OkoBot: A New Multi-Payload Framework Targeting Crypto Wallets and Sensitive Data
A sophisticated new malicious framework, dubbed **OkoBot**, is actively deploying over 20 distinct payloads in a widespread campaign to steal cryptocurrency wallet seed phrases, credentials, and other sensitive user data. This evolving threat, which has been active for over a year, leverages social engineering tactics and sophisticated infection chains to compromise victims globally.
A new and highly potent malicious framework named **OkoBot** has emerged, deploying a diverse arsenal of over 20 payloads to compromise systems and exfiltrate sensitive data, with a particular focus on cryptocurrency wallet seed phrases and user credentials.
### Infection Vectors: From ClickFix to Malicious Repositories
**OkoBot** primarily reaches its victims through **ClickFix** attacks or by masquerading as legitimate software on malicious **GitHub** repositories. A notable instance involved a repository falsely claiming to offer **SQL Server Management Studio (SSMS)**, instead delivering a trojanized version of the **Audacity** audio editing tool.
### Evolution of a Threat: From TookPS to OkoBot
Cybersecurity researchers at **Kaspersky** have been tracking the **OkoBot** campaign for over a year, identifying its evolution from activities previously associated with the malicious **PowerShell** script, **TookPS**. The infection chain has undergone significant transformation, now incorporating multiple stages. **TookPS** is utilized in the initial phase to install and configure an **SSH bot**, which then facilitates the delivery of subsequent malicious components.

*Source: Kaspersky*
### The SSH Bot: Reconnaissance and Initial Data Theft
The **SSH bot** plays a crucial role in the initial compromise, collecting vital system details such including usernames, installed antivirus software, **IP** addresses, and operating system versions. It also actively disables **Windows Defender** notifications, harvests cryptocurrency wallet files, browser cookies, and account credentials.
### OkoBot's Diverse Payload Modules
Among the more than 20 modules employed by **OkoBot**, several stand out for their targeted functionalities:
* **ext daemon/extl.exe**: This module injects into **Chrome** browsers to silently install and conceal malicious extensions like **Rilide**, which is known for targeting credentials, cookies, financial information, and cryptocurrency-related data.
* **SeedHunter**: Designed specifically for cryptocurrency users, **SeedHunter** injects into popular wallet interfaces such as **Trezor Suite**, **Ledger Wallet**, and **Ledger Live**. It displays a convincing, but fake, seed-recovery screen to trick victims into revealing their crucial wallet recovery phrases.
* **MC Keylogger**: This module records keystrokes and clipboard activity, capturing copied text, images, and file paths. It can also monitor for **USB** connections and take screenshots at five-minute intervals.
* **OkoSpyware**: This sophisticated spyware monitors over 100 programs, including various cryptocurrency wallets and password managers. It leverages **FFmpeg** to record video of active application windows and simultaneously captures keystrokes.
It's critical for users to understand that a wallet recovery phrase grants complete access to cryptocurrency assets. Once compromised, funds can be transferred to attacker-controlled wallets with virtually no chance of recovery.

*Source: Kaspersky*
### Global Reach with a Geopolitical Twist
**Kaspersky's** telemetry indicates that the majority of **OkoBot** victims are concentrated in Brazil, followed by Vietnam, Canada, Mexico, and Turkey, underscoring the campaign's global reach. While **Kaspersky** has not formally attributed the campaign to a specific threat actor, researchers observed a significant detail: access to the servers hosting the initial **PowerShell** scripts is geoblocked. Payloads are not delivered to **IP** addresses originating from Russia or the Commonwealth of Independent States (**CIS**), with the server returning an empty response.
Further evidence suggesting a Russian-speaking threat actor includes Russian comments found within the source code of the **SeedHunter** module and the use of an infostealer actively promoted on invitation-only Russian cybercrime forums.
**Kaspersky's** comprehensive report provides a detailed set of indicators of compromise (**IoCs**), including hashes for malicious plugins, injector payloads, **SSH bot** utilities, file paths, domains, and **IP** addresses, crucial for security professionals to identify and mitigate this threat.