Editor’s Note: Welcome to my weekly column, Virtual Case Notes, in which I interview industry experts for their take on the latest cybersecurity situation. Each week I will take a look at a new case from the evolving realm of digital crime and digital forensics. For previous editions, please type “Virtual Case Notes” into the search bar at the top of the site.

Last month I wrote about the $27,000 monthly subscription plan for “dumps” of exploits and hacking tools being offered by the infamous Shadow Brokers. (Due to fluctuations in cryptocurrency values, that price is now about $20,000 at the time of this writing.) Given the role of the EternalBlue exploit—which was exposed by the Shadow Brokers in April—in the recent massive WannaCry and NotPetya ransomware attacks, the tools included in the expensive “dumps” are expected to be powerful, with the potential to cause a lot of damage.

But not every hacker will be willing or able to shell out $20,000+ for equipment to potentially launch the next cyber pandemic. More frugal hackers can, however, go shopping for cheaper tools in the growing malware-as-a-service market. And for as little as $7, less than the cost of a movie ticket, hackers or aspiring hackers from any walk of life can get their hands on a piece of customizable, easy-to-use, password-stealing malware recently uncovered by threat researchers at cybersecurity company Proofpoint.

“Entry-Level Malware”

“In malware, just as in regular legitimate products, there are actually different price points, and different levels,” said Patrick Wheeler, the director of threat intelligence at Proofpoint, in an interview with Forensic Magazine. “So you have premium versions—what we would consider enterprise quality malware—that (are) often very expensive, regularly updated, very difficult to obtain. And then Ovidiy falls into a category of what we call entry-level malware.”

Ovidiy Stealer is an information-stealing tool that harvests saved passwords and other credentials from browsers and applications such as Google Chrome, sends them back to its operator, and presents them in a web-based control panel where the operator can keep track of the machines they have infected. It is typically spread by email, with the malware delivered as an attachment that unsuspecting recipients are tricked into opening; it has also been distributed through file-sharing sites and through “drive-by downloads,” in which victims are directed to websites that install it automatically. Most interestingly, this simplistic but potentially dangerous tool has been sold in Russian-speaking regions for the dirt-cheap price of 450-750 rubles (about $7.63-$12.72).

A screenshot from Ovidiy Stealer's admin console showing logs from infected machines. (Image: Courtesy of Proofpoint)

“It would be very easy for a new cybercriminal to purchase this software,” Wheeler explained. “They like to try to make it as easy as possible for a new user to get started. When it was up and running, the control panel for this malware included helpful instruction, as well as information and guidelines about what was being collected.”

Easily Bought—and Easily Caught

Proofpoint’s report on Ovidiy Stealer describes it as “lightweight and simple enough to work with relative ease, allowing for simple and efficient credential exfiltration.” And not only do the low price and simplistic nature make it easy for even the most inexperienced of hackers to buy and use it—the purchasing process itself offers minimal hassle.

“Not only are they relatively attractive with price, but then also in this case they offer payment through RoboKassa, which is kind of a Russian equivalent to PayPal,” Wheeler explained. “So it’s very easy to get started. You don’t even have to set up bitcoin for it.”

The payment screen for Ovidiy Stealer, showing payment options through RoboKassa, a Russian PayPal equivalent. (Image: Courtesy of Proofpoint)

This makes the malware especially accessible to anyone interested in using it, but it also exposes those selling it to easier detection by authorities. Much of the cybercrime marketplace operates on the harder-to-trace “dark web”; Ovidiy, by contrast, was not only marketed on the “clear web” for everyone to see, but marketed from the same domain that housed its command-and-control communications, which Wheeler notes is incredibly unusual. Sharing one domain between the storefront and the C2 server means the same hosting and registration records, and the same payment trail, point at both halves of the operation, and taking down or sinkholing that single domain disrupts both at once.

“That’s not a particularly common practice (…) many threat actors try and hide their tracks a little better,” he said. He added that shortly after Proofpoint published its report, the malware’s .ru domain remained online, but was wiped of its marketing content.

“I guess they got a little bit shy,” he said.

A Small Fish in a Big Pond

Ovidiy Stealer is just one example of a growing economy of profit-driven hackers who have turned cybercrime into an operational business, Wheeler said.

“Many people still (…) think of hackers as being what we can call ‘script kiddies,’ individuals who are hacking more for fun than for profit, defacing websites, stealing information,” he explained. “The modern reality for at least the last decade—and most likely longer—is that cybercrime is a business and it’s a very operationalized business where every different piece of the infrastructure from email sending infrastructure, to the malware, to the testing for the malware, encryption, distribution, everything—they’re all available as services.

“Modern threat actors are in many cases businessmen—they’re cybercriminals but they’re also businessmen and they’re operating with a focus on profit,” Wheeler concluded.

The conclusion to Proofpoint’s report states that, due to Ovidiy Stealer’s easy-to-use nature and the fact that it is being regularly updated by its creators, it has “the potential to become a much more widespread threat.” The report also points out the risk that stolen credentials pose to individuals and businesses: a harvested password can be used to take over accounts, and each compromised account becomes a stepping stone to further data and systems. Wheeler notes the power of the social engineering techniques that many information-stealing campaigns leverage and warns against relying on end users to recognize and avoid the threat.

“Our recommendation is always to really focus on solutions protecting the end users and really stopping the different threats before they can reach end users, because our research continually shows that somebody will always click,” he said. “Having solutions that can actually detect the latest, most innovative threats and stop them before they get to your end users is really essential.”