Agent Tesla Delivers Oski Stealer
Cyberint Research observed a number of unsolicited malicious email (malspam) campaigns throughout July 2021 in which Agent Tesla has been used to deliver ‘Oski Stealer’ to a variety of targets worldwide.
First observed around November 2019, Oski Stealer is a popular threat, used to gather credentials and/or financial data from victims, and is readily available to purchase on various cybercriminal forums, typically advertised by a threat actor known as ‘oski_seller’, for around US$70-100 (Figure 1).
Figure 1 - Oski Stealer Advertisement
In addition to being actively sold and supported by the original creator, unverified forum posts suggest that a ‘cracked’ version of Oski Stealer was leaked toward the end of 2020 (Figure 2) that, if true, could potentially lead to broader adoption.
Figure 2 - Potential 'cracked' version of Oski Stealer leaked
Although stealer threats are often indiscriminate and target individuals rather than businesses, recently observed campaigns appear to specifically target various organizations, potentially as a precursor to some other attack through the collection of credentials for later abuse.
Notably, analysis of this specific campaign identifies a pattern of activity targeting the manufacturing industries, especially those located in Asia, although the ‘end objective’ of the threat actor cannot be fully ascertained at this time.
As is common with threats of this nature, initial delivery is via email lures masquerading as legitimate business communications that encourage the recipient to open an attachment.
Based on an analysis of this recent campaign, observed lure themes (Figure 3) include content relating to urgent or pressing matters such as ‘new orders’, ‘payments’ and ‘quotations’, as well as the apparent reuse of prior legitimate email threads that include contact details for, and mimic, some unwitting third-party.
Figure 3 - Example email lure
Given the nature of the email lure, recipients targeted will likely include those working within Business Administration, Finance and Sales teams. Furthermore, the compromise of one organization could lead to legitimate email accounts being abused to send convincing lures to other organizations, such as their customers, partners and suppliers.
Macro & VBScript Downloader
Having lured the victim into opening the malicious email attachment, in this case a weaponized Microsoft PowerPoint (PPT) file, albeit one easily interchangeable for some other Microsoft Office file type, the victim is prompted to ‘Enable Editing’ and ‘Enable Content’, resulting in an embedded macro (Figure 4) being executed to download and initiate the first-stage PowerShell script.
Figure 4 - Embedded macro downloader within the PPT file
Whilst lightly obfuscated, this macro creates a Windows Scripting Host Shell Execution object, wshshell.exec, that executes the Microsoft HTML Application process, mshta, to send an HTTP GET request to a ‘Bit.ly’ shortened URL (Figure 5).
Figure 5 - Bit.ly shortened URL redirect
Having redirected to a Blogspot-hosted page, the resulting HTML file (Figure 6) contains a Visual Basic script that is used to ultimately download and launch Agent Tesla that, in turn, downloads and launches Oski Stealer.
Figure 6 - VBScript Downloader
HCrypt AMSI Bypass
Using basic obfuscation, the Visual Basic Script downloader launches a hidden PowerShell window (-w 1), calling cmdlets including Invoke-WebRequest (iwr) to download and execute a PowerShell script named divine.txt from ‘Archive.org’.
The hosting of content on this legitimate service is likely an attempt to avoid detection whilst allowing the delivery method to be updated mid-campaign without needing to manage infrastructure such as domains and/or VPS instances.
Analysis of this PowerShell script (Figure 7) identifies three encoded strings, the first of which is a base64 encoded Dynamic Link Library (DLL) that is decoded and assigned to a PowerShell variable.
Figure 7 - PowerShell script 'divine.txt'
Subsequently, this DLL is reflectively loaded as DECRYPT AES AMSI.dll and contains an AES_decrypt function that is called to decrypt an AES encrypted string, resulting in a base64 encoded DLL being assigned to the $element variable.
Once decoded, the content of $element is internally identified as we.dll and is also reflectively loaded to perform memory patching that results in an Antimalware Scan Interface (AMSI) bypass.
Analysis of code within this AMSI bypass DLL identifies an ANGOLA class with a Main() method that patches the legitimate amsi.dll library in memory, specifically its AmsiScanBuffer function, allowing further malicious code to be executed without being inspected by Windows AMSI.
Finally, the third encoded string requires all pipe characters, ‘|’, to be replaced with an ‘A’ to allow yet another DLL to be base64 decoded.
The resulting file, identified as HBAR.dll, is used to perform ‘process hollowing’ via its own CMD method within the HBAR.PING class, resulting in the legitimate aspnet_compiler.exe process launching the $xtz payload, a byte array leading to the final stage of the delivery, ‘Agent Tesla’.
As widely documented, Agent Tesla is a malware-as-a-service offering readily available to threat actors and, in addition to supporting its own stealer capabilities, is often used by other threat actors to deliver their own payloads.
In this instance, the entire process from the malicious email attachment to the delivery of Agent Tesla may have been purchased as-a-service by the threat actor specifically targeting this industry and region, culminating in the delivery of Oski Stealer.
Notably within the VBScript Downloader, as seen in Figure 6, additional steps are taken for persistence and/or the delivery of additional payloads.
The first, seemingly a persistence method, is a Windows Registry value ironically named notvirus that is added to HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Run (Figure 8) using the Windows Management Instrumentation (WMI) StdRegProv class and its SetStringValue method, thus ensuring that the PowerShell command is executed whenever the user logs on.
Figure 8 - Windows Registry persistence
This is followed by the creation of a scheduled task and three additional Windows Registry values, all of which appear to load malicious code from various Blogspot URLs using the Microsoft HTML Application process (mshta):
- Utilizing the Windows Task Scheduler, a new task named WIND0WSUPLATE is configured to launch MSHTA, along with the Blogspot URL, every eighty minutes.
- Three Windows Registry values named backpup [sic] are added to HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Run, again using WMI, to launch MSHTA at logon along with differing Blogspot URLs.
Whilst no additional malicious code was observed at the time of analysis, these could easily be updated during a campaign to deliver additional nefarious content to victims as well as acting as a failover mechanism should any of the previous Blogspot URLs be taken offline.
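As an added illustration of how the behaviours described above could be surfaced in endpoint telemetry (example code written for this page, not from the Cyberint report or the malware), the Python below labels constructed process-creation events in which mshta.exe is launched with a Bit.ly or Blogspot URL, either by an Office process or by the logon and Task Scheduler parents. Parent process names, field names and URLs are assumptions or placeholders.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Behaviours described above: an Office process spawning mshta.exe with a Bit.ly
# or Blogspot URL, and the same mshta.exe/URL pairing launched again at logon
# (Run key) or by the Task Scheduler. Parent names are assumptions about
# typical Windows telemetry, not values from the report.
OFFICE_PARENTS = {"powerpnt.exe", "winword.exe", "excel.exe"}
AUTORUN_PARENTS = {"explorer.exe", "svchost.exe", "taskeng.exe"}
SUSPICIOUS_URL = re.compile(r"https?://(?:[\w-]+\.)*(bit\.ly|blogspot\.com)(?:[/?#]|$)", re.I)


@dataclass
class ProcEvent:
    parent: str    # image file name of the parent process
    image: str     # image file name of the created process
    cmdline: str   # full command line of the created process


def classify(ev: ProcEvent) -> Optional[str]:
    """Label one process-creation event, or return None when it is not of interest."""
    if ev.image.lower() != "mshta.exe":
        return None
    m = SUSPICIOUS_URL.search(ev.cmdline)
    if not m:
        return None
    host = m.group(1).lower()
    parent = ev.parent.lower()
    if parent in OFFICE_PARENTS:
        return f"office-macro-downloader:{host}"
    if parent in AUTORUN_PARENTS:
        return f"autorun-loader:{host}"
    return f"mshta-remote-content:{host}"


def scan(events: List[ProcEvent]) -> List[Tuple[str, str]]:
    """Return (cmdline, label) for every event that classify() flags."""
    return [(ev.cmdline, label) for ev in events if (label := classify(ev))]


# Constructed sample telemetry (placeholder URLs), not captures from the campaign.
SAMPLE_EVENTS = [
    ProcEvent("POWERPNT.EXE", "mshta.exe", "mshta https://bit.ly/PLACEHOLDER"),
    ProcEvent("svchost.exe", "mshta.exe", "mshta https://placeholder.blogspot.com/p/a.html"),
    ProcEvent("explorer.exe", "mshta.exe", "mshta C:\\Users\\Public\\local.hta"),
    ProcEvent("explorer.exe", "chrome.exe", "chrome https://bit.ly/PLACEHOLDER"),
]
```

The local-file mshta event and the browser event are deliberately left unflagged so the heuristic keys on the combination of interpreter, parent and remote host rather than on any one of them.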
Oski Stealer’s approach is similar to that of most other stealer threats: it focuses on the theft of credentials from common applications, browsers and credential stores, as well as the acquisition of potentially sensitive and valuable data from a victim machine, be that cryptocurrency wallets or other files.
Additionally, Oski Stealer can be used as a ‘loader’ to download and execute additional payloads from its command and control (C2) infrastructure and, notably, will terminate and delete itself upon the conclusion of its task.
Upon execution, Oski Stealer will attempt to acquire its dependencies from the C2 server via a series of HTTP POST requests for seemingly innocuous JPEG images (Figure 9).
Figure 9 - Example dependency HTTP POST request
Whilst the content requested from the server is identified as Content-Type: image/jpeg, the files are in fact legitimate third-party Dynamic Link Libraries (DLL) used to support access to the data of various applications and/or browsers:
- softokn3.dll – Network Security Services and supporting libraries used by Mozilla products such as Firefox and Thunderbird
- vcruntime140.dll – Microsoft Visual C++ redistributable for Visual Studio 2015
- sqlite3.dll – Enables SQLite related operations, allowing sensitive databases used by browsers and/or email clients, including cookie and credential stores, to be accessed
The resulting files are downloaded to a working directory within %PROGRAMDATA% which is created using a random fifteen-digit name.
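The Content-Type mismatch described above can be checked directly against the response bytes. The following Python is an added example (not code from the report or from Oski Stealer) that parses a constructed HTTP response claiming image/jpeg and identifies the body as a PE file from its MZ/PE headers; the responses and the minimal PE image are constructed inside the block.

```python
import struct
from typing import Dict, Optional, Tuple

# The server labels each dependency as a JPEG, but the bodies are Windows DLLs.
# Comparing the declared Content-Type with the body's magic bytes catches that.
JPEG_MAGIC = b"\xff\xd8\xff"

def sniff(body: bytes) -> str:
    """Return a MIME type derived from the body's leading bytes."""
    if body.startswith(JPEG_MAGIC):
        return "image/jpeg"
    if body.startswith(b"MZ"):
        if len(body) >= 0x40:
            # e_lfanew (offset 0x3C) points at the "PE\0\0" signature.
            (e_lfanew,) = struct.unpack_from("<I", body, 0x3C)
            if body[e_lfanew:e_lfanew + 4] == b"PE\0\0":
                return "application/vnd.microsoft.portable-executable"
        return "application/x-dosexec"
    return "application/octet-stream"

def parse_response(raw: bytes) -> Tuple[Dict[str, str], bytes]:
    """Split a raw HTTP response into lower-cased headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers: Dict[str, str] = {}
    for line in head.split(b"\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(b":")
        headers[name.decode().strip().lower()] = value.decode().strip()
    return headers, body

def content_type_mismatch(raw: bytes) -> Optional[Tuple[str, str]]:
    """Return (declared, actual) when the body contradicts Content-Type."""
    headers, body = parse_response(raw)
    declared = headers.get("content-type", "").split(";")[0].strip().lower()
    actual = sniff(body)
    if declared and actual != "application/octet-stream" and actual != declared:
        return declared, actual
    return None

def fake_pe() -> bytes:
    """Constructed minimal PE image: MZ stub, e_lfanew = 0x40, then PE\\0\\0."""
    dos = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, 0x40)
    return bytes(dos) + b"PE\0\0" + b"\0" * 20

# Constructed responses modelled on the behaviour described above, not captures.
FAKE_DLL_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: image/jpeg\r\n"
                     b"Content-Length: 88\r\n\r\n" + fake_pe())
REAL_JPEG_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: image/jpeg\r\n\r\n"
                      b"\xff\xd8\xff\xe0" + b"\0" * 16)
```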
Prior to the exfiltration of any stolen data, Oski Stealer also communicates with its C2 infrastructure via an HTTP POST request to /main.php (Figure 10) to determine whether any additional payload(s) should be downloaded and executed, as well as to gather details of any additional file types and/or paths for theft beyond the default.
Figure 10 - Example call home HTTP POST request
Utilizing the same working directory as the dependency download phase, that being a random fifteen-digit directory in %PROGRAMDATA%, Oski Stealer stores all acquired data in preparation for exfiltration (Figure 11), including credentials from a variety of chat, email, FTP and web-browsing applications as well as cryptocurrency wallets, a desktop screenshot and details of the system configuration.
Figure 11 - Example working directory
Upon the completion of the data theft stage, Oski Stealer creates a compressed Zip archive containing all of this stolen data, and names this with an underscore followed by the first ten digits of the working directory name, for example:
Subsequently, Oski Stealer exfiltrates this data to its C2 server via a HTTP POST request (Figure 12) including the created Zip archive.
Figure 12 - Example exfiltration HTTP POST
Upon the completion of all tasks, Oski Stealer attempts to cover its tracks by both killing its own process, using taskkill, and deleting its own executable and the working directory:
"C:\Windows\System32\cmd.exe" /c taskkill /pid <PID> &
erase %APPDATA%\Temp\<FILENAME>.exe &
RD /S /Q C:\ProgramData\<WORKING_DIRECTORY>\* &
Note, the values for <FILENAME> and <WORKING_DIRECTORY> will differ from infection to infection.
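The following Python is an added example, not code or a regular expression from the report, that matches the host artefacts described above: a fifteen-digit working directory under %PROGRAMDATA%, an archive named with an underscore and the first ten digits of that directory name, and the taskkill/erase/RD cleanup command line. It assumes a .zip extension and that the archive sits in the working directory or directly under %PROGRAMDATA%; all sample paths and digits are constructed.

```python
import re
from typing import List, Tuple

# Host artefacts described above: a fifteen-digit working directory under
# %PROGRAMDATA% and an archive named "_" plus the first ten digits of that
# directory name. The ".zip" extension is assumed from "Zip archive"; the
# archive's location is assumed to be the working directory or %PROGRAMDATA%.
WORKDIR_RE = re.compile(r"^(?:[A-Za-z]:\\)?ProgramData\\(\d{15})(?:\\|$)", re.I)
ARCHIVE_RE = re.compile(r"^(?:[A-Za-z]:\\)?ProgramData\\(?:\d{15}\\)?_(\d{10})\.zip$", re.I)

# Self-deletion command line quoted above; <PID>, <FILENAME> and the directory
# vary per infection, so the structure is matched rather than the values.
CLEANUP_RE = re.compile(
    r'cmd\.exe"?\s+/c\s+taskkill\s+/pid\s+\d+\s*&\s*'
    r'erase\s+\S+\.exe\s*&\s*rd\s+/s\s+/q\s+\S*programdata\\\d{15}', re.I)

def find_staging_artefacts(paths: List[str]) -> List[Tuple[str, str]]:
    """Pair each fifteen-digit ProgramData directory with an archive whose
    ten-digit name is a prefix of that directory name."""
    dirs = {m.group(1) for p in paths if (m := WORKDIR_RE.match(p))}
    hits = []
    for p in paths:
        m = ARCHIVE_RE.match(p)
        if m:
            owner = next((d for d in dirs if d.startswith(m.group(1))), None)
            if owner:
                hits.append((owner, p))
    return hits

def is_self_delete_cmd(cmdline: str) -> bool:
    """True when a command line chains taskkill, erase and RD as described."""
    return CLEANUP_RE.search(cmdline) is not None

# Constructed sample data (arbitrary digits), not from a real infection.
SAMPLE_PATHS = [
    r"C:\ProgramData\Microsoft\Windows\Start Menu",
    r"C:\ProgramData\123456789012345",
    r"C:\ProgramData\123456789012345\_1234567890.zip",
    r"C:\ProgramData\123456789012345\_9999999999.zip",  # prefix mismatch
    r"C:\ProgramData\_9876543210.zip",                  # no working directory
]
SAMPLE_CMD = (r'"C:\Windows\System32\cmd.exe" /c taskkill /pid 4321 & '
              r'erase %APPDATA%\Temp\example.exe & '
              r'RD /S /Q C:\ProgramData\123456789012345\* &')
```

Requiring the archive's ten digits to be a prefix of an observed fifteen-digit directory keeps a lone numeric folder or a stray archive from firing on its own.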
- Employee security awareness training remains an important step in helping them identify and be suspicious of unsolicited emails and phishing campaigns, especially messages with embedded links or file attachments.
- Disable administrative tools and script interpreters, such as PowerShell, to prevent their misuse by malicious payloads.
- Use Group Policy to disable macros from running in Microsoft Office applications (legitimate macros should be digitally signed to allow for an exception to the disable rule).
- Educate users on the common TTP used and reinforce the message that documents encouraging them to ‘Enable Editing’, ‘Enable Content’ or disable any other security setting are almost certainly malicious.
- Multi-factor authentication should be implemented wherever possible to limit the effectiveness of stolen credentials.
- Employees should be reminded of the risks associated with credential reuse and weak passwords supported by password policies to encourage best practice.
- Limit user permissions according to the principle of least privilege (POLP).
- Ensure that email security controls are applied to limit the delivery of potentially malicious attachments or links to end-users, as well as implementing protocols and security controls such as DKIM, DMARC and SPF.
- Continuous monitoring for unusual endpoint behaviors, such as excessive requests to specific web hosts using unusual user-agent strings, can provide an early indication of compromise.
- Consider applying deep content inspection to ensure that any downloaded content filetype matches the actual file content in addition to blocking dangerous filetypes, such as executables, for standard users.
Indicators of Compromise
File Samples (SHA256)
The following hashes are provided for reference; given the ongoing nature of these campaigns, it is likely that the threat actor will utilize detection-avoidance methods such as packing and crypting, resulting in differing cryptographic hashes.
- AES Decryption – DECRYPT AES AMSI.dll
- AMSI Bypass –
- Process Hollowing –
- Agent Tesla
- Oski Stealer
HTTP POST Headers
The following HTTP headers were observed during command and control (C2) communications and may be unusual or anomalous in some environments:
Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A
The following URLs have been observed as used during the initial downloader phases:
Given the identification of additional malicious scripts hosted on Archive.org, the following regular expression could be used to detect potentially malicious content:
Additionally, multiple resources hosted on the Oski Stealer C2 URL have been observed with the directory structure potentially changing between campaigns:
The creation of unexpected directories and files within
%PROGRAMDATA% could be indicative of compromise, especially the creation of a fifteen-digit directory and exfiltration Zip archive, as such, the following regular expression matches the directory structure and corresponding archive filename:
Additionally, the following files are consistently generated by Oski Stealer