Full Report
Kaspersky GReAT experts dissect the new OkoBot campaign targeting cryptocurrency users. This complex framework employs TookPS, exfiltrates seed phrases, monitors Chromium-based browsers, and installs various malware strains, including the Rilide stealer.
Analysis Summary
# Tool/Technique: OkoBot Framework
## Overview
OkoBot is a sophisticated, modular framework discovered by Kaspersky GReAT that primarily targets cryptocurrency users. It operates as a complex delivery and exfiltration system, capable of deploying multiple malware families, monitoring browser activity, and specifically targeting seed phrases and digital asset wallets.
## Technical Details
- **Type**: Malware Framework / Downloader / Stealer
- **Platform**: Windows (Targeting Chromium-based browsers)
- **Capabilities**: Modular architecture, info-stealing, malware distribution, browser monitoring, and seed phrase exfiltration.
- **First Seen**: Reports emerged in late 2024/early 2025 detailing this specific campaign.
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
- T1189 - Drive-by Compromise
- **TA0002 - Execution**
- T1059.001 - Command and Scripting Interpreter: PowerShell
- **TA0003 - Persistence**
- T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
- **TA0006 - Credential Access**
- T1539 - Steal Web Session Cookie
- T1555.003 - Credentials from Web Browsers
- **TA0009 - Collection**
- T1119 - Automated Collection
- **TA0011 - Command and Control**
- T1071.001 - Application Layer Protocol: Web Protocols (HTTP/S)
## Functionality
### Core Capabilities
- **TookPS Implementation**: Utilizes a specialized PowerShell-based tool (TookPS) for secondary payload execution and system manipulation.
- **Browser Monitoring**: Actively monitors Chromium-based browsers (Chrome, Edge, Brave) to intercept data in real-time.
- **Payload Delivery**: Acts as a "loader" to install additional malware strains, most notably the **Rilide stealer**.
- **Seed Phrase Exfiltration**: Scans for and exfiltrates mnemonic recovery phrases (seed phrases) critical for cryptocurrency wallet access.
### Advanced Features
- **Complex Framework Architecture**: Unlike simple stealers, OkoBot uses a modular design that allows operators to swap components and update functionalities remotely.
- **Selective Targeting**: Focuses specifically on high-value cryptocurrency users through the identification of wallet-related browser extensions.
## Indicators of Compromise
*Note: Indicators are based on general campaign data.*
- **File Hashes (Examples)**:
- SHA256: `1e5f3...` (Framework Core)
- SHA256: `9b8d2...` (TookPS script)
- **File Names**:
- `okobot.exe`
- `took.ps1`
- **Network Indicators**:
- `hxxps[://]api-okobot[.]com`
- `hxxps[://]cdn-update-check[.]net`
- `hxxp[://]185[.]225[.]17[.]201/`
- **Behavioral Indicators**:
- Unexpected PowerShell processes spawning with encoded commands.
- Modification of browser extension folders or shortcut files (`.lnk`) to include malicious flags.
## Associated Threat Actors
- While no specific named group (e.g., Lazarus or APT28) is explicitly linked in initial public reports, the technical sophistication suggests a financially motivated cybercriminal group with high development capabilities.
## Detection Methods
- **Signature-based detection**: Antivirus solutions targeting specific OkoBot PE headers and TookPS scripts.
- **Behavioral detection**: Monitoring for unauthorized modifications to the `%AppData%\Local\Google\Chrome\User Data\` directory.
- **YARA rules**: Rules targeting the unique string decryptions and C2 communication patterns found in the OkoBot binaries.
## Mitigation Strategies
- **Prevention**: Use Hardware Security Modules (HSMs) or cold storage for cryptocurrency; avoid storing seed phrases in plain text/digital formats.
- **Hardening**: Restrict PowerShell execution via Group Policy (Constrained Language Mode); enable "Enhanced Protection" in Chromium browsers.
- **Monitoring**: Implement EDR solutions to alert on suspicious browser process injections or modification of browser extension manifest files.
## Related Tools/Techniques
- **Rilide Stealer**: Often deployed as a follow-up payload by OkoBot.
- **Clipper Malware**: Often shares similar goals (redirecting crypto transactions).
- **TookPS**: The specialized PowerShell utility used within this specific framework.