- Feb 4, 2016
A Russian-speaking malware developer going by the name of "TheBottle" has started selling a new infostealer named Ovidiy Stealer.
The new malware strain is offered for sale on a Russian website for 450-750 rubles ($7-$13). The low price reflects the fact that the malware is less capable than other commercial infostealers on the market.
TheBottle started selling his new tool about a month ago and has also advertised it on various cybercrime forums.
Ovidiy Stealer spreads via malicious EXE files
The malware might have gone unnoticed had its buyers not used it to infect users. Proofpoint researchers spotted it during the past weeks being distributed as booby-trapped executables masquerading as legitimate applications. Below is a list of filenames used to distribute Ovidiy Stealer during the past month:
litebitcoin-qt.zip
HideMiner.zip
VkHackTool.zip
update_teamspeak3.5.1.exe
WORLD OF TANKS 2017.txt.exe
dice_bot.exe
cheat v5.4.3 2017.exe
Vk.com BulliTl.exe
These files were spread via file-hosting portals and cracking and keygen sites, but also via email campaigns that delivered the file as an attachment or included a link from which users could download it.
Ovidiy Stealer samples have a low detection ratio on VirusTotal, and the engines that do flag them usually apply generic labels, which Proofpoint considers a problem in itself.
"It is possible that an AV solution will detect the behavior of Ovidiy Stealer but label it in logs with a generic description and thus [Security Operations Center] analysts monitoring alerts may well see the event but not recognize its significance," researchers said in a technical report.
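The generic-label problem described above is easiest to address at the log layer: give SOC analysts a specific, named reason for an alert rather than a generic AV string. The following is an added example written for this article and not code from Proofpoint or the article's author. It matches attachment or download filenames against the lure list quoted above and additionally flags the double-extension trick one of those lures uses ("WORLD OF TANKS 2017.txt.exe", a document-like extension followed by an executable one), then runs both checks over a few constructed mail-gateway log lines. The tab-separated log format, the sender addresses and the lines themselves are assumptions made for the example, not a real product's format.

```python
"""Triage helper: flag filenames that match the Ovidiy Stealer lure list from
the article, or that use a double extension (e.g. ".txt.exe") to pass an
executable off as a document.

The log format ("timestamp<TAB>sender<TAB>filename") and the sample lines
below are constructed for this example; adapt the regex to your gateway.
"""
import re

# Lure filenames listed in the article (exact strings as published).
OVIDIY_LURE_NAMES = {
    "litebitcoin-qt.zip",
    "HideMiner.zip",
    "VkHackTool.zip",
    "update_teamspeak3.5.1.exe",
    "WORLD OF TANKS 2017.txt.exe",
    "dice_bot.exe",
    "cheat v5.4.3 2017.exe",
    "Vk.com BulliTl.exe",
}

# Extensions Windows will execute directly (assumed set, extend as needed).
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}
# Extensions a user would expect to open harmlessly (assumed set).
DOCUMENT_LIKE_EXTENSIONS = {"txt", "pdf", "doc", "docx", "xls", "xlsx",
                            "jpg", "jpeg", "png", "mp3", "mp4"}


def classify_filename(name):
    """Return a list of reasons the filename looks suspicious (empty if none).

    Reasons are stable strings so they can be used as alert labels.
    """
    reasons = []
    if name in OVIDIY_LURE_NAMES:
        reasons.append("known-ovidiy-lure")
    # Split off at most the last two extensions: "<base>.<doc-like>.<exe-like>".
    parts = name.lower().rsplit(".", 2)
    if (len(parts) == 3
            and parts[1] in DOCUMENT_LIKE_EXTENSIONS
            and parts[2] in EXECUTABLE_EXTENSIONS):
        reasons.append("double-extension")
    return reasons


# Assumed gateway log shape: ISO timestamp, sender, filename, tab-separated.
LOG_LINE = re.compile(r"^(?P<ts>\S+)\t(?P<sender>\S+)\t(?P<filename>.+)$")


def scan_log(lines):
    """Return (timestamp, sender, filename, reasons) for each suspicious line.

    Lines that do not match the expected shape are skipped, not flagged.
    """
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.rstrip("\n"))
        if not m:
            continue
        reasons = classify_filename(m["filename"])
        if reasons:
            hits.append((m["ts"], m["sender"], m["filename"], reasons))
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "2017-07-10T09:12:03Z\tbob@example.net\tinvoice_0711.pdf",
    "2017-07-10T09:14:44Z\tgames4u@example.org\tWORLD OF TANKS 2017.txt.exe",
    "2017-07-10T09:20:01Z\tsupport@example.com\tupdate_teamspeak3.5.1.exe",
    "2017-07-10T09:25:37Z\talice@example.net\tholiday photos.jpg.scr",
    "2017-07-10T09:30:12Z\tcarol@example.net\tnotes.txt",
]

if __name__ == "__main__":
    for ts, sender, filename, reasons in scan_log(SAMPLE_LOG):
        print(f"{ts} {sender} {filename!r}: {', '.join(reasons)}")
```

The exact-name match will age quickly as the operators rename their lures; the double-extension check is the durable part and catches "holiday photos.jpg.scr" in the sample even though that name appears nowhere in the report. Emitting the reason strings into the SIEM alongside the AV event gives the analyst the specificity the generic AV label lacks.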
Ovidiy Stealer has limited features, but it's more than enough
Users of infected hosts should be aware that Ovidiy Stealer can collect and steal information from applications such as:
FileZilla
Google Chrome
Kometa browser
Amigo browser
Torch browser
Orbitum browser
Opera browser