Rewterz Threat Alert – Kimsuky APT Group – Active IOCs
January 17, 2022Rewterz Threat Advisory – TP-Link Archer C90 routers and TL-WA1201 wireless access points
January 18, 2022Rewterz Threat Alert – Kimsuky APT Group – Active IOCs
January 17, 2022Rewterz Threat Advisory – TP-Link Archer C90 routers and TL-WA1201 wireless access points
January 18, 2022Severity
High
Analysis Summary
An emergent and effective data-harvesting tool dubbed Oski is proliferating in North America and China, stealing online account credentials, credit card numbers, crypto wallet accounts, and more. The malware is still in its developing phase but packs a punch with its capabilities. Oski C2’s dashboard revealed that Oski’s theft tactics involve extracting credentials using man-in-the-browser (MitB) attacks by hooking the browser processes using DLL injection, It also extracts credentials from the registry, passwords from the browser SQLite database, and stored session cookies of all stripes, including crypto-wallet cookies from Bitcoin Core, Ethereum, Monero, Litecoin, and others.
Impact
- Credential Theft
- Unauthorized Access
Indicators of Compromise
Filename
- 2739_1641880829_4069[.]exe
- cDisplayClass3[.]exe
MD5
- b38f1e54ff466b5407c900aaedab492c
- 52ad2f0ef9710a652fd8d2da68cbd7a3
SHA-256
- fc2b7524cb96be03fbb8fe44f1c03d640ffa628397a7af53690d168ede030771
- 0684e1cc2787745123b0d2454c847a318cb3753f95257648678b336e9ba17d1d
SHA-1
- e297fba4eca0b3c278defd31363d893b386eda90
- ae80882e20443f7ed6be871538a4c6323699fbc2
Remediation
- Block all threat indicators at your respective controls.
- Always be suspicious about emails sent by unknown senders.
- Never click on the links/attachments sent by unknown senders.
- Search for IOCs in your environment.