
Ovidiy Stealer a cheap and efficient infostealer offered for sale

A new infostealer dubbed Ovidiy Stealer is being offered for sale by a Russian-speaking malware developer who goes by the moniker “TheBottle.”

TheBottle has advertised the malware on various cybercrime forums.

Ovidiy Stealer was first spotted in June 2017. According to researchers at security firm Proofpoint, the malware is under active development and is gaining popularity in the cybercriminal underground.

“Proofpoint threat researchers recently analyzed Ovidiy Stealer, a previously undocumented credential stealer which appears to be marketed primarily in the Russian-speaking regions. It is under constant development, with several updated versions appearing since the original samples were observed in June 2017. The growing number of samples demonstrate that criminals are actively adopting this malware.” states the analysis published by Proofpoint.


The infostealer is offered for sale on a Russian website for 450-750 Rubles ($7-$13). According to the researchers, the low price reflects the fact that the malware is less capable than other malicious code available on the market.

Proofpoint observed Ovidiy Stealer being spread via email as executable attachments, compressed (archived) executable attachments, and links to executable downloads.

“It is also likely spread via file hosting / cracking / keygen sites, where it poses as other software or tools. In several cases, we observed the Ovidiy Stealer bundled with a “LiteBitcoin” installer, further validating this claim.” continues the analysis.
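The three delivery vectors Proofpoint describes (a bare executable, an executable inside a compressed attachment, and a link to an executable download) are exactly what a mail-gateway triage check can look for. The script below is an added example written for this page, not Proofpoint's tooling or anything from the malware author; the sample message it builds is constructed here, and the fake "PE" is just an MZ header followed by padding. It uses only the Python standard library, so it runs offline.

```python
"""Triage a raw RFC 822 message for the three delivery vectors named above.

Added example, not code from the original article or from Proofpoint. The
sample message is constructed inside build_sample_message().
"""
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Windows PE files begin with the "MZ" DOS header; ZIP archives with "PK\x03\x04".
PE_MAGIC = b"MZ"
ZIP_MAGIC = b"PK\x03\x04"
# Extensions that Windows will execute directly when double-clicked.
EXEC_EXTS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")
# Links whose target path ends in one of those extensions.
EXEC_URL_RE = re.compile(r"https?://[^\s\"'<>]+?\.(?:exe|scr|com|pif|bat|cmd)\b", re.I)


def _looks_like_pe(data: bytes) -> bool:
    """Magic-byte check; do not trust the filename alone."""
    return data[:2] == PE_MAGIC


def _zip_members_that_are_pe(data: bytes):
    """Yield names of ZIP members whose content starts with the PE magic."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                # Only the first two bytes are needed; a real gateway would
                # also cap member size to avoid decompression bombs.
                with zf.open(info) as fh:
                    if fh.read(2) == PE_MAGIC:
                        yield info.filename
    except zipfile.BadZipFile:
        return


def triage_message(raw: bytes) -> list[tuple[str, str]]:
    """Return (vector, detail) findings for one raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings: list[tuple[str, str]] = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if filename:
            payload = part.get_payload(decode=True) or b""
            if _looks_like_pe(payload) or filename.lower().endswith(EXEC_EXTS):
                findings.append(("executable_attachment", filename))
            elif payload[:4] == ZIP_MAGIC:
                for member in _zip_members_that_are_pe(payload):
                    findings.append(("compressed_executable", f"{filename}:{member}"))
        elif part.get_content_type() in ("text/plain", "text/html"):
            # Body text: look for direct links to executables.
            for url in EXEC_URL_RE.findall(part.get_content()):
                findings.append(("executable_link", url))
    return findings


def build_sample_message() -> bytes:
    """Constructed sample carrying all three vectors (not a real Ovidiy lure)."""
    fake_pe = PE_MAGIC + b"\x90" * 62  # only the header matters to the triage
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice/Invoice_2017.exe", fake_pe)
    msg = EmailMessage()
    msg["From"] = "sender@example.test"      # hypothetical addresses
    msg["To"] = "victim@example.test"
    msg["Subject"] = "Invoice"
    msg.set_content("See attachment or http://example.test/files/Invoice.exe")
    msg.add_attachment(fake_pe, maintype="application",
                       subtype="octet-stream", filename="Invoice.scr")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="Invoice.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for vector, detail in triage_message(build_sample_message()):
        print(f"{vector}: {detail}")
```

The check keys on content (the MZ header) rather than only on the declared filename, because a lure can rename `Invoice.exe` to something innocuous; the extension list is a second, weaker signal. Password-protected archives, which Ovidiy-style campaigns can also use, would show up as a `BadZipFile` or an unreadable member and need separate handling.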

The experts note that Ovidiy Stealer is not complex: it does not establish persistence across reboots and currently implements only a few features.

It can collect and steal information from many popular applications, including:

  • FileZilla
  • Google Chrome
  • Kometa browser
  • Amigo browser
  • Torch browser
  • Orbitum browser
  • Opera browser

Once the malware has siphoned information from a victim, it sends it back to a web control panel that all subscribers use to access their stolen data. The panel is hosted on the same server as the sales website, at ovidiystealer.ru, an operational choice that shows the author's lack of experience.

Another of TheBottle's mistakes is the use of RoboKassa for payments, a PayPal-like payment processor based in Russia that does not guarantee its users' anonymity.

“Ovidiy Stealer is a new password stealer that entered the criminal ranks barely one month ago. While it is not the most advanced stealer we have seen, marketing and an entry-level price scheme make it attractive and accessible to many would-be criminals. Ovidiy Stealer is lightweight and simple enough to work with relative ease, allowing for simple and efficient credential exfiltration. A lightweight, easy-to-use, and effective product coupled with frequent updates and a stable support system give Ovidiy Stealer the potential to become a much more widespread threat,” concluded Proofpoint.


Pierluigi Paganini 

(Security Affairs – infostealer, cyber criminal underground)
