Mars Stealer malware pushed via Google Ads and phishing emails (Security News, March 2022)

Cybercriminals trying to foist the Mars Stealer malware onto users seemingly have a penchant for one particular tactic: disguising it as legitimate, benign software to trick users into downloading it.
In a recent campaign described by Morphisec malware researcher Arnold Osipov, the threat actor distributed the malware via cloned websites offering well-known software such as Apache Open Office.
"The actor is paying for these Google Ads campaigns using stolen information," Osipov noted.
In another campaign, documented by the Ukrainian CERT, a threat actor is pushing the malware via emails impersonating the Ministry of Education and Science of Ukraine, offering "a new program for writing in the magazine" to Ukrainian citizens and organizations.
Mars Stealer is relatively new malware based on the Oski Stealer.
The threat actor compromised their own computer with Mars Stealer while debugging, which gave the researchers even more insight and information that led them to the actor's GitLab account and to the discovery that the threat actor is a Russian speaker.
News URL: https://www.helpnetsecurity.com/2022/03/30/mars-stealer/