Oski Stealer Threatens Crypto Wallet Owners by Targeting Private Keys

Oski Password Stealer

The sad reality is that selling malware can be an extremely lucrative business. There's no shortage of wannabe cybercriminals who lack the skills to produce a noteworthy threat but are more than willing to spend cash on tools that other people develop. This suits the malware authors perfectly: they get to make money from their programming skills, and because they don't launch the campaigns themselves, they are less likely to get caught. The demand is enormous, but the customers are picky. The competition is stiff, and it's not easy for a newcomer to make a significant impact. Earlier this month, however, security researcher Aditya K Sood discovered a recently released information stealer that might be powerful enough to make a name for itself.

It's called the Oski stealer, and it's been bought and sold on the underground markets for about two months now. For the time being, it seems to be mostly aimed at users in North America and China, but given that it's advertised on hacking forums, this can change very quickly. But what makes it stand out from the crowd?

A versatile information stealer targeting browsers and cryptocurrency wallets

Because paying customers deploy Oski in numerous different campaigns, there is no single infection vector. According to security news outlet SecurityWeek, the stealer is distributed through a variety of means, including drive-by downloads, exploit kits, and phishing. It runs on the 32- and 64-bit versions of Windows 7, Windows 8/8.1, and Windows 10.

Oski has several methods for stealing login credentials. It can extract data from entries in the Windows registry, browsers' SQLite databases, and session cookies, and it can also perform man-in-the-browser attacks by hooking into the browser process via DLL injection. All in all, it's a rather versatile password stealer.

It works on virtually all Firefox- and Chromium-based browsers, and it can also pilfer the saved login data from the FileZilla FTP client as well as the private keys for a number of popular cryptocurrency wallets. The stolen credentials are first stored inside the %ProgramData% folder, after which they are compressed in a ZIP file and sent to the crooks' Command & Control (C&C) server via an encrypted HTTP POST request.
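The two preceding paragraphs describe a staging pattern a defender can look for: credentials are written under %ProgramData%, compressed into a ZIP archive, and then posted to a C&C server over HTTP. The following Python script is an added example, not code from the article or from any Oski analysis: it runs a simple correlation rule over constructed, simplified endpoint-telemetry records (the record layout, hostnames, process names, paths and the 203.0.113.0/24 documentation address are all made up for the illustration) and flags a process that creates a .zip under ProgramData and opens an outbound HTTP(S) connection to a non-internal address shortly afterwards. A backup agent that writes an archive and talks to a LAN server, and a process whose external connection comes long after the archive, are included to show that the rule does not fire on them.

```python
"""Toy correlation rule for the staging-then-upload pattern described above.

All events below are CONSTRUCTED for this illustration; the field names are a
simplified stand-in for real endpoint telemetry, not an actual log format.
"""
from datetime import datetime, timedelta
import ipaddress
import re

# Constructed sample telemetry: file-create and network-connect events per process.
SAMPLE_EVENTS = [
    # Suspicious: unknown binary drops a .zip under ProgramData, then posts externally.
    {"ts": "2020-01-28T10:00:01", "host": "ws01", "pid": 4120,
     "image": "C:\\Users\\bob\\AppData\\Local\\Temp\\invoice_viewer.exe",
     "type": "file_create", "target": "C:\\ProgramData\\7f3a9c\\7f3a9c.zip"},
    {"ts": "2020-01-28T10:00:09", "host": "ws01", "pid": 4120,
     "image": "C:\\Users\\bob\\AppData\\Local\\Temp\\invoice_viewer.exe",
     "type": "net_connect", "dest_ip": "203.0.113.45", "dest_port": 80},
    # Benign: backup agent writes an archive, then contacts an internal server.
    {"ts": "2020-01-28T10:05:00", "host": "ws02", "pid": 880,
     "image": "C:\\Program Files\\BackupAgent\\agent.exe",
     "type": "file_create", "target": "C:\\ProgramData\\BackupAgent\\snapshot.zip"},
    {"ts": "2020-01-28T10:05:02", "host": "ws02", "pid": 880,
     "image": "C:\\Program Files\\BackupAgent\\agent.exe",
     "type": "net_connect", "dest_ip": "10.0.0.5", "dest_port": 443},
    # Benign: archive written, but the external connection is far outside the window.
    {"ts": "2020-01-28T09:00:00", "host": "ws03", "pid": 2222,
     "image": "C:\\Program Files\\Updater\\updater.exe",
     "type": "file_create", "target": "C:\\ProgramData\\Updater\\cache.zip"},
    {"ts": "2020-01-28T09:30:00", "host": "ws03", "pid": 2222,
     "image": "C:\\Program Files\\Updater\\updater.exe",
     "type": "net_connect", "dest_ip": "203.0.113.9", "dest_port": 443},
]

# Matches a .zip anywhere below <drive>:\ProgramData (case-insensitive).
_STAGED_ZIP = re.compile(r"^[a-z]:\\programdata\\.+\.zip$", re.IGNORECASE)

# RFC 1918, loopback and link-local ranges are treated as internal. The
# 203.0.113.0/24 documentation range used in the sample counts as external here.
_INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def is_staged_archive(path: str) -> bool:
    """True if the path is a ZIP archive under the ProgramData directory."""
    return bool(_STAGED_ZIP.match(path))


def is_external(ip: str) -> bool:
    """True if the address is outside the internal ranges listed above."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in _INTERNAL_NETS)


def find_staging_exfil(events, window=timedelta(minutes=5)):
    """Return one alert per (host, pid) that created a staged archive and then
    connected to an external HTTP(S) endpoint within `window`."""
    alerts = []
    last_archive = {}  # (host, pid) -> (timestamp, archive path, image)
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort lexically
        key = (ev["host"], ev["pid"])
        ts = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "file_create" and is_staged_archive(ev["target"]):
            last_archive[key] = (ts, ev["target"], ev["image"])
        elif (ev["type"] == "net_connect" and ev["dest_port"] in (80, 443)
              and is_external(ev["dest_ip"])):
            staged = last_archive.get(key)
            if staged and ts - staged[0] <= window:
                alerts.append({
                    "host": ev["host"], "pid": ev["pid"], "image": staged[2],
                    "archive": staged[1], "dest_ip": ev["dest_ip"],
                    "dest_port": ev["dest_port"],
                    "seconds_after_archive": int((ts - staged[0]).total_seconds()),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_staging_exfil(SAMPLE_EVENTS):
        print(alert)
```

The rule keys on the process (host and pid) rather than on the file alone, so a second process uploading an archive that a first one wrote would be missed; correlating on the archive path across processes, and adding the article's other indicators (access to browser SQLite databases and DLL injection into a browser process), would be natural extensions for a production detection.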

Oski is spreading fast

Speaking of the C&C, while analyzing the Oski sample he'd discovered, Aditya K Sood noticed a Russian IP address, which led him to one of the stealer's Command & Control servers. According to ThreatPost, he brute-forced his way in and discovered that the malware is spreading at an alarming rate. When he logged in for the first time, Sood saw logs from 88 infected computers and a little over 43 thousand stolen passwords. About 10 hours later, he took another look and found logs from a whopping 249 infected hosts. Meanwhile, the number of compromised login credentials had grown to just under 50 thousand.

When he spoke to ThreatPost a couple of weeks ago, Sood said that Oski was showing no signs of slowing down, which means that people must be aware of the danger. Unfortunately, because of the multitude of distribution methods, it's difficult to put together a single list of precautions. Some conventional infosec wisdom should help a lot, though: be careful with the links and attachments that land in your inbox, stick to reputable websites when browsing, and keep your software patched.

January 28, 2020
