletes the logs from the targeted Mars Stealer server, terminates all the active sessions that cuts ties with the victims’ computers, then scrambles the dashboard’s password so that the operators can’t log back in.

Mohamed said this means the operator loses access to all of their stolen data and would have to target and reinfect its victims all over again.

Actively targeting the servers of bad actors and cybercriminals, known as “hacking back,” is unorthodox and hotly debated both for its merits and its drawbacks, and why the practice in the U.S. is solely reserved for government agencies. A generally accepted principle in good-faith security research is to look but don’t touch something found online if it does not belong to you; only document and report it. But while a common tactic is to request that web hosts and domain registrars shut down malicious domains, some bad actors set up shop in countries and on networks where they can operate their malware operations largely with legal impunity and without fear of prosecution.

Mohamed said his company has discovered and neutralized five Mars Stealer servers so far, four of which subsequently went offline. The company is not publishing the vulnerability as to not tip off operators but said it would share details of the flaw with authorities with the aim of helping take down more Mars Stealer operators. The vulnerability also exists in Erbium, another data-stealing malware with a similar malware-as-a-service model to Mars Stealer, Mohamed said.