For just $7, it is possible to send out malware that avoids antivirus, researchers said.
The malware, Ovidiy Stealer, sells for $7-$13 (450-750 rubles) and is delivered as a single build in the form of a precompiled executable, said researchers at Proofpoint.
The company said the executable can “thwart analysis and detection,” and while some antivirus solutions do detect the infection, they flag it with a generic description that says little about its purpose, the researchers said in a blog post.
Ovidiy Stealer spreads with the help of executable email attachments, compressed executable attachments, and links to keygen websites or hosting pages. In all cases, the included file is an executable infected with the malware.
The malware targets include Google Chrome, Opera browser, Filezilla, and Torch browser.
“We have observed versions 1.0.1 through 1.0.5 distributed in the wild. Ovidiy Stealer is written in .NET and most samples are packed with either .NET Reactor or Confuser,” Proofpoint researchers said. “Upon execution, the malware will remain in the directory in which it was installed, and where it will carry out tasks. Somewhat surprisingly, there is no persistence mechanism built into this malware, so on reboot it will cease to run, but the file will remain on the victim machine.”
Once it infects a machine, the malware uses SSL/TLS to communicate with a command and control server, harvests saved passwords from the applications listed above, and transmits them to the operators. The data it sends includes the processor ID, the website with saved credentials, the targeted application, the username and password, and the registered Ovidiy Stealer username.
Several updated samples of the password stealer have already been spotted online, so keeping security software up to date and always double-checking files from untrusted sources before downloading them are the two best ways to remain protected.