{"id":6840,"date":"2021-08-10T13:25:33","date_gmt":"2021-08-10T20:25:33","guid":{"rendered":"https:\/\/blogs.infoblox.com\/?p=6840"},"modified":"2024-08-07T12:20:36","modified_gmt":"2024-08-07T19:20:36","slug":"swift-payment-themed-malspam-delivers-oski-stealer","status":"publish","type":"post","link":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-campaign-briefs\/swift-payment-themed-malspam-delivers-oski-stealer\/","title":{"rendered":"Swift Payment-Themed Malspam Delivers Oski Stealer"},"content":{"rendered":"<h3><strong>Author: Yadu Nadh<\/strong><\/h3>\n<p>&nbsp;<\/p>\n<h3>Overview<\/h3>\n<p>On 3 August, Infoblox observed a malicious malspam campaign distributing Oski Stealer, which is best known as a credential stealer, although it also has other capabilities. According to Cisco Talos, Oski Stealer shares code (thus traits) with Vidar and Arkei Stealer.<\/p>\n<h3>Customer Impact<\/h3>\n<p>The malware, which can be purchased from underground forums for $70\u2013$100,<sup>2<\/sup> targets businesses and individuals in the U.S. and China<sup>3<\/sup> but has not infected machines in the Commonwealth of Independent States (CIS).<\/p>\n<p>Oski Stealer has been distributed via emails that contain a variety of lures and phishing themes, and it comes with an array of features, such as those that allow a threat actor to take screenshots and steal the following from an infected machine:<\/p>\n<ul>\n<li>login credentials from applications<\/li>\n<li>cookies, autofill data, credit cards, and other information stored by web browsers<\/li>\n<li>cryptocurrency wallets<\/li>\n<li>system information<\/li>\n<\/ul>\n<p>Oski Stealer can also function as a downloader and can execute other malware. 
It can evade anti-malware products and make itself hard to detect by obfuscating (1) the strings it used to store the function names and (2) the paths it embedded in the binary and decrypted during runtime.<\/p>\n<h3>Campaign Analysis<\/h3>\n<p>This malspam campaign uses a Swift payment theme to lure victims. The email has the subject \u56de\u590d: Payments, an empty body, and an attachment that is a Microsoft RTF file swift_message_723-18-22-78_2-8-2021.doc.<\/p>\n<h3>Attack Chain<\/h3>\n<p>Once opened, the RTF file executes an embedded Windows PowerShell script that contains the instruction powershell.exe&#8221; -NoP -sta -NonI -W Hidden&#8230;, which silently (1) downloads a .NET binary and (2) executes it.<\/p>\n<p>Oski Stealer then contacts a remote server, downloads seven clean dynamic link libraries (DLLs), and stores them together in C:\\ProgramData. It creates C:\\ProgramData\\755173102468318 to store all the information it steals.<\/p>\n<p>After capturing and storing the victim\u2019s information, Oski Stealer compresses the stolen data into a ZIP file, exfiltrates it to its server, and deletes the stolen information from the victim&#8217;s machine by running cmd.exe&#8221; \/c taskkill \/pid 3860 &amp; erase C:\\Users\\admin\\AppData\\Roaming\\texts.exe &amp; RD \/S \/Q C:\\\\ProgramData\\\\755173102468318\\\\* &amp; exit.<\/p>\n<p>&nbsp;<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-6844\" src=\"https:\/\/blogs.infoblox.com\/wp-content\/uploads\/swift-payment-themed-malspam-delivers-oski-stealer-v1.png\" alt=\"\" width=\"872\" height=\"1178\" srcset=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/swift-payment-themed-malspam-delivers-oski-stealer-v1.png 872w, https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/swift-payment-themed-malspam-delivers-oski-stealer-v1-222x300.png 222w, https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/swift-payment-themed-malspam-delivers-oski-stealer-v1-758x1024.png 
