Osno Malware Description
The Osno Malware is a complex threat that can perform multiple threatening activities on any computer it infects, according to the needs of the threat actor. It can harvest data and exfiltrate it to remote servers while simultaneously establishing a clipboard hijacker and a coin miner on the compromised device. The main targets of the Osno Malware appear to be computer users who wish to use illicit tools. For example, the threat was observed injected into the 'Steam Machine Brute Force Checker,' a hack tool for obtaining Steam Engine passwords by brute-forcing them illicitly. The Trojanized application displays its normal GUI screen to the user while the Osno Malware executes its threatening activity in the background. The weaponized application was packaged into a 'Steam_Machine_Checker.rar' file and was then made available for download from the hxxps[:]//www[.]upload[.]ee/files/12701875/Steam_Machine_Checker[.]rar[.]html website.
A Versatile Malware Threat
Upon being executed on the target's system, the Osno Malware ensures the presence of its coin mining component by creating a persistence mechanism for it. The threat injects a Run entry into the 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' registry location that points to '%AppData%\Roaming\scvhost\scvhostservice.exe'. In turn, the scvhostservice.exe file executes another file dropped by the malware, named svchost.exe, which is responsible for mining the Litecoin cryptocurrency with the compromised system's resources. It should be noted that the Osno Malware coin miner is based heavily on open-source programs with the same functionality, such as DiabloMiner.
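The persistence technique above leaves a clear artifact: a per-user Run value whose target lives in a user-writable directory and whose path imitates a Windows system binary ('scvhost' for 'svchost'). The following detection logic is an added example written for this page, not code from the original report or from any product; it runs over constructed Sysmon-style "registry value set" (Event ID 13) lines that are invented here for illustration, and the field names, log format and the list of imitated system binaries are assumptions.

```python
import re

# Constructed Sysmon-style RegistryEvent (Value Set, Event ID 13) lines. Not real telemetry;
# the first line mirrors the Run entry described in the report, the others are benign decoys.
SAMPLE_EVENTS = [
    r"EventID=13 Image=C:\Users\alice\Downloads\Steam_Machine_Checker.exe "
    r"TargetObject=HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\scvhostservice "
    r"Details=C:\Users\alice\AppData\Roaming\scvhost\scvhostservice.exe",
    r"EventID=13 Image=C:\Program Files\Vendor\setup.exe "
    r"TargetObject=HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VendorUpdater "
    r"Details=C:\Program Files\Vendor\updater.exe",
    r"EventID=13 Image=C:\Windows\explorer.exe "
    r"TargetObject=HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive "
    r"Details=C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
    r"EventID=1 Image=C:\Windows\System32\svchost.exe CommandLine=svchost.exe -k netsvcs",
]

# Names that malware commonly imitates (assumed list; extend for your environment).
SYSTEM_BINARIES = ("svchost", "csrss", "lsass", "winlogon", "explorer", "conhost")


def parse_event(line):
    """Split a 'key=value key=value' line into a dict; values may contain spaces."""
    return dict(re.findall(r"(\w+)=(.*?)(?= \w+=|$)", line))


def edit_distance(a, b):
    """Levenshtein distance, used to catch typo-squatted names such as scvhost/svchost."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(component):
    """Return the system binary a path component imitates (distance 1-2), or None."""
    for name in SYSTEM_BINARIES:
        if 0 < edit_distance(component, name) <= 2:
            return name
    return None


def assess_run_entry(event):
    """Return the reasons a Run-key target looks suspicious (empty list = nothing notable)."""
    reasons = []
    low = event.get("Details", "").lower()
    if "\\appdata\\" in low or "\\programdata\\" in low or "\\temp\\" in low:
        reasons.append("user-writable-path")
    components = [c[:-4] if c.endswith(".exe") else c for c in low.split("\\") if c]
    for comp in components:
        if comp in SYSTEM_BINARIES and "\\windows\\" not in low:
            reasons.append(f"system-binary-name-outside-windows:{comp}")
        else:
            mimic = lookalike_of(comp)
            if mimic:
                reasons.append(f"lookalike-name:{comp}~{mimic}")
    return reasons


def find_suspicious_run_entries(lines):
    """Evaluate every Run-key value-set event and rate it."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "13":
            continue
        if "\\currentversion\\run\\" not in ev.get("TargetObject", "").lower():
            continue
        reasons = assess_run_entry(ev)
        # A user-writable path alone is normal for per-user software (updaters, OneDrive);
        # escalate only when it is combined with a name that imitates a system binary.
        high = any(r.startswith(("lookalike-name", "system-binary-name")) for r in reasons)
        findings.append({
            "value": ev["TargetObject"].rsplit("\\", 1)[-1],
            "target": ev["Details"],
            "reasons": reasons,
            "high": high,
        })
    return findings


if __name__ == "__main__":
    for f in find_suspicious_run_entries(SAMPLE_EVENTS):
        print(("HIGH " if f["high"] else "info ") + f["value"], f["target"], f["reasons"])
```

Only the 'scvhostservice' entry is rated high: the OneDrive entry also lives under AppData, which is why the path check by itself would be too noisy and the look-alike name is the deciding signal.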
While the Osno Malware mines for Litecoin, its clipboard hijacker is focused on intercepting and substituting Bitcoin wallet addresses saved in the clipboard. The threat reads the current clipboard contents using Clipboard.GetText( ). If the address in the clipboard begins with '1', the Osno Malware uses Clipboard.SetText( ) to replace it with the wallet address of the hackers (1LrPUuoopchKbfkJYLEwk2YWqBh6ZakTxX). In practice, users may not even realize that the funds they have sent were rerouted to a completely different destination.
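Because the swap happens between the user's copy and their paste, a practical defence is for the application (or a small helper) to remember what the user actually copied and to compare it against the clipboard at paste time. The guard below is an added example written for this page, not code from the report or from any wallet product; the address patterns only check prefix, length and alphabet (no Base58 checksum), the user address is constructed, and the attacker address is the one quoted in the report.

```python
import re

# Loose address shapes (prefix, length, alphabet only). Legacy P2PKH addresses start with '1',
# which is exactly the prefix the hijacker described in the report keys on.
BTC_PATTERNS = {
    "p2pkh": re.compile(r"^1[1-9A-HJ-NP-Za-km-z]{25,34}$"),
    "p2sh": re.compile(r"^3[1-9A-HJ-NP-Za-km-z]{25,34}$"),
    "bech32": re.compile(r"^bc1[02-9ac-hj-np-z]{8,87}$"),
}


def address_kind(text):
    """Classify a string as a Bitcoin address shape, or None if it does not look like one."""
    for kind, pattern in BTC_PATTERNS.items():
        if pattern.match(text.strip()):
            return kind
    return None


class ClipboardGuard:
    """Remembers what the user copied and re-checks the clipboard before a paste is honoured."""

    def __init__(self):
        self.last_user_copy = None

    def on_user_copy(self, text):
        # Called from the application's own copy action, not from clipboard-change events,
        # so a write by another process cannot update this value.
        self.last_user_copy = text

    def check_before_paste(self, clipboard_now):
        """Return (ok, message). ok is False when an address was silently replaced."""
        if self.last_user_copy is None or clipboard_now == self.last_user_copy:
            return True, "clipboard matches what the user copied"
        before, after = address_kind(self.last_user_copy), address_kind(clipboard_now)
        if before and after:
            return False, f"{before} address replaced by a different {after} address"
        if before and not after:
            return False, "copied address was replaced by non-address content"
        return True, "content changed but no address involved"


# Constructed event sequence. 'external_set' models another process writing the clipboard
# (what the hijacker does with Clipboard.SetText) without the user being involved.
USER_ADDRESS = "1ConstructedUserAddrForDemoKjQ7wZ"            # constructed, not a real wallet
SWAPPED_ADDRESS = "1LrPUuoopchKbfkJYLEwk2YWqBh6ZakTxX"       # the address quoted in the report
SAMPLE_EVENTS = [
    ("user_copy", USER_ADDRESS),
    ("external_set", SWAPPED_ADDRESS),
    ("paste", None),
    ("user_copy", "hello world"),
    ("paste", None),
]


def replay(events):
    """Simulate a clipboard and return the alerts the guard raises at each paste."""
    clipboard = None
    guard = ClipboardGuard()
    alerts = []
    for action, text in events:
        if action == "user_copy":
            clipboard = text
            guard.on_user_copy(text)
        elif action == "external_set":
            clipboard = text          # the guard is deliberately not informed
        elif action == "paste":
            ok, message = guard.check_before_paste(clipboard)
            if not ok:
                alerts.append(message)
    return alerts


if __name__ == "__main__":
    for alert in replay(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

The first paste is flagged because the clipboard holds a different P2PKH address from the one the user copied; the second paste passes because plain text was copied and nothing changed it. The guard deliberately listens to the application's own copy action rather than to clipboard-change notifications, since the hijacker's SetText call is itself a clipboard change.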
The infostealing capabilities of the Osno Malware are also quite potent. The threat can breach and harvest bookmarks and crypto-wallet addresses, track running processes, scan all installed software, etc. The list of cryptocurrency wallets targeted by the malware includes Bitcoin, Ethereum, Litecoin, Electrum, Exodus, Bytecoin, Zcash, Armory, Dash, Coinomi, Guarda and Atomic. In addition, arbitrary screenshots of the infected system can be captured after the threat downloads the CommandCam.exe application.
The gathered private data can be exfiltrated via Telegram using the 'sendDocument' method of the Telegram Bot API. The current limit on uploaded files is 50 MB, but the size threshold could be modified in future operations.
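Exfiltration through the Telegram Bot API is visible on the network as HTTPS POST requests to api.telegram.org whose path embeds the bot token and the method name. The detection below is an added example written for this page, not code from the report; it parses constructed proxy log lines (timestamp, client, method, URL, bytes sent, all invented here), flags 'sendDocument' uploads, redacts the token before it lands in an alert, and totals bytes per client and bot so a multi-file exfiltration shows up as one picture. The log format, the bot-token shape and the 50 MB limit used for the "at limit" flag are assumptions taken from the paragraph above and from the public API's URL layout.

```python
import re
from urllib.parse import urlsplit

# Constructed proxy log lines: "<timestamp> <client> <method> <url> <bytes-sent>". Not real traffic;
# the tokens are placeholders shaped like Bot API tokens (<bot id>:<secret>).
SAMPLE_PROXY_LOG = [
    "2024-01-01T10:00:01Z 10.0.0.5 POST https://api.telegram.org/bot123456789:AAExampleTokenXYZ/sendDocument 734003",
    "2024-01-01T10:00:07Z 10.0.0.5 GET https://www.example.com/index.html 0",
    "2024-01-01T10:01:15Z 10.0.0.9 POST https://api.telegram.org/bot987654321:AAAnotherTokenQ/sendMessage 128",
    "2024-01-01T10:02:40Z 10.0.0.5 POST https://api.telegram.org/bot123456789:AAExampleTokenXYZ/sendDocument 52428800",
]

BOT_PATH = re.compile(r"^/bot(?P<token>\d+:[A-Za-z0-9_-]+)/(?P<method>\w+)$")
# The method named in the report; other file-carrying methods can be added to this set.
UPLOAD_METHODS = {"sendDocument"}
MAX_UPLOAD = 50 * 1024 * 1024   # the 50 MB ceiling mentioned in the report (assumed to be MiB)


def parse_proxy_line(line):
    ts, client, method, url, nbytes = line.split()
    return {"ts": ts, "client": client, "method": method, "url": url, "bytes": int(nbytes)}


def redact_token(token):
    """Keep the numeric bot id (useful for correlation) and hide the secret part."""
    bot_id, _, secret = token.partition(":")
    return f"{bot_id}:{secret[:2]}...[redacted]"


def find_telegram_uploads(lines, max_upload=MAX_UPLOAD):
    """Return one finding per Bot API upload call seen in the log."""
    findings = []
    for line in lines:
        rec = parse_proxy_line(line)
        url = urlsplit(rec["url"])
        if url.hostname != "api.telegram.org":
            continue
        m = BOT_PATH.match(url.path)
        if not m or m.group("method") not in UPLOAD_METHODS:
            continue
        findings.append({
            "ts": rec["ts"],
            "client": rec["client"],
            "bot_id": m.group("token").split(":")[0],
            "token": redact_token(m.group("token")),
            "method": m.group("method"),
            "bytes": rec["bytes"],
            # A transfer right at the ceiling suggests a file that was cut to fit the limit.
            "at_limit": rec["bytes"] >= max_upload,
        })
    return findings


def summarise_by_bot(findings):
    """Aggregate upload volume per (client, bot id) so repeated sends are seen together."""
    totals = {}
    for f in findings:
        key = (f["client"], f["bot_id"])
        entry = totals.setdefault(key, {"calls": 0, "bytes": 0})
        entry["calls"] += 1
        entry["bytes"] += f["bytes"]
    return totals


if __name__ == "__main__":
    found = find_telegram_uploads(SAMPLE_PROXY_LOG)
    for f in found:
        print(f["ts"], f["client"], f["method"], f["token"], f["bytes"], "AT-LIMIT" if f["at_limit"] else "")
    for (client, bot_id), agg in summarise_by_bot(found).items():
        print(f"{client} -> bot {bot_id}: {agg['calls']} uploads, {agg['bytes']} bytes")
```

The sendMessage call from the second client is ignored because it carries no file; the two sendDocument calls from 10.0.0.5 are attributed to the same bot id and summed, and the second one is marked as sitting exactly at the 50 MB ceiling. Keeping the bot id while redacting the secret lets analysts correlate activity across hosts without copying a live credential into a ticket.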