Bargain-basement credential-stealing malware picks on browsers

"Ovidiy," a recently discovered credential-stealing malware that primarily targets browsers, is being marketed mainly to Russian speakers at the very affordable price of approximately $7-$13 (450-750 rubles) per individual build.

In a Thursday blog post detailing the malware, Proofpoint said that Ovidiy has been under "constant development" since its researchers first observed it in June. The customizable credential stealer is sold in individual modules, each one built to target a different application: the FTP client FileZilla and the browsers Google Chrome, Kometa, Amigo, Torch, Orbitum, and Opera.

"...The fewer the modules selected, the smaller the malware payload size. Buyers can select as few as a single module, for example just Google Chrome," Proofpoint explains in its blog.

Proofpoint theorized that the malware spreads via email, in the form of executable attachments (some compressed) and malicious links, and likely also as fake software or tools offered on various file-hosting, cracking, and keygen sites. Such fake tools include game lures, hack-tool lures, and social-networking lures.

Authored by a coder using the alias "TheBottle," Ovidiy is written in .NET and relies on encryption and packing techniques to counter analysis and detection, Proofpoint notes. While its price is certainly agreeable, the malware is not especially sophisticated. For instance, it has no persistence mechanism, so it will not run again after a reboot, although the dropped executable remains on disk. Responders should therefore look for the file itself rather than relying on autorun locations alone to confirm an infection.

Ovidiy uses SSL/TLS for communication with its command-and-control (C&C) server, which is hosted on a Russian domain, the same domain used to market and sell the credential stealer. Buyers of the malware also get an admin panel that provides statistics on infected machines, among other features.

Proofpoint warned that antivirus products relying solely on heuristic analysis may detect Ovidiy, but their response may be insufficient: generic alerts and log entries that do not convey the true gravity of the threat to security analysts.

"While it is not the most advanced stealer we have seen, marketing and an entry-level price scheme make it attractive and accessible to many would-be criminals," Proofpoint states in the blog post. "Ovidiy Stealer is lightweight and simple enough to work with relative ease, allowing for simple and efficient credential exfiltration. A lightweight, easy-to-use, and effective product coupled with frequent updates and a stable support system give Ovidiy Stealer the potential to become a much more widespread threat."

Bradley Barth

As director of community content at CyberRisk Alliance, Bradley Barth develops content for SC Media online conferences and events, as well as video/multimedia projects. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.