Meet Ovidiy Stealer: Bringing credential theft to the masses
Proofpoint threat researchers recently analyzed Ovidiy Stealer, a previously undocumented credential stealer which appears to be marketed primarily in Russian-speaking regions. It is under constant development, with several updated versions appearing since the original samples were observed in June 2017. The growing number of samples demonstrates that criminals are actively adopting this malware. Ovidiy Stealer is priced at 450-750 Rubles (~$7-13 USD) for one build, a price that includes a precompiled executable that is also "crypted" to thwart analysis and detection.
It should be noted that some antivirus solutions are detecting Ovidiy Stealer with generic and heuristic signatures only. With only heuristic detection, it is possible that an AV solution will detect the behavior of Ovidiy Stealer but label it in logs with a generic description, and thus SOC analysts monitoring alerts may well see the event but not recognize its significance. Instead, Ovidiy Stealer could be active in an organization's network, throwing alerts but not identified specifically.
We believe that Ovidiy Stealer is currently being spread via email as executable attachments, compressed executable attachments, and links to an executable download. It is also likely spread via file hosting / cracking / keygen sites, where it poses as other software or tools. In several cases, we observed the Ovidiy Stealer bundled with a “LiteBitcoin” installer, further validating this claim.
Figure 1: This file, spread as “litebitcoin-qt.zip,” bundles Ovidiy Stealer and another RAT, Remote Manipulator System by TektonIT. While the software is installing, both malware samples begin to reach out to the Command and Control (C&C) servers ovidiystealer[.]ru and rmansys[.]ru.
[Update 7/14/2017: The content of this site has been removed since this article was published. The site itself appears to still be online.]
Figure 2: This file, spread as “Chase SoftWare 1.2 Jora.exe” appears to be an account checker for various financial institutions (that is, a hacking tool), that was bundled with Ovidiy
Other observed filenames are listed below and include game lures, hack tool lures, social network lures and others:
- WORLD OF TANKS 2017.txt.exe
- cheat v5.4.3 2017.exe
At the time of writing, we have observed versions 1.0.1 through 1.0.5 distributed in the wild. Ovidiy Stealer is written in .NET and most samples are packed with either .NET Reactor or Confuser. Upon execution the malware remains in the directory in which it was installed and carries out its tasks from there. Somewhat surprisingly, there is no persistence mechanism built into this malware, so on reboot it will cease to run, but the file will remain on the victim machine.
Ovidiy Stealer is modular and contains functionality to target multiple applications -- primarily browsers -- listed below.
- Google Chrome
- Kometa browser
- Amigo browser
- Torch browser
- Orbitum browser
- Opera browser
Because a separate module carries out the targeting of each application, the fewer the modules selected, the smaller the malware payload size. Buyers can select as few as a single module, for example just “Google Chrome”.
Figure 3: Example code displaying the targeted directories for Chromium based browsers
Figure 4: Example displaying the code for locating and stealing stored FileZilla passwords
Ovidiy Stealer utilizes SSL/TLS for communication with its command and control server. It currently utilizes the domain ovidiystealer[.]ru for its command and control (C&C) communications, which is also the domain used to market and sell the malware. The initial C&C beacon is a POST reporting the following details:
- id: DiskID and ProcessorID
- ver: Ovidiy Stealer version
- cn: Windows username
- os: Operating system and version (e.g. Windows 7)
- user: Registered Ovidiy Stealer username
Figure 5: Network traffic capture of initial checkin beacon generated by the stealer
The unique ID provided for each infected machine is a combination of the 8-character DiskID and 16-character ProcessorID, combined into one string. We observed a commonly hardcoded ProcessorID of “BFEBFBFF000206A7” being used if the function checking the ProcessorID resulted in an empty buffer, and at least one sample containing “Rofl” for that value. Ovidiy Stealer traffic also includes a hardcoded User-Agent “E9BC3BD76216AFA560BFB5ACAF5731A3”. This is the md5 hash of the phrase 'litehttp', which is also the default User-Agent of the open-source LiteHTTP Bot. We believe that the Ovidiy author reused the open-source code of the LiteHTTP Bot project.
Figure 6: Code reuse shown: Ovidiy Stealer on the left, LiteHTTP Bot on the right
If the stealer is able to find passwords from targeted applications, it will follow up its initial checkin with another request reporting the passwords of targeted applications:
- id: DiskID and ProcessorID
- site: Website with saved credentials
- program: Targeted application
- login: Saved application username
- pass: Saved application password
- user: Registered Ovidiy Stealer username
Figure 7: Network traffic capture of credentials exfiltration beacon generated by the stealer
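An added example, not code from Proofpoint or from the malware: a triage function that labels decrypted POST records using the two field layouts and the hardcoded values described above. It assumes a TLS-inspecting proxy that logs the User-Agent and a form-encoded body, and that the DiskID precedes the ProcessorID in the combined ID; the function name and sample records are constructed.

```python
from urllib.parse import parse_qs

# Values taken from the article text.
OVIDIY_UA = "E9BC3BD76216AFA560BFB5ACAF5731A3"  # hardcoded User-Agent
FALLBACK_CPU_ID = "BFEBFBFF000206A7"            # hardcoded ProcessorID fallback
CHECKIN_FIELDS = {"id", "ver", "cn", "os", "user"}
PASSWORD_FIELDS = {"id", "site", "program", "login", "pass", "user"}

# Constructed sample records: (User-Agent, POST body). Not real traffic.
SAMPLES = [
    (OVIDIY_UA, "id=1A2B3C4DBFEBFBFF000206A7&ver=1.0.5&cn=alice"
                "&os=Windows+7&user=buyer01"),
    (OVIDIY_UA, "id=1A2B3C4D0123456789ABCDEF&site=https%3A%2F%2Fexample.test"
                "&program=Google+Chrome&login=alice&pass=REDACTED&user=buyer01"),
    ("Mozilla/5.0", "q=weather&lang=en"),
]


def classify(user_agent, body):
    """Return (label, notes) for one decrypted POST, or (None, []) if clean."""
    fields = parse_qs(body, keep_blank_values=True)
    names = set(fields)
    ua_hit = user_agent.strip().upper() == OVIDIY_UA
    if PASSWORD_FIELDS <= names:
        label = "password_report"
    elif CHECKIN_FIELDS <= names:
        label = "checkin"
    elif ua_hit:
        # The same User-Agent is the LiteHTTP Bot default, so do not
        # attribute to Ovidiy on this signal alone.
        return "litehttp_user_agent_only", []
    else:
        return None, []
    notes = ["litehttp-derived User-Agent"] if ua_hit else []
    machine_id = fields["id"][0]
    # Assumption: DiskID (8 chars) first, ProcessorID (16 chars) last.
    if machine_id.upper().endswith(FALLBACK_CPU_ID):
        notes.append("fallback ProcessorID")
    if len(machine_id) != 24:
        notes.append("id is not 8+16 characters")
    return label, notes


if __name__ == "__main__":
    for ua, body in SAMPLES:
        print(classify(ua, body))
```

Because the traffic is TLS-protected, environments without TLS inspection have to rely on the DNS query for the C&C domain instead.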
Sales and Support
Ovidiy Stealer is offered for sale on ovidiystealer[.]ru, a domain which will help attract potential customers and, as noted above, also the C&C domain. The malware boasts support, features, and login access to the web panel. The admin panel for Ovidiy Stealer allows the botmaster to view statistics on infected machines, view logs, build more stubs, and manage the account.
Figure 8: Ovidiy Stealer website landing page. Note the “We accept Free-Kassa” button.
Figure 9: Ovidiy Stealer admin panel
From the admin console, the botmaster has the capabilities to view and filter logs from infected machines.
Figure 10: Viewing Ovidiy Stealer client logs
To simplify purchasing, the team behind Ovidiy Stealer uses a service known as 'RoboKassa' to collect payment for new stubs. RoboKassa is a Russian equivalent to PayPal, allowing users to conduct payment using credit cards and other types of payment to the sellers; in this case the seller is “Ovidiy” (Fig. 11).
Figure 11: Payment via RoboKassa offering several options
Like many other markets with many choices, the malware market is competitive and developers must market the strengths and benefits of their products in order to attract buyers. To help drive sales, the development team includes statistics on the progress of certain modules, and other plans for future releases of the malware. In addition, the site includes “testimonials” from satisfied customers, presumably to demonstrate to other would-be criminals that they can be profitable when using Ovidiy Stealer.
Figure 12: Reviews and development progress. The user ACE’s comments translate to English as: “I only need the stealer for burglary on order. I explain what it is: I accept an order for the hijacking of a certain person's account. After I work with him and install the stealer. That's all, for one order I get 300-500 rubles. Without this project it would be impossible! Thank you!”
The main author of this project goes by the handle "TheBottle," evident from the informational page of the Ovidiy Stealer website. Moreover, the name 'TheBottle' is observed in at least one sample's PDB string:
C:\Users\TheBottle\documents\visual studio 2017\Projects\Ovidiy\Ovidiy\obj\Debug\Ovidiy.pdb
Figure 13: Self proclaimed author of Ovidiy Stealer, ‘TheBottle’, translated to English
Ovidiy Stealer is a new password stealer that entered the criminal ranks barely one month ago. While it is not the most advanced stealer we have seen, marketing and an entry-level price scheme make it attractive and accessible to many would-be criminals. Ovidiy Stealer is lightweight and simple enough to work with relative ease, allowing for simple and efficient credential exfiltration. A lightweight, easy-to-use, and effective product coupled with frequent updates and a stable support system give Ovidiy Stealer the potential to become a much more widespread threat. Stolen credentials continue to be a major risk for individuals and organizations, because password re-use can enable one stolen login to compromise several more accounts, and the sale of stolen accounts continues to be a lucrative market for criminals looking for quick profits. Ovidiy Stealer highlights the manner in which the cybercrime marketplace drives innovation and new entrants, and challenges organizations that must keep pace with the latest threats to their users, their data, and their systems.
Indicators of Compromise (IOCs)
Ovidiy Stealer C&C
Litebitcoin-qt.zip Ovidiy Stealer
Chase SoftWare 1.2 Jora.exe Ovidiy Stealer
Uber.exe Ovidiy Stealer
ET and ETPRO Suricata/Snort Coverage
2827113 | Observed DNS Query to Ovidiy Stealer CnC Domain
2827114 | MSIL/Ovidiy Stealer CnC Checkin
2827115 | MSIL/Ovidiy Stealer Reporting Passwords
2820681 | ETPRO TROJAN W32/XPCSpyPro/RemoteManipulator RAT Checkin
2808335 | ETPRO POLICY Win32/RemoteAdmin.RemoteUtilities.C Checkin
2811005 | ETPRO POLICY RADMINRMS.WIN32.1 Checkin POST