Skip to content
Tech News
← Back to articles

New OkoBot framework deploys 20 payloads to steal data, crypto

read original more articles
Why This Matters

The emergence of the OkoBot framework highlights the increasing sophistication of cybercriminals targeting cryptocurrency assets and sensitive data. Its multi-stage attack approach and ability to stealthily steal wallet seed phrases and credentials pose significant risks to consumers and the industry alike, emphasizing the need for enhanced cybersecurity awareness and defenses.

Key Takeaways

A new malicious framework called OkoBot is delivering more than 20 payloads in attacks focused on stealing cryptocurrency wallet seed phrases, credentials, and other sensitive data.

OkoBot reaches victims through ClickFix attacks or malicious GitHub repositories pretending to host legitimate software tools.

In one case, a repository claimed to offer SQL Server Management Studio (SSMS) but dropped a trojanized version of the Audacity audio editing tool.

Researchers at cybersecurity company Kaspersky say that the OkoBot campaign has been ongoing for more than a year and evolved from the activity that delivered the malicious PowerShell script TookPS.

However, the infection chain has been completely changed, with multiple attack stages and TookPS being used in the first phase to install and configure an SSH bot that delivered the other malicious components.

The OkoBot infection chain

Source: Kaspersky

The SSH bot is also responsible for collecting system details (username, antivirus software, IP address, OS version) and disabling Windows Defender notifications. It also harvests cryptocurrency wallet files, browser cookies, and account credentials.

Among the 20 modules OkoBot uses in these attacks, the most notable are:

ext daemon/extl.exe : Injects into Chrome browsers to silently install and hide malicious extensions like Rilide, which targets credentials, cookies, financial information, and cryptocurrency-related data.

... continue reading