Ovidiy Stealer

Ovidiy Stealer is a credential-stealing trojan written in .NET that Proofpoint researchers identified in June 2017; it mainly targets Russian-speaking users. Since then the number of samples has risen sharply, and researchers have observed versions 1.0.1 through 1.0.5. It is updated constantly and sold at ovidiystealer[.]ru for approximately $7-13 per build, a price that includes an executable with anti-detection and anti-analysis features. It has no persistence mechanism, however, and will not run again after a reboot.

Ovidiy is believed to be distributed as executable attachments, compressed executable attachments, or links to an executable in emails, as well as through file-hosting sites where it masquerades as other software; Proofpoint observed it bundled with a "LiteBitcoin" installer. It has also been observed under the following filenames:

  • HideMiner.zip
  • VkHackTool.zip
  • update_teamspeak3.5.1.exe
  • WORLD OF TANKS 2017.txt.exe
  • dice_bot.exe
  • cheat v5.4.3 2017.exe
  • Vk.com BulliTl.exe
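
The delivery vectors above (bare executables, executables inside zip attachments, and lure names such as "WORLD OF TANKS 2017.txt.exe" that hide an executable behind a document extension) are all visible at mail-gateway triage time. The following is an added example, not Proofpoint's code or anything from the Ovidiy author: it applies those three checks to attachment names and zip contents. The reported filenames come from the list above; the decoy-extension list, the sample zip and the helper names are constructed for the demo.

```python
"""Attachment triage for the Ovidiy delivery vectors described above (added example)."""
import io
import re
import zipfile

# Filenames reported for Ovidiy samples (from the list above), compared case-insensitively.
KNOWN_OVIDIY_NAMES = {
    "hideminer.zip", "vkhacktool.zip", "update_teamspeak3.5.1.exe",
    "world of tanks 2017.txt.exe", "dice_bot.exe",
    "cheat v5.4.3 2017.exe", "vk.com bullitl.exe",
}
EXECUTABLE_EXTS = (".exe", ".scr", ".com", ".pif")   # assumed set of PE-style extensions
ARCHIVE_EXTS = (".zip",)
# A document/media extension immediately followed by an executable extension,
# e.g. ".txt.exe" (assumed decoy list; extend to taste).
DECOY_EXT_RE = re.compile(r"\.(txt|doc|docx|pdf|jpg|jpeg|png|mp3|avi)\.(exe|scr|com|pif)$")


def inspect_name(name):
    """Return the reasons a bare attachment name looks like an Ovidiy-style lure."""
    reasons = []
    lower = name.lower().strip()
    if lower in KNOWN_OVIDIY_NAMES:
        reasons.append("filename matches a reported Ovidiy sample name")
    if DECOY_EXT_RE.search(lower):
        reasons.append("double extension hides an executable behind a document/media extension")
    elif lower.endswith(EXECUTABLE_EXTS):
        reasons.append("bare executable attachment")
    return reasons


def inspect_archive(data):
    """Open a zip attachment in memory and apply inspect_name to every member."""
    reasons = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                inner = inspect_name(member)
                if inner:
                    reasons.append(f"{member}: " + "; ".join(inner))
    except zipfile.BadZipFile:
        reasons.append("attachment has a .zip extension but is not a valid zip")
    return reasons


def triage_attachment(name, data=None):
    """Combine the name checks with archive inspection; an empty list means nothing flagged."""
    reasons = inspect_name(name)
    if name.lower().endswith(ARCHIVE_EXTS) and data is not None:
        reasons.extend(inspect_archive(data))
    return reasons


def build_sample_zip(members):
    """Constructed zip for the demo; member contents are placeholder bytes, not malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member in members:
            zf.writestr(member, b"placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed attachments modelled on the vectors described above.
    samples = [
        ("WORLD OF TANKS 2017.txt.exe", None),
        ("quarterly_report.pdf", None),
        ("HideMiner.zip", build_sample_zip(["HideMiner.exe", "readme.txt"])),
        ("notes.zip", b"not actually a zip"),
    ]
    for name, data in samples:
        verdict = triage_attachment(name, data)
        print(f"{name}: {'FLAG ' + ' | '.join(verdict) if verdict else 'ok'}")
```

The zip check matters because the reported samples include archive names (HideMiner.zip, VkHackTool.zip) whose outer name alone says little; the executable inside is what the gateway should see. Name-based rules are only a first filter, since the author renames builds freely, so pair them with the absence-of-persistence observation above when scoping a host: a machine that ran Ovidiy once may show no artefacts after reboot other than the dropped file and outbound traffic.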

It is a modular trojan that can target multiple applications to retrieve credentials, primarily the following browsers and the FileZilla FTP client:

  • Amigo browser
  • FileZilla
  • Google Chrome
  • Kometa browser
  • Opera browser
  • Orbitum browser
  • Torch browser