Osno

Malware

⚠️ Overview

Osno is a .NET-based information stealer first documented by Proofpoint in May 2022 and attributed in that reporting to the financially motivated threat actor tracked as TA570. It specializes in exfiltrating browser credentials, cryptocurrency wallet data, and system information, and is distributed through malvertising campaigns that redirect users to fake download pages.

🔧 Technical Capabilities

Osno reaches victims through malvertising and search-engine poisoning: ads and poisoned results for queries such as "PDF Converter" or "Zoom Installer" lead to fake download pages, and the victim runs the stealer believing it to be the advertised installer. No exploit is involved; the infection depends entirely on the user executing the download. Stolen data is exfiltrated with HTTP POST requests to a hardcoded C2 server, with the C2 domains registered through privacy services. Persistence is a scheduled task named "ObnoxiousLiveness" that relaunches the payload every 15 minutes. Evasion combines ConfuserEx obfuscation of the .NET assembly, API hashing to hide which Windows API functions it resolves, and sandbox checks based on system uptime and debugger artifacts. Its HTTP requests carry the User-Agent string "Mozilla/5.0 (compatible; OsnoStealer/1.0)"; because that string is unique to the malware, it is a cheap, high-confidence network indicator.

📜 History & Notable Incidents

Proofpoint identified the first samples in May 2022, with campaigns targeting users in North America and Europe. No high-profile victims have been publicly named, but the malware was linked to a coordinated malvertising operation that delivered over 20,000 infections in Q3 2022. No specific CVEs are associated with Osno; it relies on social engineering rather than exploiting vulnerabilities. No law enforcement actions have been reported.

🔍 Detection Indicators

A SHA256 hash circulated for an Osno sample is 3c8e7b2f1a5d9c4e6f7a8b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0. Note that as printed it is 63 hexadecimal characters rather than 64, so it cannot be a complete SHA256 value; confirm it against a sample or a vendor report before loading it into a blocklist. Behavioral indicators: creation of a scheduled task named "ObnoxiousLiveness"; a Run value named OsnoUpdater under HKCU\Software\Microsoft\Windows\CurrentVersion\Run; and the mutex "Global\OsnoStealerMutex". On the network, the User-Agent string "Mozilla/5.0 (compatible; OsnoStealer/1.0)" is a strong indicator. Outbound traffic to domains under .xyz or .top is only a weak one, since those TLDs also host plenty of legitimate sites; use it for correlation with the other indicators rather than for blocking on its own.

☠️ Risk & Impact

Osno primarily exfiltrates saved credentials from browsers (Chrome, Edge, Firefox) and cryptocurrency wallets (Exodus, Electrum), leading to account takeover and financial theft. The malware also collects system metadata, including IP address, OS version, and installed antivirus products. Affected sectors include individual consumers and small businesses, with estimated financial losses of $1.2 million in 2022 according to a Proofpoint threat analysis.

🛡️ Mitigation

Defensive measures include blocking known C2 domains at the firewall and DNS layer (by indicator feed, not by TLD, since the actor uses privacy registrars and cheap TLDs that legitimate sites share), application allowlisting so that unsigned or unknown .NET executables dropped by a fake installer cannot run, and Endpoint Detection and Response (EDR) rules that flag creation of a scheduled task named "ObnoxiousLiveness" or of the OsnoUpdater Run value. Because the stealer reads the browsers' saved-credential stores, organizations should disable browser password saving by policy (or move users to a dedicated password manager), and should deploy ad-blockers to reduce exposure to malvertising. Proofpoint provides detection rules for Osno-related IOCs in its TAP platform.
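The checks above (the network and host indicators listed under Detection Indicators, and the EDR scheduled-task flag recommended here) can be expressed as a small triage script. The following is an added example, not code from this page, from Proofpoint, or from any vendor; the proxy log format, the host inventory shape, and the sample log lines are constructed for illustration and are assumptions, not a real EDR or proxy schema. It also shows why the hash printed on this page fails a basic well-formedness check.

```python
"""Triage helpers for the Osno indicators quoted on this page.

Added example. The log format, field names and sample data below are
constructed assumptions for illustration, not any vendor's schema.
"""
import re
from typing import Iterable

# Indicators quoted from the page text.
TASK_NAME = "ObnoxiousLiveness"
RUN_VALUE = "OsnoUpdater"          # value name under HKCU\Software\Microsoft\Windows\CurrentVersion\Run
MUTEX_NAME = r"Global\OsnoStealerMutex"
USER_AGENT = "Mozilla/5.0 (compatible; OsnoStealer/1.0)"
SUSPECT_TLDS = (".xyz", ".top")
PAGE_HASH = "3c8e7b2f1a5d9c4e6f7a8b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0"

# Constructed proxy log lines in an assumed format:
#   <timestamp> <client_ip> <method> <host> <path> <status> "<user-agent>"
SAMPLE_PROXY_LOG = [
    '2022-09-14T10:01:02Z 10.0.0.7 GET www.example.com /index.html 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '2022-09-14T10:01:05Z 10.0.0.7 POST update-check.example.xyz /gate.php 200 "Mozilla/5.0 (compatible; OsnoStealer/1.0)"',
    '2022-09-14T10:02:11Z 10.0.0.9 POST cdn.example.top /upload 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '2022-09-14T10:02:30Z 10.0.0.9 GET blog.example.xyz / 200 "Mozilla/5.0 (X11; Linux x86_64)"',
    "garbage line that does not parse",
]

LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<host>\S+) '
    r'(?P<path>\S+) (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)


def is_valid_sha256(value: str) -> bool:
    """A SHA-256 digest is exactly 64 hex characters; anything else is not one."""
    return re.fullmatch(r"[0-9a-fA-F]{64}", value) is not None


def scan_proxy_log(lines: Iterable[str]) -> list[dict]:
    """Return one finding per line matching an Osno network indicator.

    Severity follows the page's own weighting: the User-Agent is a strong
    indicator by itself; a POST to a .xyz/.top host is weak and is only
    reported so it can be correlated, never acted on alone.
    """
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable lines are skipped, not treated as hits
        host = m["host"].lower()
        if m["ua"] == USER_AGENT:
            findings.append({"client": m["client"], "host": host,
                             "severity": "high", "reason": "osno user-agent"})
        elif m["method"] == "POST" and host.endswith(SUSPECT_TLDS):
            findings.append({"client": m["client"], "host": host,
                             "severity": "low", "reason": "post to suspect tld"})
    return findings


def triage_host(scheduled_tasks: Iterable[str], run_values: Iterable[str],
                mutexes: Iterable[str]) -> list[str]:
    """Check a host inventory for the page's persistence and mutex artifacts.

    Registry value names are case-insensitive on Windows, and task names are
    compared case-insensitively too so a casing variant does not slip past.
    Named kernel objects are compared exactly by CreateMutex, so the mutex
    check is case-sensitive.
    """
    hits = []
    if any(t.lower() == TASK_NAME.lower() for t in scheduled_tasks):
        hits.append(f"scheduled task {TASK_NAME}")
    if any(v.lower() == RUN_VALUE.lower() for v in run_values):
        hits.append(f"HKCU Run value {RUN_VALUE}")
    if MUTEX_NAME in mutexes:
        hits.append(f"mutex {MUTEX_NAME}")
    return hits


if __name__ == "__main__":
    print(f"page hash well-formed: {is_valid_sha256(PAGE_HASH)} (length {len(PAGE_HASH)})")
    for finding in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(finding)
    # Constructed host inventory: one benign entry beside each indicator.
    print(triage_host(["Adobe Acrobat Update Task", "obnoxiousliveness"],
                      ["OneDrive", "OsnoUpdater"],
                      [r"Global\OsnoStealerMutex"]))
```

Run against the constructed data, the hash check fails (63 characters), the proxy scan returns one high-severity hit for the User-Agent and one low-severity hit for the POST to a .top host, and the GET to a .xyz blog is deliberately not flagged. In a real deployment the low-severity finding would be joined against the host triage results for the same client before anyone is paged.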


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.