758w, https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/swift-payment-themed-malspam-delivers-oski-stealer-v1-768x1038.png 768w\" sizes=\"auto, (max-width: 872px) 100vw, 872px\" \/><\/p>\n<p>&nbsp;<\/p>\n<h3>Vulnerabilities &amp; Mitigation<\/h3>\n<p>Malspam email campaigns are a common distribution method for malware. Infoblox recommends that users take the following precautions to reduce the possibility of an infection:<\/p>\n<ul>\n<li>Always be suspicious of emails that contain documents and links, especially emails that contain delivery instructions or text about financial topics.<\/li>\n<li>Avoid opening emails with generic subject lines.<\/li>\n<li>Many malware families use macros as part of the attack chain. Do not enable macros in Microsoft Office attachments, especially macros whose only apparent contents are directions for enabling the macros. Never configure Microsoft Office to enable macros by default.<\/li>\n<li>Before opening an attachment that seems to have come from a legitimate source, check whether the alleged source really sent that email.<\/li>\n<\/ul>\n<h3><strong>Endnotes<\/strong><\/h3>\n<ol>\n<li><a href=\"https:\/\/blog.talosintelligence.com\/2020\/09\/threat-roundup-0911-0918.html\">https:\/\/blog.talosintelligence.com\/2020\/09\/threat-roundup-0911-0918.html<\/a><\/li>\n<li><a href=\"https:\/\/www.cyberark.com\/resources\/threat-research-blog\/meet-oski-stealer-an-in-depth-analysis-of-the-popular-credential-stealer\">https:\/\/www.cyberark.com\/resources\/threat-research-blog\/meet-oski-stealer-an-in-depth-analysis-of-the-popular-credential-stealer<\/a><\/li>\n<li><a href=\"https:\/\/threatpost.com\/oski-data-stealing-malware-north-america-china\/151856\/\">https:\/\/threatpost.com\/oski-data-stealing-malware-north-america-china\/151856\/<\/a><\/li>\n<\/ol>\n<p>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Author: Yadu Nadh &nbsp; Overview On 3 August, Infoblox observed a malicious malspam campaign distributing Oski 
Stealer, which is best known as a credential stealer, although it also has other capabilities. According to Cisco Talos, Oski Stealer shares code (thus traits) with Vidar and Arkei Stealer. Customer Impact The malware, which can be purchased from [&hellip;]<\/p>\n","protected":false},"author":397,"featured_media":6841,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"inline_featured_image":false,"_genesis_hide_title":false,"_genesis_hide_breadcrumbs":false,"_genesis_hide_singular_image":false,"_genesis_hide_footer_widgets":false,"_genesis_custom_body_class":"","_genesis_custom_post_class":"","_genesis_layout":"","footnotes":""},"categories":[553],"tags":[236,488,294,40,189],"class_list":{"0":"post-6840","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-cyber-campaign-briefs","8":"tag-cyberthreat","9":"tag-cyberthreat-intelligence-report","10":"tag-malspam","11":"tag-threat-intelligence","12":"tag-cybersecurity","13":"entry"},"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v27.3 (Yoast SEO v27.3) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>Swift Payment-Themed Malspam Delivers Oski Stealer | Infoblox<\/title>\n<meta name=\"description\" content=\"On 3 August, Infoblox observed a malicious malspam campaign distributing Oski Stealer, which is best known as a credential stealer, although it also has other capabilities. 
