You really don’t want this nasty data-stealing malware on your PC…
Oski Stealer is powerful data-stealing malware which has been widely used in phishing campaigns over the last two years.
What does it do?
Steals passwords stored in your Chrome or Firefox browser.
Steals email credentials stored in your email client.
Steals FTP credentials and a screenshot of your desktop.
Steals cryptocurrencies such as Bitcoin Core and Ethereum.
Steals data stored on your PC.
Where do hackers acquire this software?
It can be bought on the DarkWeb for as little as $70. For most cyber-criminals, this is a ready-to-go piece of exploit-ware.
How does it get installed on your PC?
Normally the user inadvertently downloads this malware onto their PC system by opening email attachments.
Why doesn’t anti-virus or endpoint security detect it?
The code of Oski Stealer is obfuscated, or hidden, which means that anti-virus or endpoint security software can’t detect it. Moreover, just before its real payload is delivered, it disables the Anti-malware Scan Interface (AMSI) of the Windows operating system. This means that Windows Defender will not be able to scan it. Very smart huh…
What damage does it do when it gets installed on your PC?
It usually arrives via a Microsoft Office attachment such as Word or PowerPoint.
A curiosity lure such as “request for quotation” is usually used to entice the victim into clicking the attachment.
Once opened, the victim is invited to “Enable Editing” in order to view the document. If clicked, this simple action sets in train a highly elaborate process. The macro creates a Windows shell execution script which triggers a Microsoft HTML process to call up a malicious URL (usually in shortened format). The HTML file contains a Visual Basic script which downloads a trojan, which in turn downloads Oski Stealer. Once installed, Oski Stealer communicates with a C2 server via an HTTP POST request. The bad actor can even program Oski to collect and exfiltrate specific file types.
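The delivery chain described above (an Office application spawning a script host, which in turn spawns a Microsoft HTML process that fetches a URL) is an unusual parent/child relationship that a defender can hunt for in process-creation telemetry. The following is an added example, not code from the original post or from any analysis of Oski itself. It assumes Sysmon Event ID 1 style records with ProcessId, ParentProcessId, Image and CommandLine fields, and it assumes that the post’s “Windows shell execution script” and “Microsoft HTML process” correspond to wscript.exe/cscript.exe and mshta.exe (an assumption, not something the post states). All log lines are constructed for the demonstration.

```python
"""Hunt for Office -> script host -> mshta chains in process-creation telemetry.

Added example (not from the original article). Assumes Sysmon Event ID 1 style
records; the binary names below are the author's assumption about what the
article's "shell execution script" and "Microsoft HTML process" refer to.
"""
import json
import re
from typing import Dict, List

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
HTML_HOSTS = {"mshta.exe"}
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)

# Constructed sample telemetry (JSON lines): one suspicious chain under
# WINWORD.EXE and one benign Excel -> print-spooler helper chain.
SAMPLE_EVENTS = r"""
{"ProcessId": 100, "ParentProcessId": 1, "Image": "C:\\Windows\\explorer.exe", "CommandLine": "explorer.exe"}
{"ProcessId": 200, "ParentProcessId": 100, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "CommandLine": "WINWORD.EXE /n RFQ-2021.docm"}
{"ProcessId": 300, "ParentProcessId": 200, "Image": "C:\\Windows\\System32\\wscript.exe", "CommandLine": "wscript.exe C:\\Users\\alice\\AppData\\Local\\Temp\\run.vbs"}
{"ProcessId": 400, "ParentProcessId": 300, "Image": "C:\\Windows\\System32\\mshta.exe", "CommandLine": "mshta.exe https://short.example/abc123"}
{"ProcessId": 500, "ParentProcessId": 100, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "CommandLine": "EXCEL.EXE budget.xlsx"}
{"ProcessId": 600, "ParentProcessId": 500, "Image": "C:\\Windows\\System32\\splwow64.exe", "CommandLine": "splwow64.exe 12288"}
"""


def parse_events(text: str) -> Dict[int, dict]:
    """Load JSON-lines telemetry into a dict keyed by ProcessId."""
    events: Dict[int, dict] = {}
    for line in text.strip().splitlines():
        line = line.strip()
        if line:
            ev = json.loads(line)
            events[ev["ProcessId"]] = ev
    return events


def image_name(ev: dict) -> str:
    """Lower-cased file name of the executable, without its directory."""
    return ev["Image"].replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestry(events: Dict[int, dict], pid: int, max_depth: int = 8) -> List[dict]:
    """Walk parent links from pid towards the root (child first); stops on
    unknown parents, loops, or max_depth so a bad log cannot hang the hunt."""
    chain: List[dict] = []
    seen = set()
    while pid in events and pid not in seen and len(chain) < max_depth:
        seen.add(pid)
        chain.append(events[pid])
        pid = events[pid]["ParentProcessId"]
    return chain


def find_office_script_chains(events: Dict[int, dict]) -> List[dict]:
    """Flag script-host or mshta processes that descend from an Office app.
    A URL on the mshta command line (the remote HTML stage) raises severity."""
    hits = []
    for pid, ev in events.items():
        name = image_name(ev)
        if name not in HTML_HOSTS and name not in SCRIPT_HOSTS:
            continue
        names = [image_name(e) for e in ancestry(events, pid)]
        if not any(n in OFFICE_APPS for n in names):
            continue
        urls = URL_RE.findall(ev["CommandLine"])
        hits.append({
            "pid": pid,
            "chain": " <- ".join(names),
            "urls": urls,
            "severity": "high" if name in HTML_HOSTS and urls else "medium",
        })
    return hits


if __name__ == "__main__":
    for hit in find_office_script_chains(parse_events(SAMPLE_EVENTS)):
        print(hit["severity"].upper(), hit["chain"], hit["urls"])
```

On the constructed sample the hunt reports the wscript.exe stage as medium and the mshta.exe stage, which carries the shortened URL, as high, while the Excel chain is ignored. In a real deployment the same logic maps directly onto a SIEM query over Sysmon or EDR process events, and the parent/child relationship is the robust signal: it survives renamed documents, rotated URLs and the code obfuscation the post describes.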
How do I prevent the Oski Stealer getting on my PC?
Users need to be warned about what attachments they download, even from known senders. Remember that even a known email address may be under the control of a hacker. User susceptibility can be tested using periodic phishing simulations.
Users should be warned that storing usernames and passwords in their browsers, while very convenient, can also be very risky. Instead, they should use a password manager like Bitwarden, or whatever password management tool is recommended by their organisation’s IT support team.
PowerShell should be disabled on users’ PCs if it is not used regularly (see image above).
Users should be very vigilant when it comes to emotive emails designed to persuade them to open attachments. Common emotional lures include curiosity, loss aversion, deference to power, greed and even shock. Users should be warned that all email attachment types are potential vectors for malware.