Researchers at Proofpoint recently discovered a mass-marketed malware called Ovidiy stealer, whose main purpose is to steal passwords from victims. It is the first of its kind, as it is being sold online at a low price of between $7 and $13.
A simple yet threatening malware
It is uncommon for malware to be sold at a price so low that it is within easy reach of would-be criminals who are just starting out in cyber crime. However, Ovidiy seems to have changed all of that.
According to Proofpoint researchers, the malware is essentially a password stealer that was available on the product’s official website, ovidiystealer[.]ru. Like any other consumer product website, it features customer reviews, statistics on the sales and efficacy of the product, and much more.
The website also advertises strong customer support and provides updates on future releases of the product. Furthermore, to make things easier, the website allows customers to pay using RoboKassa (a Russian platform for online money transfer), which is similar to PayPal. Customers can use their credit cards to make payments.
A closer look at the malware
Ovidiy is currently being sold in the Russian market and has a number of versions. Research shows that the malware entered the scene last month, in June. As of now, the researchers have detected versions 1.0.1 to 1.0.5.
The malware is written in .NET, and the executable files are encrypted, making further analysis and investigation difficult. Furthermore, the author of the malware goes by the name of “TheBottle.”
It is being marketed in different modules, with each module affecting a specific internet browser. Currently, the browsers which the malware modules affect include Google Chrome, FileZilla, Kometa, Amigo, Torch, Orbitum, and Opera. Customers can buy as little as a single module.
How does it work?
The malware is being distributed as email attachments, downloadable links, software, game applications and as a hacking tool. It is being distributed through websites that offer file hosting and keygens.
Once the attachment or the infected file has been executed, the malware will be stored in the victim’s directory and will perform its commands from the directory. The malware connects to its command-and-control center over an SSL/TLS connection and uses the same domain as the website.
Furthermore, although the malware is detectable by antivirus software, it is marked with only a heuristic detection, which means that security analysts may disregard the significance of the malware despite noting the odd behavior.
It also means that corporate networks may raise alerts, but since the malware has not been specifically identified, no action might be taken.
Quite surprisingly though, the researchers state that the malware does not come with a persistence mechanism. Essentially, it will stop working once the computer is rebooted.
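One way to keep a heuristic-only alert from being dismissed is to correlate it with outbound TLS traffic to the command-and-control domain named above. The following is an added example, not Proofpoint's or the article's code; the log formats, host names, timestamps, the `HEUR` name prefix and the 30-minute window are assumptions, and all sample lines are constructed.

```python
from datetime import datetime, timedelta

# Indicator as published on the page (defanged); refanged only for matching.
C2_DOMAIN = "ovidiystealer[.]ru".replace("[.]", ".")
WINDOW = timedelta(minutes=30)  # assumed correlation window

# Constructed sample AV alerts: "timestamp host detection_name"
AV_ALERTS = """\
2017-07-14T09:02:11 WS-014 HEUR:Trojan.MSIL.Generic
2017-07-14T09:40:00 WS-022 HEUR:Trojan.MSIL.Generic
2017-07-14T10:15:30 WS-031 HEUR:Trojan.MSIL.Generic
2017-07-14T11:00:00 WS-040 Adware.Toolbar.X
"""
# Constructed sample TLS/proxy log: "timestamp host tls_sni"
TLS_LOG = """\
2017-07-14T09:03:02 WS-014 OvidiyStealer.ru.
2017-07-14T09:41:10 WS-022 ovidiystealer.ru.example.com
2017-07-14T10:16:00 WS-031 sub.ovidiystealer.ru
2017-07-14T13:00:00 WS-022 ovidiystealer.ru
"""

def is_c2(sni):
    """Match the domain or any subdomain; never a bare substring."""
    name = sni.lower().rstrip(".")
    return name == C2_DOMAIN or name.endswith("." + C2_DOMAIN)

def parse(text):
    """Yield (timestamp, host, value) from whitespace-separated lines."""
    for line in text.splitlines():
        ts, host, value = line.split(maxsplit=2)
        yield datetime.fromisoformat(ts), host, value

def escalate(av_text, tls_text):
    """Hosts with a heuristic alert AND C2 TLS traffic within WINDOW."""
    c2_hits = [(ts, host) for ts, host, sni in parse(tls_text) if is_c2(sni)]
    flagged = set()
    for ts, host, name in parse(av_text):
        if not name.upper().startswith("HEUR"):
            continue  # signature-based alerts follow normal triage
        if any(h == host and abs(t - ts) <= WINDOW for t, h in c2_hits):
            flagged.add(host)
    return sorted(flagged)

if __name__ == "__main__":
    print(escalate(AV_ALERTS, TLS_LOG))
```

WS-022 is not escalated: its first connection is to a lookalike name that only contains the indicator, and its real match falls outside the window.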
Innovation in the malware marketplace
Proofpoint points out the way in which the malware market is innovating, making it ever harder for companies to upgrade their security systems in order to prevent the threats.
Indeed, with the release of Ovidiy, anyone can easily hack into a computer and steal valuable information. With the increase in dark web marketplaces where stolen credentials can be cashed in for immediate profits, the market for such malware looks highly promising to criminals who want a quick return on investment.