An emergent and effective data-harvesting tool dubbed Oski is proliferating in North America and China, stealing online account credentials, credit-card numbers, cryptowallet accounts and more.
Oski, likely a Finnish or Nordic variant of the word Oska, meaning “Viking warrior or god” in Samoan, began to appear in Dark Web advertisements beginning in December and possibly earlier, according to researcher Aditya K. Sood.
“The offering could be a part of malware-as-a-offering or operators are even selling the completed package to nefarious buyers,” he told Threatpost in an email interview. “Both designs are possible and can be opted.”
Oski started out targeting victims in North America, but in the last few days has added China to its set of targeted geographies. It’s also virulent: Sood said when he first investigated, Oski had racked up 43,336 stolen passwords, primarily from Google campaigns. About 10 hours later, that number had increased to 49,942, with an in the logs from 88 to 249.
“This confirmed that Oski stealer is extracting credentials at an exponential rate,” according to paper on the threat, shared with Threatpost. That pace, he said, has not slowed down. “The Oski stealer is still picking up infections and now we have seen the gears have shifted from the U.S. to the China region.”
Under the Hood
To investigate Oski, Sood and his team first compromised the malware’s web-based PHP command-and-control server (C2), hosted in Russia, using brute-force techniques.
“We invest efforts in unearthing the live C2 panels and conducting the security assessment to see if intelligence can be obtained,” he explained. “During this process, the inherent weaknesses in C2 panels, including configuration issues, vulnerabilities, weak passwords, allow the access to be obtained.”
The C2’s dashboard revealed that Oski’s theft tactics involve extracting credentials using man-in-the-browser (MitB) attacks by hooking the browser processes using DLL injection, Sood told Threatpost. It also extracts credentials from registry, passwords from the browser SQLite database and stored session cookies of all stripes, including crypto-wallet cookies from Bitcoin Core, Ethereum, Monero, Litecoin and others.
It casts a wide net, also targeting browser credentials in Chromium, Google Chrome, Kometa, Amigo, Torch, Orbitum, Opera, Comodo Dragon, Nichrome, Yandex Browser, Maxthon5, Sputnik, Epic, Privacy Browser, Vivaldi, CocCoc, Mozilla Firefox, Pale Moon, Waterfox, Cyberfox, BlackHawk, IceCat, K-Meleon and others.
“Coverage of Oski is significant as it steals stuff from all types of browsers, cryptocurrency wallets, different clients such as FTP, etc.,” Sood told Threatpost.
In terms of data exfiltration, “The C2’s domain name in the form of string is hardcoded in the binary after configuration is specified,” Sood said. “Oski stealer uses HTTP protocol to transmit data from the compromised end-user system. Data is transmitted as part of HTTP POST body and sent in a compressed format (i.e., a zipped file or using custom encryption for the HTTP POST body).”
Oski is Windows-based and supports x86 and x64 versions of Windows 7/8/8.1/10. According to Sood’s investigations, it’s highly effective in its efforts. For instance, it’s distributed by a range of standard infection mechanisms, such as drive-by downloads, phishing attacks and exploit kits; and it can be distributed as direct zipped file or an executable.
It also has the ability to fly under the radar: It can be installed without any explicit administrative rights, and it comes wrapped under a wrapper payload which self-destructs once the Oski is loaded in the system – thus hiding the infection’s tracks.
“If an advanced exploit is used to deliver the payload carrying Oski stealer, it is fair to assume that Oski stealer can stay undetected in the system,” according to the paper.
Sood said that Oski can thus be categorized as having intermediate-level sophistication, moving towards the advanced level; he believes the malware is still only in the early stages of its development.
“It is an ongoing threat and we are expecting more advancements and infections to be seen across the Internet targeting different organizations, browsers, etc.,” he wrote in his paper. He added via email, “The number of active instances for command-and-control panels are not high and even in underground forums, the advertisement for Oski stealer [only started] to come up recently, like couple of weeks back. The idea is to connect the different indicators to assume the Oski stealer has just started expanding its control.”
Users can protect themselves with good surfing habits, applying system updates and patches, avoiding clicking on emailed links and attachments, and staying vigilant when it comes to potential phishing emails, Sood noted.
Concerned about mobile security? Check out our free Threatpost webinar, Top 8 Best Practices for Mobile App Security, on Jan. 22 at 2 p.m. ET. Poorly secured apps can lead to malware, data breaches and legal/regulatory trouble. Join our experts to discuss the secrets of building a secure mobile strategy, one app at a time. Click here to register.