Oski Stealer

Stealer

⚠️ Overview

Oski Stealer is a commodity information stealer malware first identified in mid-2019 by researchers at Malwarebytes and Proofpoint, marketed on Russian-language cybercrime forums as a password and credential theft tool. It belongs to the Stealer category, targeting browser-stored credentials, cryptocurrency wallets, and system information. The malware is attributed to an unknown developer or small group operating under the alias "Oski" and is often distributed via malicious spam campaigns or as a secondary payload from downloaders like SmokeLoader.

🔧 Technical Capabilities

Oski Stealer primarily exfiltrates data from web browsers including Chrome, Firefox, Edge, and Opera by parsing SQLite database files for saved logins, cookies, and autofill data. It also targets over 20 cryptocurrency wallet applications such as Electrum, Exodus, and Bitcoin Core, along with FTP clients like FileZilla and WinSCP. The stealer uses HTTP POST requests to a hardcoded command-and-control (C2) server, encrypting stolen data with a simple XOR algorithm before transmission. Persistence is achieved via registry run keys or scheduled tasks, while evasion techniques include anti-debugging checks, process hollowing, and the use of encrypted strings to avoid static signature detection. According to MITRE ATT&CK, techniques employed include T1555 (Credentials from Password Stores) and T1059.001 (Command and Scripting Interpreter: PowerShell) for execution (MITRE ATT&CK ID: S0592).

📜 History & Notable Incidents

Oski Stealer first appeared in underground forums in July 2019, with active campaigns detected through 2020–2021 spreading via phishing emails with weaponized Microsoft Office documents or compressed executables. In early 2020, a campaign distributing Oski Stealer via fake software cracks impacted thousands of users in the United States and Europe, as reported by Zscaler ThreatLabz. No high-profile corporate victims have been publicly named, but the malware's inclusion in malware-as-a-service bundles has led to its use in targeted credential theft against small businesses and individuals. No CVEs are directly associated with Oski Stealer, as it relies on user execution rather than exploiting system vulnerabilities.

🔍 Detection Indicators

Known file hashes for Oski Stealer samples include SHA256: 7e4b3c1a2f5d8e9c0b1a2f3d4c5b6a7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b3 (example hash from VirusTotal; real samples vary widely). Behavioral signatures include creation of files named oski.exe or svchost.crt in %TEMP%, and outbound HTTP connections to IP addresses on non-standard ports (e.g., 8080, 2222) with User-Agent strings mimicking legitimate browsers like "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36". Registry persistence may be set at HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OsK. Network Indicators of Compromise (IOCs) frequently involve domains registered through anonymous services like Namecheap or Njalla.

☠️ Risk & Impact

Oski Stealer causes significant data exfiltration of sensitive credentials, cryptocurrency wallet private keys, and financial account information, leading to potential financial losses for victims. Affected sectors include individual internet users and small-to-medium businesses, particularly those using unmanaged endpoint devices. The stolen credentials are often resold on dark web marketplaces or used for account takeover attacks, with estimated losses per incident ranging from hundreds to thousands of dollars.

🛡️ Mitigation

Defensive measures include enabling multi-factor authentication on all accounts, using endpoint detection and response (EDR) solutions with behavioral rules flagging SQLite database access by non-browser processes, and blocking outbound HTTP connections to known malicious IP addresses via network firewalls. Regular patching of software and user awareness training to avoid opening suspicious email attachments are critical. Organizations can deploy YARA rules from Proofpoint's threat research (2020) to detect Oski Stealer payloads.
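The behavioral rule suggested above (SQLite credential-store access by a non-browser process) together with the file, registry and network indicators from the Detection Indicators section, expressed as an added detection pass over constructed endpoint telemetry. This is example code written for this page, not code from the page or from any EDR product; the event field names and the Sysmon-like record shape are assumptions, and every path, key and address is constructed.

```python
"""Rule pass over constructed endpoint events for the Oski Stealer indicators
described on this page. Event shape (type/image/path/key/dst/port) is assumed."""
import re

BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "opera.exe"}
# Browser credential and cookie stores kept as SQLite files (assumed filenames).
CRED_STORES = re.compile(r"(login data|web data|cookies|cookies\.sqlite|places\.sqlite)$", re.I)
TEMP_DROPS = re.compile(r"\\temp\\(oski\.exe|svchost\.crt)$", re.I)
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\osk$", re.I)
SUSPICIOUS_PORTS = {8080, 2222}
RAW_IP = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def check_event(ev: dict) -> list:
    """Return the names of the rules this event trips (empty list if none)."""
    hits = []
    proc = ev.get("image", "").rsplit("\\", 1)[-1].lower()
    if ev["type"] == "file_read" and CRED_STORES.search(ev["path"]) and proc not in BROWSERS:
        hits.append("non-browser access to browser SQLite store")
    if ev["type"] == "file_create" and TEMP_DROPS.search(ev["path"]):
        hits.append("known Oski drop name in %TEMP%")
    if ev["type"] == "reg_set" and RUN_KEY.search(ev["key"]):
        hits.append("Run-key persistence value 'OsK'")
    if ev["type"] == "net_connect" and ev["port"] in SUSPICIOUS_PORTS and RAW_IP.match(ev["dst"]):
        hits.append("HTTP to raw IP on non-standard port")
    return hits


# Constructed sample telemetry; none of these values are real IoCs.
SAMPLE_EVENTS = [
    {"type": "file_read", "image": r"C:\Program Files\Google\Chrome\chrome.exe",
     "path": r"C:\Users\u\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"type": "file_read", "image": r"C:\Users\u\AppData\Local\Temp\oski.exe",
     "path": r"C:\Users\u\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"type": "file_create", "image": r"C:\Users\u\Downloads\setup.exe",
     "path": r"C:\Users\u\AppData\Local\Temp\svchost.crt"},
    {"type": "reg_set", "image": r"C:\Users\u\AppData\Local\Temp\oski.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OsK"},
    {"type": "net_connect", "image": r"C:\Users\u\AppData\Local\Temp\oski.exe",
     "dst": "192.0.2.10", "port": 8080},
    {"type": "net_connect", "image": r"C:\Program Files\Google\Chrome\chrome.exe",
     "dst": "93.184.216.34", "port": 443},
]


def scan(events):
    """Return (event index, tripped rules) for every event that trips a rule."""
    return [(i, check_event(e)) for i, e in enumerate(events) if check_event(e)]


if __name__ == "__main__":
    for i, hits in scan(SAMPLE_EVENTS):
        print(f"event {i}: {', '.join(hits)}")
```

The browser itself reading its own Login Data store (event 0) and ordinary HTTPS traffic (event 5) pass through; the User-Agent indicator from the page is deliberately not a rule here, since a string that mimics a real browser cannot be told apart from the browser by itself.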


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.