As if the use of malware to mount cyber attacks was not enough, such software is being openly sold on e-commerce sites for what can only be described as throw away prices.
The discovery of “Ovidiy Stealer,” an infostealer offered for sale on a Russian site, has raised eyebrows.
Some might be inclined not to take this case too seriously, but the facts unearthed and shared by Proofpoint researchers should worry many people, particularly system administrators.
The main reason for this is that the Ovidiy Stealer malware comes as an attachment, and its .exe format can deceive any firewall or AV program running on the system.
Analysts hasten to point out that it is not especially powerful or effective, but it still has the potential to do real damage.
Priced Cheap, But with Constant Upgrades
According to their report, Proofpoint’s research team feels this infostealer could have gone unnoticed, but it appears to have been revived and repurposed for its current use: stealing files and data from computers.
This alerted those who keep tabs on such attacks, and that is how the investigation began.
It is a Russian site that is offering the Ovidiy Stealer malware, at a price as low as 450 to 750 Russian Rubles, which is just $7 to $13. Currently though, the sites selling it appear to be targeting buyers in and around Russia.
The audacity of the seller, who goes by the name “TheBottle,” is such that the malware is even being advertised on some darknet sites.
What is Ovidiy Stealer Malware Capable of?
As mentioned, the immediate threat from Ovidiy Stealer is that it has been created and released in such a format that it can escape detection at the level of firewalls.
Some anti-virus programs may be able to detect and isolate it, but may not be able to flag it and prompt the user to delete the malware.
It is being sent in as executable mail attachments, hidden inside some program such as the “Litebitcoin” installer.
The investigative team from Proofpoint was even able to list the names of the files that contain this infostealer.
They have also listed the applications that an attack using this malware can target, including popular browsers like Google Chrome and Opera, along with others like FileZilla, Amigo and Kometa.
The Ovidiy Stealer malware is being sold on the sites in the form of modules, giving the choice to the buyer to pick and choose.
The command center is a website with the same name, ovidiystealer.ru, which gives the attacker a dashboard view of the stolen files and information and lets them make changes from their remote location.
The Weaknesses in the Program
Analysts have found that the threat posed by this inexpensive off-the-shelf malware has some weaknesses. In the assessment of these experts, its threat potential is not very high, and its seller may kill it at any time.
Even if a buyer deploys the malware and does not earn any ransom from it, the Ovidiy Stealer site owner loses very little.
But from the perspective of the cybersecurity experts, it is obvious that the agencies entrusted with controlling cybercrimes in Russia should be able to trace this entity very easily.
Apart from the fact that the website could be taken down, buyers are asked to route their payments through the Russian online payment gateway RoboKassa, which works much like PayPal.
It should not pose any challenge to the Russian authorities to reach and take action upon the person or persons behind this illegal activity of selling malware online.
What Can the Users Do?
Those responsible for maintaining networks and systems are advised to take steps to ensure the malware does not infect their systems.
One is to strengthen authentication to at least two factors instead of a single-factor process.
Secondly, they can download and use password management programs, which help in setting strong passwords that most malware will find difficult to crack.