Oski Info Stealer Empties Crypto Wallets, Extracts Browser Data

January 25, 2021 · 4 min read

Data theft malware continues to get the ride of popularity among financially-motivated hackers. Increased interest boosts the development of new sophisticated strains promoted on the underground market. Obviously, the cheapest and simultaneously functional offerings grab attention first. This is where Oski stealer comes to the spotlight as highly dangerous and relatively low-priced malware.

Oski Stealer Functionality

Oski information stealer emerged at the end of 2019. Since then, it has been actively advertised on Russian dark web forums as a malware-as-a-service (MaaS) strain. The low price of $70-$100 and extended malicious capabilities made the malware a strong reputation among the hackers community.

Oski can steal a vast amount of sensitive information from unsuspecting victims. In particular, it can dump data from over 60 different apps. The list includes browsers, crypto wallets, email clients, and more. Additionally, the malware might grab user files from the infected computer, take screenshots, and act as a loader for second-stage payloads.

According to the researchers, the malware might extract login details, cookies, financial and autofill information from more than 30 Chromium- and Mozilla-based browsers. The malware applies DLL injection to hook the browser processes and perform man-in-the-browser attacks. Also, it might steal information about Connected Outlook accounts from the registry, including passwords and sensitive details associated with IMAP and SMTP servers. Another type of targeted apps is crypto wallets, with 28 types on the list, including Bitcoin Core, Ethereum, ElectrumLTC, Monero, Electrum, Dash, Litecoin, and ZCash. Finally, Oski can act as a grabber to collect files from the compromised device. However, this module is optional, so operators might disable or reconfigure it under their purposes.

Oski Info Stealer Analysis

Threat actors use multiple methods to deliver Oski stealer. Security researchers spotted it to be pushed via drive-by downloads, phishing campaigns, and exploit kits in the form of an archive or malicious executable. Remarkably, the malware doesn’t require privileged rights for installations, making the threat more popular and wide-spread.

Upon infection, the malware performs several environmental checks before launching its main functions. Particularly, Oski checks the user language, and if it refers to the Commonwealth of Independent States (CIS) countries, the threat terminates its activity. Such behavior indicates Russia-affiliated hackers probably stand behind Oski development. The second environment check is an anti-emulation test for Windows Defender Antivirus. Once all checks are successfully passed, the malware starts its data theft activities. 

Although Oski’s malicious potential is impressive, researchers note the lack of evasion functionality. Before dumping credentials from user apps, Oski arranges its working environment and downloads several DLLs from the command-and-control server. It is a very notable activity, which is frequently detected by AV engines. However, the malware is rather successful at hiding its traces. Specifically, Oksi deletes all the files, logs, DLLs from the disk, simultaneously killing the affiliated malicious processes and removing files.

Oski Detection

To enhance proactive detection of Oski stealer within your network, check the latest Sigma rule released by our Threat Bounty developer Osman Demir


The rule is translated for the following platforms:

SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, LogPoint, Humio, RSA NetWitness

EDR: Carbon Black, Microsoft Defender ATP


Tactics: Credential Access, 

Techniques: Credentials from Web Browsers (T1503), Credentials in Files (T1081)

Unless you don’t have a paid access to the Threat Detection Marketplace, activate your free trial under a community subscription to unlock the Sigma rule for Oski detection.

Sign up to the Threat Detection Marketplace to supercharge your defense capabilities! SOC Prime industry-first Threat Detection Content-as-a-Service (CaaS) platform aggregates SIEM & EDR Detection and Response content with over 90,000 rules, parsers, and search queries, Sigma and YARA-L rules easily convertible to various formats. The content base enriches every day with the help of 300+ security practitioners. Have a desire to become a part of our threat hunting community? Join Threat Bounty Program!

Was this article helpful?

Like and share it with your peers.
Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Related Posts