Rewterz Threat Alert – Oski Data Stealer Malware

Rewterz Threat Advisory – CVE-2021-1402 – Cisco Firepower Threat Defense Software SSL Decryption Policy DoS Vulnerability

June 9, 2021

Rewterz Threat Advisory – ICS: Siemens Multiple Vulnerabilities

June 9, 2021

Rewterz Threat Alert – Oski Data Stealer Malware – Active IOCs

Severity

High

Analysis Summary

An emergent and effective data-harvesting tool dubbed Oski is proliferating in North America and China, stealing online account credentials, credit card numbers, crypto wallet accounts, and more. The malware is still in its developing phase but packs a punch with its capabilities. Oski C2’s dashboard revealed that Oski’s theft tactics involve extracting credentials using man-in-the-browser (MitB) attacks by hooking the browser processes using DLL injection, It also extracts credentials from the registry, passwords from the browser SQLite database, and stored session cookies of all stripes, including crypto-wallet cookies from Bitcoin Core, Ethereum, Monero, Litecoin, and others.

Impact

Credential theft
Information disclosure

Indicators of Compromise

MD5

bae1820a589c3c2a3d76bb6984e155ef

SHA-256

b7e2b37e97963d45b71ef70bc0d8060336757c0c57c245c4afd87a8f7d7a6b2d
2e5492db36a7d3472205a9b2e0f6915501001fd38580b2fff3d897f5f983c07e
6a90747e994871cb1556c89efbaf0fa6f755fe4392ac1dfd5122d97f44096f8f
7306fb8e6beb55670cbd66849de1bba703d010166361c1c9f1b56314d7f77733
78e1650c6b289088c2224f07d530f85b3a75c9698f60eca795e3f75e2e4f3611
879ffc6d14cd99fdde3f2ff9fac1ad08af7848cb18a68d9b7de72a6eb2824f1b
26742bde0f3465983c03706acf3b37b1583904f1993d2f9036ff636b313f4b04
c17c48163d0b124b07fdda6b15196db8fe8c510d9c8afbb5abf3666bfb109b26
0c7ce125e3003caf1c7913fda7db380e6e0c7810923103dbb271283118900f94
9aca1af01849129298bada27908964ce2be2775ffb38bd578eba794f3a91fac9
9d5813fe8eca2837acc3e2eb1256a7a502a2f2dd037348e573b43c76f85aba83
f64b2a93af7939876cb9af6f7f2d0702fe09a02e5a7968c90fc5ed0fa9915e1f
f64b2a93af7939876cb9af6f7f2d0702fe09a02e5a7968c90fc5ed0fa9915e1f
518c8c977ad18b3a0e462f98e88effba7e357e3eef060f3b85a7afc761907b1d
841c80d880692060d97a7a84fb8b6cbea1472c548714d92d60a821a60c4ae4c4
656fd8e974d530e493fcbe38517f8635611dd4f55403ead65b1e525f3fce7500
304d51352cd5570568501f89ea1831a1b9367a4ab873566795e21888ada20aa2
245f962fa8ec09944b413f41836d81d8fbc961c34f43e3d8f76cc6324eefe11e
27246af1d222060efe273a53a82cd8550629b0826fd7de6a035265090216d719
b07489dfcfc4ec7f3cd9459a76bbaa04506ca3fbbd8b538d6b1c2937737e8101
9861e5db0eacb329364eabe37d837d20ad6e9210cba4641f9e09abca0173cb2e

SHA1

e083da95c8870158a2bdde3a94571904ca514f39

Remediation

Block all threat indicators at your respective controls.
Always be suspicious about emails sent by unknown senders.
Never click on the links/attachments sent by unknown senders