A new malicious framework called OkoBot has been discovered by researchers at Kaspersky. This framework delivers more than 20 payloads in attacks focused on stealing cryptocurrency wallet seed phrases, credentials, and other sensitive data.
According to the researchers, the OkoBot campaign has been ongoing for over a year and evolved from the activity that delivered the malicious PowerShell script TookPS. However, the infection chain has been completely changed, with multiple attack stages and TookPS being used in the first phase to install and configure an SSH bot that delivered the other malicious components.
The SSH bot is responsible for collecting system details, including username, antivirus software, IP address, and OS version, as well as disabling Windows Defender notifications. It also harvests cryptocurrency wallet files, browser cookies, and account credentials.
Among the 20 modules OkoBot uses in these attacks, some of the most notable include:
* ext daemon/extl.exe: Injects into Chrome browsers to silently install and hide malicious extensions like Rilide, which targets credentials, cookies, financial information, and cryptocurrency-related data.
* SeedHunter: Injects into Trezor Suite, Ledger Wallet, and Ledger Live to display a fake seed-recovery screen designed to steal wallet recovery phrases from victims.
* MC Keylogger: Records keystrokes and clipboard activity, including copied text, images, and file paths, and can also monitor for USB connections and take screenshots every 5 minutes.
* OkoSpyware: Monitors 100 programs like cryptocurrency wallets and password managers, and uses FFmpeg to record video of their windows and capture keystrokes.
It’s essential to note that a wallet recovery phrase provides full access to a user’s cryptocurrency assets. If attackers obtain it, they can transfer the funds to wallets they control, with virtually no possibility of recovery.
Kaspersky telemetry shows that the majority of OkoBot’s victims are located in Brazil, followed by Vietnam, Canada, Mexico, and Turkey. However, the campaign’s reach is global.
While Kaspersky does not attribute the OkoBot campaign to any threat actor, the researchers shared that access to the servers hosting the PowerShell scripts for the initial stage of the attack is geoblocked. They noticed that payloads are not delivered when using an IP address from Russia or the Commonwealth of Independent States (CIS) space, and the server returns an empty response.
Additional clues pointing to a Russian-speaking threat actor include Russian comments present in the source code of the SeedHunter module and the use of an infostealer that is actively promoted on invitation-only Russian cybercrime forums.
Kaspersky’s report provides a set of indicators of compromise that includes hashes for the malicious plugins, injector payloads, SSH bot utilities, file paths, domains, and IP addresses.
**Indicators of Compromise:**
* Hashes for malicious plugins, injector payloads, SSH bot utilities, file paths, domains, and IP addresses.
**Recommendations:*
* Keep software up-to-date and use reputable sources for downloads.
* Use antivirus software and enable Windows Defender notifications.
* Monitor system logs for suspicious activity.
* Regularly back up sensitive data.
Source: Original article