Security Alert
Jonathan Crowe
Jul 2017

New "Ovidiy Stealer" Malware Makes Credential Theft Cheap and Easy

Photo by Ibrahim Boran

A new black market tool is making it simple for criminals to add a credential theft component to their cyber attacks. Watch Barkly stop it in action.

Key Details

  • What it is: Ovidiy Stealer is a new lightweight, easy-to-use credential stealer primarily targeting passwords stored in browsers.
  • Cybercrime made simple: While not very advanced, it's being supported with slick UI, including a management panel that makes using the tool and tracking results worrisomely easy.
  • Credential theft commoditized: To help it stand out in a crowded black market, Ovidiy Stealer is being sold for as little as $7 and being promoted with customer testimonials.
  • Barkly blocks Ovidiy Stealer automatically

    Despite each sample arriving on systems crypted to avoid analysis and detection, Barkly blocks this malware before it has any chance to exfiltrate credentials.


Watch Barkly block Ovidiy Stealer before it can harvest any credentials.

Barkly protects your endpoints from new malware like Ovidiy Stealer automatically.
See how it works

Ovidiy Stealer is lightweight, effective, and quickly gaining traction

A new credential-stealing malware package called Ovidiy Stealer is being actively marketed to entry-level cyber criminals as a low-cost, easy-to-manage hacking tool, complete with a management panel and support.

First spotted in June 2017, Ovidiy Stealer has already spread quickly from Russian-speaking countries to other parts of the world, and researchers believe it has the potential to become a significant, widespread threat.

New versions of the tool are being released regularly, indicating its launch may just be ramping up. The growing number of samples is making detecting the malware with traditional signature-based security difficult, as is the active use of cryptors. 

The good news is Barkly blocks samples of Ovidiy Stealer automatically, before the malware has a chance to steal any passwords.

How Ovidiy Stealer works

Researchers at Proofpoint have indicated Ovidiy Stealer is being distributed via malicious email attachments and links as well as via bundling with other suspect software and tools (ex: "LiteBitcoin").

Once installed on an infected device, Ovidiy Stealer targets a variety of applications in an attempt to locate and steal stored credentials.


Ovidiy Stealer searches for stored login data for targeted browsers. Source: Proofpoint

Criminals can customize how many applications the malware will target, selecting as few as one of the following:

  • FileZilla
  • Google Chrome
  • Opera browser
  • Kometa browser
  • Amigo browser
  • Torch browser
  • Orbitum browser

Once it's grabbed any stored credentials, it then exfiltrates them, utilizing SSL/TLS for communication with its command and control (C&C) server.  
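From the defender's side, the behavior described above (a process that is not the browser or FTP client opening the application's saved-credential file) is something endpoint file-access telemetry can flag. The following detector is an added example, not Barkly's or Proofpoint's code; it assumes "timestamp|process|path" log records, the usual Windows locations of the Chrome, Opera and FileZilla credential stores, and that the Chromium forks named in the alert keep a Chrome-style "Login Data" file under their own "User Data" directory.

```python
import re

# Added example (not Barkly's or Proofpoint's code): flag credential-store
# reads by processes other than the store's own application.
# Assumption: log records look like "timestamp|process|path".

# Executables that legitimately open their own credential stores.
OWNER_PROCESSES = {"chrome.exe", "opera.exe", "kometa.exe", "amigo.exe",
                   "torch.exe", "orbitum.exe", "filezilla.exe"}

# Credential-store locations (case-insensitive). Chrome and the Chromium
# forks named in the alert keep saved passwords in an SQLite file called
# "Login Data" under a "User Data\<profile>" directory (assumed for the
# forks); Opera uses "Opera Software\<profile>"; FileZilla stores site
# logins in XML.
STORE_PATTERNS = [
    re.compile(r"\\user data\\[^\\]+\\login data$", re.I),
    re.compile(r"\\opera software\\[^\\]+\\login data$", re.I),
    re.compile(r"\\filezilla\\(sitemanager|recentservers)\.xml$", re.I),
]

def is_credential_store(path):
    return any(p.search(path) for p in STORE_PATTERNS)

def find_suspicious_reads(log_lines):
    """Return (timestamp, process, path) for each credential-store read
    made by a process that is not the store's owning application."""
    hits = []
    for line in log_lines:
        if not line.strip():
            continue
        ts, proc, path = line.strip().split("|", 2)
        if is_credential_store(path) and proc.lower() not in OWNER_PROCESSES:
            hits.append((ts, proc, path))
    return hits

# Constructed sample log: one legitimate Chrome read, two reads by an
# unrelated process, one unrelated file.
SAMPLE_LOG = [
    r"2017-07-10T09:01:02|chrome.exe|C:\Users\a\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"2017-07-10T09:01:05|svchost_update.exe|C:\Users\a\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"2017-07-10T09:01:06|svchost_update.exe|C:\Users\a\AppData\Roaming\FileZilla\sitemanager.xml",
    r"2017-07-10T09:01:07|notepad.exe|C:\Users\a\Documents\notes.txt",
]

if __name__ == "__main__":
    for hit in find_suspicious_reads(SAMPLE_LOG):
        print("ALERT credential-store read:", *hit)
```

On the constructed sample, only the two reads by the unrelated process are reported; the browser's own access to its store is ignored. The owner list is a starting allow-list, so a real deployment would also want to check process image paths and signatures rather than names alone.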

Credential theft commoditized: Ovidiy Stealer's marketing and support


Ovidiy Stealer website. Source: Proofpoint

In addition to the malware itself, the developers behind Ovidiy Stealer have also invested in a UI for the tool, perhaps in an attempt to make it stand out in an otherwise crowded and hyper-competitive malware marketplace.

Prospective customers can buy the credential stealer for as little as $7 USD. Those who visit the Ovidiy Stealer domain are presented with several selling points, including:

  • screen shots of the tool's web panel (which allows attackers to track infected machines)
  • a variety of payment options (including RoboKassa, the Russian equivalent of PayPal)
  • customer testimonials from satisfied criminals


Ovidiy Stealer customer testimonials. Bottom review translated: "I only need the stealer for burglary on order. I explain what it is: I accept an order for the hijacking of a certain person's account. After I work with him and install the stealer. That's all, for one order I get 300-500 rubles. Without this project it would be impossible! Thank you!" Source: Proofpoint

This type of marketing and commoditization of malware has been becoming more and more common for some time now. It has been particularly visible in newer ransomware-as-a-service offerings.

Seeing this type of approach applied to a tool like Ovidiy Stealer is particularly disquieting, however. That's because it's easy to imagine criminals not only using the tool on its own, but packaging it together with other malware to create even more dangerous multi-stage attacks.

The keys to your kingdom

Some cyber attacks stop at stealing credentials (there still is a black market for them, after all), but many others use stolen credentials as a means to more damaging ends. 

The most immediate and obvious risk is the use of one user's stolen login to access multiple accounts they may own. Password re-use is extremely common, and attackers have automated ways of easily testing any login info they get against a wide variety of services and accounts to see if they get a match. 

Stolen credentials can also grant attackers additional options and functionality, in some cases elevating their privileges and enabling lateral movement for spreading infections from one machine to another throughout an organization.

Last month's NotPetya outbreak is a prime high-profile example. One of the ways the ransomware spread was by stealing credentials on infected devices and using them to abuse legitimate command line tools PsExec and WMIC to infect additional machines on the network. 

Test your security vs. a credential stealer simulation 

Blocking malware designed to steal credentials is a key requirement for your company's endpoint security. To find out if your current security blocks credential stealing behavior, try out our free malware simulation tool, stackhackr.

Test your security

Jonathan Crowe

Jonathan writes about cybersecurity from a practical point of view. He has a strict whitelisting policy for filtering out jargon and only sharing tips and tools that actually work.


Close the gaps in your security

See how Barkly’s Runtime Malware Defense blocks malware like Ovidiy Stealer automatically, no clean up or recovery necessary.

Find out how