According to Cisco Talos, Oski Stealer shares code (thus traits) with Vidar and Arkei Stealer.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-campaign-briefs\/swift-payment-themed-malspam-delivers-oski-stealer\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Swift Payment-Themed Malspam Delivers Oski Stealer\" \/>\n<meta property=\"og:description\" content=\"On 3 August, Infoblox observed a malicious malspam campaign distributing Oski Stealer, which is best known as a credential stealer, although it also has other capabilities. According to Cisco Talos, Oski Stealer shares code (thus traits) with Vidar and Arkei Stealer.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-campaign-briefs\/swift-payment-themed-malspam-delivers-oski-stealer\/\" \/>\n<meta property=\"og:site_name\" content=\"Infoblox Blog\" \/>\n<meta property=\"article:published_time\" content=\"2021-08-10T20:25:33+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2024-08-07T19:20:36+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/swift-payment-themed-malspam-delivers-oski-stealer.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"612\" \/>\n\t<meta property=\"og:image:height\" content=\"408\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Infoblox Threat Intel\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Infoblox Threat Intel\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/cyber-campaign-briefs\\\/swift-payment-themed-malspam-delivers-oski-stealer\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/cyber-campaign-briefs\\\/swift-payment-themed-malspam-delivers-oski-stealer\\\/\"},\"author\":{\"name\":\"Infoblox Threat Intel\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#\\\/schema\\\/person\\\/b6aed8965e3298a0817c16d32c0a67ae\"},\"headline\":\"Swift Payment-Themed Malspam Delivers Oski Stealer\",\"datePublished\":\"2021-08-10T20:25:33+00:00\",\"dateModified\":\"2024-08-07T19:20:36+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/cyber-campaign-briefs\\\/swift-payment-themed-malspam-delivers-oski-stealer\\\/\"},\"wordCount\":496,\"publisher\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/cyber-campaign-briefs\\\/swift-payment-themed-malspam-delivers-oski-stealer\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/wp-content\\\/uploads\\\/swift-payment-themed-malspam-delivers-oski-stealer.jpg\",\"keywords\":[\"Cyberthreat\",\"Cyberthreat intelligence report\",\"Malspam\",\"Threat Intelligence\",\"Cybersecurity\"],\"articleSection\":[\"Cyber Campaign 
Briefs\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/cyber-campaign-briefs\\\/swift-payment-themed-malspam-delivers-oski-stealer\\\/\",\"url\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/cyber-campaign-briefs\\\/swift-payment-themed-malspam-delivers-oski-stealer\\\/\",\"name\":\"Swift Payment-Themed Malspam Delivers Oski Stealer | Infoblox\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/cyber-campaign-briefs\\\/swift-payment-themed-malspam-delivers-oski-stealer\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/cyber-campaign-briefs\\\/swift-payment-themed-malspam-delivers-oski-stealer\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/wp-content\\\/uploads\\\/swift-payment-themed-malspam-delivers-oski-stealer.jpg\",\"datePublished\":\"2021-08-10T20:25:33+00:00\",\"dateModified\":\"2024-08-07T19:20:36+00:00\",\"description\":\"On 3 August, Infoblox observed a malicious malspam campaign distributing Oski Stealer, which is best known as a credential stealer, although it also has other capabilities. 
According to Cisco Talos, Oski Stealer shares code (thus traits) with Vidar and Arkei Stealer.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/cyber-campaign-briefs\\\/swift-payment-themed-malspam-delivers-oski-stealer\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/cyber-campaign-briefs\\\/swift-payment-themed-malspam-delivers-oski-stealer\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/cyber-campaign-briefs\\\/swift-payment-themed-malspam-delivers-oski-stealer\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/wp-content\\\/uploads\\\/swift-payment-themed-malspam-delivers-oski-stealer.jpg\",\"contentUrl\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/wp-content\\\/uploads\\\/swift-payment-themed-malspam-delivers-oski-stealer.jpg\",\"width\":612,\"height\":408,\"caption\":\"White graphic symbol of a lock on binary computer display - computer data protection. 
Internet Business Cyber security system concept\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/cyber-campaign-briefs\\\/swift-payment-themed-malspam-delivers-oski-stealer\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Infoblox Threat Intel\",\"item\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/category\\\/threat-intelligence\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Cyber Campaign Briefs\",\"item\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/category\\\/threat-intelligence\\\/cyber-campaign-briefs\\\/\"},{\"@type\":\"ListItem\",\"position\":4,\"name\":\"Swift Payment-Themed Malspam Delivers Oski Stealer\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/\",\"name\":\"infoblox.com\\\/blog\\\/\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#organization\",\"name\":\"Infoblox\",\"url\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/wp-content\\\/uploads\\\/infoblox-logo-2.svg\",\"contentUrl\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/wp-content\\\/uploads\\\/infoblox-logo-2.svg\",\"width\":137,\"height\
":30,\"caption\":\"Infoblox\"},\"image\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#\\\/schema\\\/person\\\/b6aed8965e3298a0817c16d32c0a67ae\",\"name\":\"Infoblox Threat Intel\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/blogs.infoblox.com\\\/wp-content\\\/uploads\\\/avatar_user_397_1714162589-96x96.png\",\"url\":\"https:\\\/\\\/blogs.infoblox.com\\\/wp-content\\\/uploads\\\/avatar_user_397_1714162589-96x96.png\",\"contentUrl\":\"https:\\\/\\\/blogs.infoblox.com\\\/wp-content\\\/uploads\\\/avatar_user_397_1714162589-96x96.png\",\"caption\":\"Infoblox Threat Intel\"},\"description\":\"Infoblox Threat Intel is the leading creator of original DNS threat intelligence, distinguishing itself in a sea of aggregators. What sets us apart? Two things: mad DNS skills and unparalleled visibility. DNS is notoriously tricky to interpret and hunt from, but our deep understanding and unique access to the internet's inner workings allow us to track down threat actors that others can't see. We're proactive, not just defensive, using our insights to disrupt cybercrime where it begins. We also believe in sharing knowledge to support the broader security community by publishing detailed research and releasing indicators on GitHub. In addition, our intel is seamlessly integrated into our Infoblox Protective DNS solutions, so customers automatically get its benefits, along with ridiculously low false positive rates.\",\"url\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/author\\\/infoblox-threat-intel\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. 
