"Hackers Are Locking Out Mars Stealer Operators From Their Own Servers"

A security research and hacking startup discovered a coding flaw that enables locking out Mars Stealer malware operators from their own servers and releasing their victims. Mars Stealer is a data-stealing Malware-as-a-Service (MaaS) that allows cybercriminals to rent access to infrastructure in order to launch their own attacks. The malware is often distributed through email attachments, malicious advertisements, and torrented files on file-sharing websites. Once a victim is infected, the malware steals their passwords, two-factor codes from their browser extensions, and the contents of their cryptocurrency wallets. It can also deliver other malicious payloads, such as ransomware.

A cracked version of the Mars Stealer malware was leaked online earlier this year, allowing anyone to build their own Mars Stealer command-and-control (C2) server. However, its documentation was flawed, leading would-be bad actors to configure their servers in a way that would accidentally expose log files with user data stolen from victims. In some cases, the operator would accidentally infect themselves with the malware, thus exposing their own personal information.

Mars Stealer gained popularity in March following the removal of Raccoon Stealer, another prevalent data-stealing malware. This resulted in an increase in new Mars Stealer campaigns, which included the mass-targeting of Ukraine following Russia's invasion, as well as a large-scale effort to infect victims with malicious advertisements. By April, security researchers had discovered over 40 servers hosting Mars Stealer.

Buguard, the startup, says the vulnerability it discovered in the leaked malware allows it to remotely break in and defeat Mars Stealer C2 servers, which are used to steal data from infected victims' computers. According to Youssef Mohamed, the company's CTO, once exploited, the vulnerability deletes the logs from the targeted Mars Stealer server, terminates all active sessions, which cuts the connection to the victims' computers, and scrambles the dashboard's password so that the operators cannot log back in. This article continues to discuss the flaw that could lead to Mars Stealer malware operators being locked out of their own servers.

TechCrunch reports "Hackers Are Locking Out Mars Stealer Operators From Their Own Servers"
