
Ovidiy Stealer is Cheap Malware for Hackers Looking to Steal Login Credentials

What can you do if you have about $7 to spend? You can purchase a useful apple slicer. Alternatively, you can treat yourself to some novelty toilet paper (if you think that 'novelty' toilet paper is or should be a thing, that is). But what if you want to be a super cool black hat hacker, but you lack the technical skills and have no more than $7 to spend? Well, you're in luck, because the Ovidiy credential stealer is sold on a Russian website for between 450 and 750 Russian rubles (around $7.60 to $12.70 at the time of writing).

Unfortunately, malware being sold to hackers for only $7 is not a joke. The malware really is sold for peanuts, and as Proofpoint's research shows, it can really steal usernames and passwords.

The "you get what you pay for" rule suggests that Ovidiy shouldn't be the most sophisticated malware family around, and indeed, it isn't. The malware is written in .NET, and although most of the samples are packed with .NET Reactor or Confuser, a significant number of the more popular security products have no problem detecting it.

The experts noted that the payloads are mostly distributed in executable format, and they arrive either as attachments or as links inside spam emails. Sometimes, the stealer is disguised as cracking tools that let people use paid software for free, and in other cases, it pretends to be a LiteBitcoin wallet. Proofpoint's researchers have also seen it bundled with other malware.

There's nothing too advanced about the distribution methods, and the same can be said about the malware's functionality. There isn't even a persistence mechanism, which means that after a reboot, Ovidiy won't run again unless the victim launches it manually. The amount of information that can be stolen is somewhat limited as well.

Programs that Ovidiy checks for and steals login credentials from:

  • Amigo browser
  • FileZilla
  • Google Chrome
  • Kometa browser
  • Opera
  • Orbitum browser
  • Torch browser

As you can see, Internet Explorer, Edge, and Firefox, three of the most popular browsers in the world, are absent from the list for some reason. That said, if you happen to use one of the programs on the list above, and a lot of people do, you can have your login credentials compromised.
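As an added illustration of why a client like FileZilla ends up on that list (this is example code written for this page, not code from the original article, from Proofpoint, or from the malware), the script below parses FileZilla's Site Manager file and reports which saved sites carry a stored password. FileZilla writes those entries to sitemanager.xml, with the password either in plain text (older releases) or base64-encoded in a `<Pass encoding="base64">` element; neither form is encrypted, so any process running as the logged-in user, a stealer included, can read them back. The sample file embedded below is constructed for the example.

```python
"""Audit a FileZilla 3 sitemanager.xml for stored passwords.

FileZilla keeps Site Manager entries in sitemanager.xml (on Windows under
%APPDATA%\\FileZilla\\). Passwords saved there are either plain text (older
releases) or base64-encoded (a <Pass encoding="base64"> element); neither
form is encrypted, which is why a stealer only needs to read the file.
"""
import base64
import xml.etree.ElementTree as ET

# Constructed sample in the FileZilla 3 sitemanager.xml layout; it was not
# captured from a real host. "aHVudGVyMg==" is base64 for "hunter2".
SAMPLE_SITEMANAGER = """<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3 version="3.25.1" platform="windows">
  <Servers>
    <Server>
      <Host>ftp.example.com</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <Type>0</Type>
      <User>deploy</User>
      <Pass encoding="base64">aHVudGVyMg==</Pass>
      <Logontype>1</Logontype>
      <Name>Production web server</Name>
    </Server>
    <Server>
      <Host>sftp.example.net</Host>
      <Port>22</Port>
      <Protocol>1</Protocol>
      <User>backup</User>
      <Logontype>3</Logontype>
      <Name>Backup host (prompts for password)</Name>
    </Server>
  </Servers>
</FileZilla3>
"""


def _decode_pass(pass_elem):
    """Return the clear-text password held by a <Pass> element."""
    text = pass_elem.text or ""
    if pass_elem.get("encoding") == "base64":
        return base64.b64decode(text).decode("utf-8")
    # Older FileZilla releases wrote the password as plain text, without
    # an encoding attribute.
    return text


def extract_filezilla_credentials(xml_text):
    """Parse sitemanager.xml text and return one dict per saved site.

    'password' is None when the site has no stored password (FileZilla
    prompts for it instead). Sites nested inside <Folder> elements are
    included because iter() walks the whole tree.
    """
    root = ET.fromstring(xml_text)
    entries = []
    for server in root.iter("Server"):
        pass_elem = server.find("Pass")
        entries.append({
            "name": (server.findtext("Name") or "").strip(),
            "host": (server.findtext("Host") or "").strip(),
            "port": int(server.findtext("Port") or 0),
            "user": (server.findtext("User") or "").strip(),
            "password": _decode_pass(pass_elem) if pass_elem is not None else None,
        })
    return entries


def sites_with_stored_passwords(entries):
    """Only the entries a stealer would actually get a password from."""
    return [e for e in entries if e["password"] is not None]


def audit_lines(entries):
    """Human-readable report; the password itself is never included."""
    lines = []
    for e in entries:
        if e["password"] is not None:
            status = "STORED (readable by any process running as this user)"
        else:
            status = "not stored (prompted at connect time)"
        label = e["name"] or e["host"]
        lines.append(f"{label}: {e['user']}@{e['host']}:{e['port']} password {status}")
    return lines


if __name__ == "__main__":
    import sys
    # Pass a path to audit a real file; otherwise the constructed sample runs.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_SITEMANAGER
    for line in audit_lines(extract_filezilla_credentials(text)):
        print(line)
```

Run it against `%APPDATA%\FileZilla\sitemanager.xml` on a Windows machine to see how many of your own saved sites would be handed to a stealer in one file read; the fix is to stop saving passwords in the Site Manager (or use a password-protected build of FileZilla where available), since any obfuscation the file applies is reversible by design.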

Despite its rock bottom pricing, Ovidiy does provide the would-be cybercriminals with some handy options. The crooks can, for example, decide that they want to collect usernames and passwords from Chrome only and disable the modules for the rest of the programs. This decreases the payload size and makes it harder to spot.

There are other surprises. The malware's authors decided to market their password stealer through a website called ovidiystealer[.]ru, and it must be said that the whole thing looks rather professional. There are testimonials and information on the upcoming updates, and once people buy the malware, they can get support as well as statistics from a well-designed panel. Payments are processed through RoboKassa, the Russian equivalent of PayPal, which means that the headache-inducing task of buying Bitcoins is bypassed. All in all, the authors did put some effort into making their clients feel good.

Thankfully, however, at the moment, neither the authors nor their customers feel good. After Proofpoint published their research, the ovidiystealer[.]ru website was taken down. The same domain acts as the Command and Control (C&C) server in the samples Proofpoint analyzed, which means that the people who have been deploying it over the last month or so can no longer receive what their infections collect. Credentials that were exfiltrated before the takedown, of course, remain in the crooks' hands, so anyone who ran one of these samples should treat the passwords saved in the programs listed above as compromised and change them.

The operation is halted for now, but there's little to stop the malware's authors from setting up another C&C server/promotional website and selling the malware again. If they decide to ditch the project, it will serve as a good reminder of how easy it is to commit cybercrime in this day and age.
