Threat actors impersonate Atomic Wallet with a phishing site to deliver Mars Stealer, a credential-theft malware. The campaign uses a staged download chain, PowerShell, AES decryption, and a Discord-hosted payload that exfiltrates data to a C2 server. #MarsStealer #AtomicWallet #Phishing #Discord #Bitly
Key points
- Phishing site impersonates Atomic Wallet to lure victims into downloading malware.
- User interaction with the site leads to a download page offering Atomic Wallet for Windows, iOS, and Android.
- The delivered payload arrives as a ZIP containing a BAT/EXE chain that elevates privileges and hides the executable.
- The BAT/PowerShell sequence decodes base64 content, decrypts it with AES, and decompresses a Gzip stream to load Mars Stealer.
- Mars Stealer targets browser wallets and extensions, stealing credentials and other sensitive data, then exfiltrates them to a C2 server; the stealer payload itself is hosted on Discord.
- IOCs include specific file hashes and URLs, notably the atomic-wallet.net phishing domain and a Bitly shortened download link.
- Mitigation tips cover avoiding pirated software, enforcing MFA, and deploying DLP and endpoint protections.
MITRE Techniques
- [T1566] Phishing – The phishing site uses the icon and name of the Atomic wallet to trick users. “The phishing site hxxp://atomic-wallet[.]net uses the icon and name of the Atomic wallet. Additionally, the Threat Actor is trying to copy the UI of a genuine website to trick the user, as shown in the below image.”
- [T1204] User Execution – When the user clicks the “Download” button, the phishing site redirects to a download options page offering Atomic wallet for Windows, iOS, and Android (illustrated in the source report).
- [T1564] Hidden Files and Directories – The BAT file hides the dropped executable using the attrib command. “hiding the .exe file using the attrib command.”
- [T1027] Obfuscated Files or Information – The BAT/PowerShell stage decodes base64 content, AES-decrypts it, and keeps the resulting Gzip-compressed stream in memory rather than writing it to disk. “decodes the base64-encoded content and decrypts it using an AES algorithm that stores a Gzip Compressed stream in the memory.”
- [T1555] Credentials from Password Stores – The malware gathers user credentials, system information, and other sensitive data.
- [T1539] Steal Web Session Cookies – The malware gathers user credentials, system information, and other sensitive data.
- [T1552] Unsecured Credentials – The malware gathers user credentials, system information, and other sensitive data.
- [T1528] Steal Application Access Token – The malware gathers user credentials, system information, and other sensitive data.
- [T1082] System Information Discovery – The malware gathers system information.
- [T1041] Exfiltration Over C2 Channel – The malware exfiltrates the stolen data to the C&C server.
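A defender-side check for the loader chain described under T1564 and T1027, added here as an example and not taken from the Cyble report: it scans a script body for the co-occurrence of attrib hiding, base64 decoding, AES decryption, Gzip decompression and in-memory loading. The two script texts are constructed for this example, and the API names matched are common .NET/PowerShell identifiers, not strings recovered from the actual sample.

```python
import re

# Constructed stand-in for the staged BAT -> PowerShell chain: hide the dropped
# EXE with attrib, then decode/decrypt/decompress a payload in memory.
SAMPLE_BAT = r"""
@echo off
attrib +s +h "%~dp0AtomicWallet.exe"
powershell -w hidden -ep bypass -c "$b=[Convert]::FromBase64String($env:BLOB);$a=[System.Security.Cryptography.Aes]::Create();$d=$a.CreateDecryptor($k,$iv);$g=New-Object IO.Compression.GzipStream($ms,[IO.Compression.CompressionMode]::Decompress);[Reflection.Assembly]::Load($bytes)"
"""

# Constructed benign script that also calls PowerShell, to show it is not flagged.
BENIGN_BAT = r"""
@echo off
rem Nightly backup
xcopy C:\Data D:\Backup /E /Y
powershell -c "Compress-Archive -Path D:\Backup -DestinationPath D:\backup.zip"
"""

# One regex per stage of the chain; names are the stage labels used in the report.
STAGES = [
    ("hide_artifact", re.compile(r"\battrib\b[^\n]*\+h", re.I)),
    ("base64_decode", re.compile(r"FromBase64String", re.I)),
    ("aes_decrypt", re.compile(r"(AesCryptoServiceProvider|Cryptography\.Aes\b|CreateDecryptor)", re.I)),
    ("gzip_decompress", re.compile(r"GzipStream[^\n]*Decompress", re.I)),
    ("memory_load", re.compile(r"(Assembly\]::Load\b|Invoke-Expression|\bIEX\b)", re.I)),
]

def classify_script(text):
    """Return (verdict, stages_hit). The verdict is 'suspicious' only when the
    decode -> decrypt -> decompress core is present together; the hide and
    in-memory-load stages are reported as extra context for the analyst."""
    hits = [name for name, rx in STAGES if rx.search(text)]
    core = {"base64_decode", "aes_decrypt", "gzip_decompress"}
    verdict = "suspicious" if core.issubset(hits) else "benign"
    return verdict, hits

if __name__ == "__main__":
    for label, body in (("sample", SAMPLE_BAT), ("benign", BENIGN_BAT)):
        print(label, classify_script(body))
```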
Indicators of Compromise
- [SHA256] Hashes of files – 33d0d9fe89f0dba2b89347a0e2e6deb22542476d98676187f8c1eb529cb3997f, 10afe233525aaf99064e4e444f11a8fc01f8b9f508e4f123fd76b314a6d360f9
- [SHA1] Hashes of files – dfdbb09661ee90ad4e88e7b0510653c93485a4b2, 0f6e3442c67d6688fae5f51b4f60b78cd05f30df
- [MD5] Hashes of files – 3004914cdfa67357410e6f0c9a091655, 10f0d3a64949a6e15a9c389059a8f379
- [URL] Malware distribution site – hxxps://atomic-wallet[.]net, Bitly short link – hxxps://bit[.]ly/3PRDyH8
Read more: https://blog.cyble.com/2022/08/02/fake-atomic-wallet-distributing-mars-stealer/