Oski: A ‘Sophisticated’ Info Stealer that Didn’t Come Close to Evading Lastline

Oski: A ‘Sophisticated’ Info Stealer that Didn’t Come Close to Evading Lastline

Reading the headlines today, it’s safe to say that advanced malware poses a challenge to many of our traditional network security defenses. These malicious programs use an ever-increasing array of sophisticated tactics and evasive techniques to slip past our security walls. Once inside our castle they then have free reign to move about our network as they please, steal whatever data they want and exfiltrate this information back to their handlers. In many cases the only way an organization discovers their data has been stolen is by notification from an external party!

This blog discusses a relatively new sophisticated malware family named Oski. I’ll spend some time going over the Oski info stealer’s history and discuss how this malware operates. Once I’ve identified why Oski poses a threat to organizations, I’ll discuss how a Network Detection and Response (NDR) solution can help us defend against this threat.

A Deep Dive into Oski’s Operational Capabilities

As reported by Threatpost, researcher Aditya K. Sood spotted the first dark web advertisements for Oski back in December 2019. Sood and his team decided they wanted to investigate further, and as part of that they were able to compromise the malware’s web-based PHP command-and-control server, which was hosted in Russia at the time.

By viewing the exposed dashboard on the server, researchers learned a great deal about Oski and the way it operates. They found out that an infection has multiple ways of being delivered: drive-by downloads, phishing attacks, or attached to an exploit kit are all vectors of infection. A closer look into these infection vectors revealed that Oski could arrive on a machine as either an archive file or an executable.

The dashboard offered a glimpse into Oski’s extensive information-stealing capabilities. Specifically, Sood and his team observed that the malware was capable of using a DLL injection to hook the processes of no less than two dozen popular web browsers. This tactic enabled Oski to extract a user’s stored credentials. The researchers also found that the stealer could obtain credentials from the registry, passwords from the browser, SQLite databases, and stored cookies, including those pertaining to popular cryptocurrency wallets.

Sood explained that Oski ultimately exfiltrated these and other data sources deemed valuable by its handlers. As quoted by Threatpost:

“The C2’s domain name in the form of string is hardcoded in the binary after configuration is specified. Oski… uses [the] HTTP protocol to transmit data from the compromised end-user system. Data is transmitted as part of HTTP POST body and sent in a compressed format (i.e., a zipped file or using custom encryption for the HTTP POST body).”

Initially, research found that Oski had stolen more than 43,000 passwords primarily from campaigns targeting Google users in North America. But the total haul of stolen credentials increased to nearly 50,000 within a matter of hours. Since then, the malware has expanded its sights to include China, among other targeted geographies. It’s assumed that this number continues to grow at a substantial rate on a daily basis.

Why Oski Is Such a Concern

What makes Oski such a concern for all of our network security measures is that it can fly under the radar. In particular, Sood observed that the malware was capable of installing itself on a machine without any explicit administrative rights. Additionally, researchers noticed that the malware came in a wrapper payload that self-destructed once it loaded in the system. This technique effectively concealed the tracks of an Oski infection, at least when it comes to traditional security controls.

Sood found that the malware contains only an intermediate level of sophistication at the time of analysis, but that it’s becoming increasingly advanced:

“It is an ongoing threat and we are expecting more advancements and infections to be seen across the Internet targeting different organizations, browsers, etc. The number of active instances for command-and-control panels are not high and even in underground forums, the advertisement for Oski stealer [only started] to come up recently, like couple of weeks back. The idea is to connect the different indicators to assume the Oski stealer has just started expanding its control.”

Caught in Lastline’s Crosshairs

Notwithstanding its rising level of sophistication, Oski failed to evade detection by Lastline’s NDR platform, Lastline Defender. Lastline Defender gave all variants of Oski it has analyzed a maliciousness score of 100/100. Lastline’s unique ability to tear apart files and flag abnormal activity at the network level meant that Oski’s true nature was never in doubt. On a more granular level, Lastline Defender detected Oski at 15 different stages of its infection chain. Three of these detection points all raised red flags before the malware even had a chance to establish an initial infection.

Lastline Defender also picked up on Oski’s information-stealing activity. It witnessed the malware attempting to read browser data and bitcoin wallet credentials. It even spotted the threat attempting to delete itself after execution.

Fighting Fire with Fire

There’s truth to the saying “fight fire with fire.” When a sophisticated piece of malware like Oski is involved, it’s important to fight it with an NDR solution like Lastline Defender. It allows you to flexibly deploy sensors throughout your infrastructure, providing visibility into both abnormal and malicious objects and activity. You can also configure Lastline Defender’s APIs to accept unknown files sent from third-party security products, thereby expanding visibility into your network even further.

You can then use this visibility to watch for suspicious behavior, such as an unauthorized program moving throughout the network and attempting to exfiltrate sensitive information to a remote location. In many cases Lastline Defender will stop a threat before it ever attempts to move laterally inside your network, but if it never sees the initial infection or binary involved (for example, if the compromised device was off-network or on an unprotected segment at the time of infection), it will detect the attempt by the malware to either infect other machines or call home with its bounty.

Strengthen your defenses against advanced malware with Lastline Defender – you can have a sensor up and running inside your environment in as little as 30 minutes and instantly improve your security posture.

Richard Henderson

Richard Henderson

Richard Henderson is Head of Global Threat Intelligence, where he is responsible for trend-spotting, industry-watching, and evangelizing the unique capabilities of Lastline’s technologies. He has nearly two decades of experience and involvement in the global hacker community and discovers new trends and activities in the cyber-underground. He is a researcher and regular presenter at conferences and events and was lauded by a former US DHS undersecretary for cybersecurity as having an “insightful view” on the current state of cybersecurity. Richard was one of the first researchers in the world to defeat Apple’s TouchID fingerprint sensor on the iPhone 5S. He has taught courses on radio interception techniques multiple times at the DEFCON hacker conference. Richard is a regular writer and contributor to many publications including BankInfoSecurity, Forbes, Dark Reading, and CSO.
Richard Henderson