Cybercrime Credential Stealing as an Attack Vector


Staff member
Malware Hunter
Jul 27, 2015
Article from 2016 by Bruce Schneier, but still very current and up to date in 2021, as I personally stumble regularly over samples that either combine the attack vector of credential stealing with others, or actually seem to do that solely. I'll include the referred video (also from 2016) with a talk from Rob Joyce, Chief, Tailored Access Operations, National Security Agency (NSA), who, whether one likes them or not, knows what he is talking about. The last link included is a deep analysis of a very pesky/nasty credential-stealing malware called Oski Stealer, which started to emerge in the news at the beginning of 2020. It has also recently been tested in the Hub here on MT.

Quote: "Traditional computer security concerns itself with vulnerabilities. We employ antivirus software to detect malware that exploits vulnerabilities. We have automatic patching systems to fix vulnerabilities. We debate whether the FBI should be permitted to introduce vulnerabilities in our software so it can get access to systems with a warrant. This is all important, but what’s missing is a recognition that software vulnerabilities aren’t the most common attack vector: credential stealing is.

The most common way hackers of all stripes, from criminals to hacktivists to foreign governments, break into networks is by stealing and using a valid credential. Basically, they steal passwords, set up man-in-the-middle attacks to piggy-back on legitimate logins, or engage in cleverer attacks to masquerade as authorized users. It’s a more effective avenue of attack in many ways: it doesn’t involve finding a zero-day or unpatched vulnerability, there’s less chance of discovery, and it gives the attacker more flexibility in technique. Rob Joyce, the head of the NSA’s Tailored Access Operations (TAO) group — basically the country’s chief hacker — gave a rare public talk at a conference in January. In essence, he said that zero-day vulnerabilities are overrated, and credential stealing is how he gets into networks: “A lot of people think that nation states are running their operations on zero days, but it’s not that common. For big corporate networks, persistence and focus will get you in without a zero day; there are so many more vectors that are easier, less risky, and more productive.”

This is true for us, and it’s also true for those attacking us. It’s how the Chinese hackers breached the Office of Personnel Management in 2015. The 2014 criminal attack against Target Corporation started when hackers stole the login credentials of the company’s HVAC vendor. Iranian hackers stole US login credentials. And the hacktivist that broke into the cyber-arms manufacturer Hacking Team and published pretty much every proprietary document from that company used stolen credentials."

Full source:

Oski steals confidential and sensitive data from ~60 different applications, including browsers, email clients, and crypto wallets. Among its stealing features, it can also function as a Grabber and Loader. Before stealing credentials from different applications, Oski sets up its “working environment.” However, in order to steal data by different methods from different applications, Oski has to download several DLLs.
Oski also steals wallets and confidential files that are related to crypto wallet applications.
Oski also has a recursive grabber that collects particular files from the victim’s computer. The module is configurable, allowing the attacker to decide whether to enable this module and if so, which files to collect from the user.
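To make the "configurable recursive grabber" concrete from the defender's side, here is an added Python example (not Oski's code and not from the analysis linked above): it takes a grabber-style configuration (filename masks, a size ceiling, a recursion depth limit, directories to skip) and walks a directory tree the way such a module would, reporting what would be collected. Run against a user profile it tells you what a stealer with that config would have exfiltrated. The configuration values, the sample directory layout and the file names in it are constructed for the demonstration and are assumptions, not Oski's real masks or paths.

```python
import fnmatch
import os
import shutil
import tempfile
from dataclasses import dataclass, field
from pathlib import Path


@dataclass
class GrabberConfig:
    """Knobs an operator typically exposes on a file grabber (assumed shape, not Oski's format)."""
    patterns: list                 # case-insensitive filename masks, e.g. "*wallet*"
    max_size: int                  # skip files larger than this many bytes
    max_depth: int                 # do not descend into directories nested deeper than this
    skip_dirs: set = field(default_factory=lambda: {"node_modules", ".git"})


def audit_grabber_exposure(root, cfg):
    """Return sorted, root-relative paths that a grabber configured with cfg would collect."""
    root = Path(root)
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        depth = len(Path(dirpath).relative_to(root).parts)
        # os.walk honours in-place edits of dirnames, so pruning here stops descent
        if depth >= cfg.max_depth:
            dirnames[:] = []
        dirnames[:] = [d for d in dirnames if d not in cfg.skip_dirs]
        for name in filenames:
            if not any(fnmatch.fnmatch(name.lower(), p.lower()) for p in cfg.patterns):
                continue
            full = Path(dirpath) / name
            if full.stat().st_size > cfg.max_size:
                continue
            hits.append(str(full.relative_to(root)).replace(os.sep, "/"))
    return sorted(hits)


def build_sample_tree():
    """Constructed sample profile tree (fake contents, invented names) used to drive the demo."""
    base = Path(tempfile.mkdtemp(prefix="grabber_audit_"))
    files = {
        "Desktop/passwords.txt": b"not real",
        "Desktop/notes.txt": b"groceries",                       # no mask matches
        "Documents/seed phrase.txt": b"twelve words",
        "Documents/a/b/c/d/keys.txt": b"x",                      # deeper than max_depth
        "AppData/Roaming/Exodus/seed.seco": b"\x00" * 10,        # assumed wallet-style path
        "Downloads/big_wallet.dat": b"\x00" * 2_000_000,         # over the size ceiling
        "node_modules/pkg/wallet.dat": b"lib",                   # lives in a skipped directory
    }
    for rel, data in files.items():
        p = base / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    return base


def run_demo():
    """Build the sample tree, audit it with an assumed config, clean up, return the hit list."""
    cfg = GrabberConfig(patterns=["*pass*", "*seed*", "*wallet*", "*.kdbx"],
                        max_size=1_000_000, max_depth=4)
    base = build_sample_tree()
    try:
        return audit_grabber_exposure(base, cfg)
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    for path in run_demo():
        print("would be grabbed:", path)
```

The three knobs explain the behaviour the analysis describes: the masks decide which files are interesting, the size ceiling keeps exfiltration traffic small, and the depth limit plus skip list keep the walk fast and away from noisy trees. Pointing the audit at a real profile directory with masks you expect criminals to use is a cheap way to see which plaintext secrets are sitting where a grabber would find them.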