The credentials stealer Ovidiy is sold in individual modules, each one built to target a different application, including FileZilla, Google Chrome, Kometa, Amigo, Torch, Orbitum, and Opera.
The credentials stealer Ovidiy is sold in individual modules, each one built to target a different application, including FileZilla, Google Chrome, Kometa, Amigo, Torch, Orbitum, and Opera.

"Ovidiy," a recently discovered credentials stealing malware that targets primarily browsers, is being marketed primarily to Russian speakers at the very affordable price of approximately $7-$13 (or 450-750 rubles) per individual build.

In a Thursday blog post detailing the malware, Proofpoint said that Ovidiy has been under "constant development" since its researchers first observed it in June. The customizable credentials stealer is sold in individual modules, each one built to target a different application, including FileZilla, Google Chrome, Kometa, Amigo, Torch, Orbitum, and Opera.

"...The fewer the modules selected, the smaller the malware payload size. Buyers can select as few as a single module, for example just Google Chrome,” Proofpoint explains in its blog.

Proofpoint theorized that the malware spreads via email in the form of executable attachments (some compressed) and malicious links, and likely also as fake software or tools offered on various file hosting, cracking, and keygen sites. Such fake tools include game lures, hack tool lures and social networking lures.

Authored by a coder with the alias "TheBottle," Ovidiy is written in .NET and relies on encryption and packing techniques to counter analysis and detection, Proofpoint notes. While its price is certainly agreeable, the malware is not especially sophisticated. For instance, there are no persistence mechanisms, so the malware will not run after a reboot, although it does remain on the machine.

Ovidiy uses SSL/TSL for communication with the C&C server, which is hosted on a Russian domain -- the same domain used to market and sell the credentials stealer. Buyers of this malware also have the convenience of an admin panel that provides helpful statistics on infected machines, among other features.

Proofpoint warned that antivirus solutions that rely solely on heuristic analysis may detect Ovidiy, but their response may be insufficient, consisting of generic alerts and log entries that do not convey the true gravity of the threat to security analysts.

"While it is not the most advanced stealer we have seen, marketing and an entry-level price scheme make it attractive and accessible to many would-be criminals," Proofpoint states in the blog post. "Ovidiy Stealer is lightweight and simple enough to work with relative ease, allowing for simple and efficient credential exfiltration. A lightweight, easy-to-use, and effective product coupled with frequent updates and a stable support system give Ovidiy Stealer the potential to become a much more widespread threat."