-->","yoast_head_json":{"title":"Swift Payment-Themed Malspam Delivers Oski Stealer | Infoblox","description":"On 3 August, Infoblox observed a malicious malspam campaign distributing Oski Stealer, which is best known as a credential stealer, although it also has other capabilities. According to Cisco Talos, Oski Stealer shares code (thus traits) with Vidar and Arkei Stealer.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-campaign-briefs\/swift-payment-themed-malspam-delivers-oski-stealer\/","og_locale":"en_US","og_type":"article","og_title":"Swift Payment-Themed Malspam Delivers Oski Stealer","og_description":"On 3 August, Infoblox observed a malicious malspam campaign distributing Oski Stealer, which is best known as a credential stealer, although it also has other capabilities. According to Cisco Talos, Oski Stealer shares code (thus traits) with Vidar and Arkei Stealer.","og_url":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-campaign-briefs\/swift-payment-themed-malspam-delivers-oski-stealer\/","og_site_name":"Infoblox Blog","article_published_time":"2021-08-10T20:25:33+00:00","article_modified_time":"2024-08-07T19:20:36+00:00","og_image":[{"width":612,"height":408,"url":"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/swift-payment-themed-malspam-delivers-oski-stealer.jpg","type":"image\/jpeg"}],"author":"Infoblox Threat Intel","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Infoblox Threat Intel","Est. 
reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-campaign-briefs\/swift-payment-themed-malspam-delivers-oski-stealer\/#article","isPartOf":{"@id":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-campaign-briefs\/swift-payment-themed-malspam-delivers-oski-stealer\/"},"author":{"name":"Infoblox Threat Intel","@id":"https:\/\/www.infoblox.com\/blog\/#\/schema\/person\/b6aed8965e3298a0817c16d32c0a67ae"},"headline":"Swift Payment-Themed Malspam Delivers Oski Stealer","datePublished":"2021-08-10T20:25:33+00:00","dateModified":"2024-08-07T19:20:36+00:00","mainEntityOfPage":{"@id":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-campaign-briefs\/swift-payment-themed-malspam-delivers-oski-stealer\/"},"wordCount":496,"publisher":{"@id":"https:\/\/www.infoblox.com\/blog\/#organization"},"image":{"@id":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-campaign-briefs\/swift-payment-themed-malspam-delivers-oski-stealer\/#primaryimage"},"thumbnailUrl":"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/swift-payment-themed-malspam-delivers-oski-stealer.jpg","keywords":["Cyberthreat","Cyberthreat intelligence report","Malspam","Threat Intelligence","Cybersecurity"],"articleSection":["Cyber Campaign Briefs"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-campaign-briefs\/swift-payment-themed-malspam-delivers-oski-stealer\/","url":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-campaign-briefs\/swift-payment-themed-malspam-delivers-oski-stealer\/","name":"Swift Payment-Themed Malspam Delivers Oski Stealer | 
Infoblox","isPartOf":{"@id":"https:\/\/www.infoblox.com\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-campaign-briefs\/swift-payment-themed-malspam-delivers-oski-stealer\/#primaryimage"},"image":{"@id":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-campaign-briefs\/swift-payment-themed-malspam-delivers-oski-stealer\/#primaryimage"},"thumbnailUrl":"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/swift-payment-themed-malspam-delivers-oski-stealer.jpg","datePublished":"2021-08-10T20:25:33+00:00","dateModified":"2024-08-07T19:20:36+00:00","description":"On 3 August, Infoblox observed a malicious malspam campaign distributing Oski Stealer, which is best known as a credential stealer, although it also has other capabilities. According to Cisco Talos, Oski Stealer shares code (thus traits) with Vidar and Arkei Stealer.","breadcrumb":{"@id":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-campaign-briefs\/swift-payment-themed-malspam-delivers-oski-stealer\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-campaign-briefs\/swift-payment-themed-malspam-delivers-oski-stealer\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-campaign-briefs\/swift-payment-themed-malspam-delivers-oski-stealer\/#primaryimage","url":"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/swift-payment-themed-malspam-delivers-oski-stealer.jpg","contentUrl":"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/swift-payment-themed-malspam-delivers-oski-stealer.jpg","width":612,"height":408,"caption":"White graphic symbol of a lock on binary computer display - computer data protection. 
