- Oski Stealer, a newly identified malware, is stealing sensitive data such as passwords and private keys from browser data.
- The malware uses standard infection methods such as phishing attacks and is also prominently distributed via drive-by downloads.
- The C&C domain is hosted on a server in Russia; it was created last month and updated recently.
Cyber and data security efforts have suffered yet another setback: a new malware dubbed Oski Stealer is targeting internet browsers and cryptocurrency wallets, with the majority of its victims located in the United States.
The information stealer is operating successfully and is promoted on underground cyber forums, especially Russian ones, said Aditya K Sood in a report shared with Security Week.
With limited information currently available about how the malware works, analysts believe it is designed to collect sensitive information such as credentials, credit card numbers and wallet account passwords. Its impact has been the focus of most discussions, as it has already stolen over 50,000 passwords.
The malware uses standard infection methods such as phishing attacks and is also prominently distributed via drive-by downloads. It runs as a native executable and can install on both x86 and x64 versions of Windows 7, 8, 8.1 and 10 without administrator rights.
After infecting a machine, the malware attempts to retrieve sensitive information from Chromium- and Firefox-based web browsers, with a special focus on FileZilla and crypto wallets such as Bitcoin Core, Ethereum, ElectrumLTC, Monero, Electrum, Dash, Litecoin and ZCash.
The malware retrieves credentials by performing man-in-the-browser attacks: it hooks browser processes via DLL injection and extracts session cookies, and it reads wallet information from the registry and from the browsers' SQLite databases.
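To make concrete what "the browsers' SQLite database" means for a responder, the following added example (written for this page, not Oski Stealer's code and not from the cited report) builds a constructed, minimal copy of a Chromium "Login Data" file with the real `logins` table column names, inventories the stored accounts, and classifies how each `password_value` blob is protected. The table layout, the `v10` AES-GCM prefix used by recent Chromium builds on Windows, and the DPAPI blob header are real; the rows, the file path and the function names are assumptions for illustration. The point for incident response is that the stealer runs as the victim user without admin rights, and that is all DPAPI needs to decrypt these blobs, so every row in a harvested copy of this file should be treated as exposed.

```python
import os
import sqlite3
import tempfile

# Prefixes seen in the password_value column of a Chromium "Login Data" file on Windows.
# Chromium >= 80: "v10" + AES-GCM ciphertext; the AES key sits DPAPI-protected in "Local State".
# Older Chromium: a raw DPAPI blob, which begins with version 1 and the DPAPI provider GUID
# {DF9D8CD0-1501-11D1-8C7A-00C04FC297EB} in little-endian byte order.
AES_GCM_PREFIX = b"v10"
DPAPI_BLOB_HEADER = bytes.fromhex("01000000D08C9DDF0115D1118C7A00C04FC297EB")


def classify_secret(blob: bytes) -> str:
    """Return which protection scheme a stored password_value uses."""
    if not blob:
        return "empty"
    if blob.startswith(AES_GCM_PREFIX):
        return "aes-gcm-v10"
    if blob.startswith(DPAPI_BLOB_HEADER):
        return "dpapi"
    return "unknown"


def build_sample_login_data(path: str) -> None:
    """Constructed sample: a subset of the Chromium `logins` schema with fake rows."""
    con = sqlite3.connect(path)
    con.execute(
        """CREATE TABLE logins (
               origin_url     VARCHAR NOT NULL,
               username_value VARCHAR,
               password_value BLOB,
               date_created   INTEGER NOT NULL
           )"""
    )
    rows = [  # assumed data, not taken from any real host
        ("https://accounts.google.com/", "alice@example.com",
         AES_GCM_PREFIX + b"\x00" * 12 + b"ciphertext-and-tag", 13250000000000000),
        ("https://www.example.com/login", "bob",
         DPAPI_BLOB_HEADER + b"\x00" * 40, 13240000000000000),
        ("https://wallet.example.org/", "carol", b"", 13260000000000000),
    ]
    con.executemany("INSERT INTO logins VALUES (?, ?, ?, ?)", rows)
    con.commit()
    con.close()


def inventory_login_data(path: str) -> list:
    """List every stored account and how its password blob is protected.

    On a live host the browser holds a lock on the file, so stealers (and
    responders) copy it elsewhere first; this function expects such a copy.
    """
    con = sqlite3.connect(path)
    try:
        cur = con.execute(
            "SELECT origin_url, username_value, password_value FROM logins ORDER BY origin_url"
        )
        return [
            {"origin_url": url, "username": user, "secret_format": classify_secret(pw)}
            for url, user, pw in cur
        ]
    finally:
        con.close()


def demo() -> list:
    """Build the constructed sample in a temp directory and inventory it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "Login_Data")  # real file is named "Login Data"
        build_sample_login_data(path)
        return inventory_login_data(path)


if __name__ == "__main__":
    for record in demo():
        print(record)
```

Run it as a script to see one record per stored credential. Pointing `inventory_login_data` at a copy of a real `Login Data` file from a compromised profile gives the list of origins and usernames to reset; the classification column tells you whether decryption needed only the user's DPAPI context (`dpapi`) or the AES key from `Local State` as well (`aes-gcm-v10`), neither of which requires elevation.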
Data exfiltration is carried out through HTTP POST requests, with the data sent in compressed form as a zipped file or with custom encryption. The data staged for exfiltration is stored as records in a folder under the ProgramData directory.
Security researchers were able to access the malware's command and control server and extract information on its ongoing activity. The C&C domain is hosted on a server in Russia; it was created last month and updated recently. The control panel can be accessed from any internet-connected device.
Regarding the speed of its expansion, the researcher said that within just 10 hours of accessing the server, the dashboard's count of logs and compromised passwords rose from 88 and 43,336 to 249 and 49,942.
Soon after, the log count reached 268 and the number of stolen passwords crossed 50,000. The malware appears to target mainly the United States, and more than 97% of the data was stolen from Chromium-based web browsers. The most commonly stolen data is Google account passwords.