Proofpoint has released a blog giving details of the malware Ovidiy Stealer. This is a credential stealer that is being actively marketed and is under constant development. It was originally detected in June 2017 and there are already several versions in circulation. Proofpoint reports that the product is being targeted at Russian-speaking cybercriminals. The cost of a version which includes a precompiled executable is between 450 and 750 rubles ($7-$13). The executable is also encrypted to make it very difficult to detect. This makes it among the cheapest Malware as a Service (MaaS) solutions on the market.
How effective is Ovidiy Stealer?
That’s an interesting question. Proofpoint says that: “some antivirus solutions are detecting Ovidiy Stealer with generic and heuristic signatures only. With only heuristic detection, it is possible that an AV solution will detect the behavior of Ovidiy Stealer but label it in logs with a generic description and thus SOC analysts monitoring alerts may well see the event but not recognize its significance. Instead, Ovidiy Stealer could be active on an organization’s network, throwing alerts but not identified specifically.”
This misidentification is a significant problem. If SOC analysts are not detecting the malware then it will continue to harvest credentials. This makes it a very dangerous piece of malware and something that SOC analysts need to be actively looking for. To help analysts, Proofpoint has provided a set of Indicators of Compromise (IOCs) that can be used to identify potential infections. It has also provided details of the command and control domain “ovidiystealer[.]ru”. Naming the domain after the malware shows that the authors do not expect any takedown action from Russia-based ISPs.
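Because the AV alerts described above may carry only a generic label, a network-side match on the published command and control domain gives the SOC a second, unambiguous signal. The script below is an added example written for this article, not code from Proofpoint or from the malware authors: it refangs the indicator quoted above (“ovidiystealer[.]ru”), scans resolver and proxy log lines for that domain or any subdomain of it, and lists the internal clients that contacted it. The log format and every log line are constructed for the example; only the domain comes from the report.

```python
import re

# Indicator as published, in the defanged form quoted in the article.
DEFANGED_C2 = "ovidiystealer[.]ru"


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('example[.]com', 'hxxp://') back into a matchable form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()


def domain_matches(candidate: str, ioc_domain: str) -> bool:
    """True if candidate is the IOC domain itself or a subdomain of it.

    The leading dot in the suffix check stops look-alikes such as
    'notexample.com' from matching 'example.com'.
    """
    candidate = candidate.lower().rstrip(".")
    return candidate == ioc_domain or candidate.endswith("." + ioc_domain)


# Hostname extraction for the constructed log format below: the name after
# 'query:' in a resolver line, or the host part of a URL in a proxy line.
HOST_RE = re.compile(r"(?:query:\s*|https?://)([a-z0-9.-]+)", re.IGNORECASE)
CLIENT_RE = re.compile(r"client=(\d{1,3}(?:\.\d{1,3}){3})")


def find_c2_hits(log_lines, defanged_ioc: str = DEFANGED_C2):
    """Return the log lines whose hostname matches the C2 indicator."""
    ioc = refang(defanged_ioc)
    hits = []
    for line in log_lines:
        for host in HOST_RE.findall(line):
            if domain_matches(host, ioc):
                hits.append(line.strip())
                break  # one hit per line is enough
    return hits


def affected_clients(hit_lines):
    """Extract the set of internal client addresses from matching lines (pivot point for triage)."""
    clients = set()
    for line in hit_lines:
        m = CLIENT_RE.search(line)
        if m:
            clients.add(m.group(1))
    return clients


# Constructed sample log lines (not from the Proofpoint report). Timestamps,
# client addresses, the look-alike domain and the subdomain are all made up.
SAMPLE_LOGS = [
    "2017-07-13T09:12:01Z resolver client=10.1.4.22 query: ovidiystealer.ru type=A",
    "2017-07-13T09:12:02Z resolver client=10.1.4.22 query: www.example.com type=A",
    "2017-07-13T09:12:05Z proxy client=10.1.4.22 GET http://OVIDIYSTEALER.RU/ 200",
    "2017-07-13T09:13:40Z resolver client=10.1.4.30 query: notovidiystealer.ru type=A",
    "2017-07-13T09:14:00Z proxy client=10.1.4.31 GET http://update.ovidiystealer.ru/ 200",
]


if __name__ == "__main__":
    hits = find_c2_hits(SAMPLE_LOGS)
    for h in hits:
        print("C2 match:", h)
    print("clients to triage:", sorted(affected_clients(hits)))
```

On the constructed input the matcher flags three lines (the exact domain, the same domain in upper case in a proxy URL, and a subdomain) while ignoring the look-alike name, and reports two internal clients for follow-up. Feeding real resolver or proxy exports through the same functions only requires adjusting the two regular expressions to the local log format.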
What is it targeting and stealing?
Ovidiy Stealer is targeting six browsers and an FTP application. The list of targets provided by Proofpoint includes:
- Google Chrome
- Kometa browser
- Amigo browser
- Torch browser
- Orbitum browser
- Opera browser
The purchaser of the malware decides which of these to target; the longer the list, the larger the final executable. Once the malware is installed it looks for any usernames and passwords associated with these applications. Proofpoint indicates that there could be other applications but has not named them.
How does it spread?
As with a lot of malware it is spread by poor user practices. It uses executable attachments in email as well as fake versions of software. The latter are often cracked versions of software offered free on download sites. When the user installs the software, Ovidiy Stealer is installed along with it. One application that Proofpoint highlights is LiteBitcoin. It also lists a number of games, hacking tools, social network apps and other software.
Much of the end-user technology inside businesses is now owned by employees, not the business. This means that their non-work activities can have a significant impact on the business. Many IT departments are struggling to create a safe environment in which users can bring their own technology into work. Until they find a workable solution, they will be at risk from end-user devices.
What does this mean?
Cheap credential-stealing malware that is constantly updated is a serious threat. There is no evidence that this is anything more than criminal activity. However, there will be concern that the malware owners are brazen enough to use the malware name for the C&C domain name. This suggests that they do not fear any interference with their plans. They are also taking money using a Russian payment service that is the equivalent of PayPal. Operating so openly shows how difficult it is to get coordinated global action against malware authors.
A bigger risk is the inability of SOC analysts to correctly identify an Ovidiy Stealer infection. Part of the problem is that the few software tools that do spot the malware are not providing enough data for accurate identification. This is something that will concern security teams as they become increasingly reliant on their software partners.