Internet Business Cyber security system concept"},{"@type":"BreadcrumbList","@id":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-campaign-briefs\/swift-payment-themed-malspam-delivers-oski-stealer\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.infoblox.com\/blog\/"},{"@type":"ListItem","position":2,"name":"Infoblox Threat Intel","item":"https:\/\/www.infoblox.com\/blog\/category\/threat-intelligence\/"},{"@type":"ListItem","position":3,"name":"Cyber Campaign Briefs","item":"https:\/\/www.infoblox.com\/blog\/category\/threat-intelligence\/cyber-campaign-briefs\/"},{"@type":"ListItem","position":4,"name":"Swift Payment-Themed Malspam Delivers Oski Stealer"}]},{"@type":"WebSite","@id":"https:\/\/www.infoblox.com\/blog\/#website","url":"https:\/\/www.infoblox.com\/blog\/","name":"infoblox.com\/blog\/","description":"","publisher":{"@id":"https:\/\/www.infoblox.com\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.infoblox.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.infoblox.com\/blog\/#organization","name":"Infoblox","url":"https:\/\/www.infoblox.com\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.infoblox.com\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/infoblox-logo-2.svg","contentUrl":"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/infoblox-logo-2.svg","width":137,"height":30,"caption":"Infoblox"},"image":{"@id":"https:\/\/www.infoblox.com\/blog\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/www.infoblox.com\/blog\/#\/schema\/person\/b6aed8965e3298a0817c16d32c0a67ae","name":"Infoblox Threat 
Intel","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blogs.infoblox.com\/wp-content\/uploads\/avatar_user_397_1714162589-96x96.png","url":"https:\/\/blogs.infoblox.com\/wp-content\/uploads\/avatar_user_397_1714162589-96x96.png","contentUrl":"https:\/\/blogs.infoblox.com\/wp-content\/uploads\/avatar_user_397_1714162589-96x96.png","caption":"Infoblox Threat Intel"},"description":"Infoblox Threat Intel is the leading creator of original DNS threat intelligence, distinguishing itself in a sea of aggregators. What sets us apart? Two things: mad DNS skills and unparalleled visibility. DNS is notoriously tricky to interpret and hunt from, but our deep understanding and unique access to the internet's inner workings allow us to track down threat actors that others can't see. We're proactive, not just defensive, using our insights to disrupt cybercrime where it begins. We also believe in sharing knowledge to support the broader security community by publishing detailed research and releasing indicators on GitHub. 
In addition, our intel is seamlessly integrated into our Infoblox Protective DNS solutions, so customers automatically get its benefits, along with ridiculously low false positive rates.","url":"https:\/\/www.infoblox.com\/blog\/author\/infoblox-threat-intel\/"}]}},"_links":{"self":[{"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/posts\/6840","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/users\/397"}],"replies":[{"embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/comments?post=6840"}],"version-history":[{"count":4,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/posts\/6840\/revisions"}],"predecessor-version":[{"id":6846,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/posts\/6840\/revisions\/6846"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/media\/6841"}],"wp:attachment":[{"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/media?parent=6840"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/categories?post=6840"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/tags?post=6840"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}