Cybercrime has continued to evolve and now exists in a highly organized form. It has been commercialized and is becoming a big business. The market ranges from hacking tools to exploit kits and from ransomware to helping someone launch attacks.
In the recent past, we have witnessed an increase in malware-as-a-service (MaaS), and it is now an attractive business in the black market (dark web). Alongside MaaS, other services such as ransomware-as-a-service, DDoS-as-a-service, phishing-as-a-service, and many more are on offer.
Two separate groups of researchers spotted two such services recently.
Ovidiy Stealer — $7 Password-Stealing Malware For Everyone
Ovidiy Stealer is a malware which is being marketed on Russian-speaking forums. It targets web browsers primarily, and anyone with even a little technical knowledge can hack many computers for as cheap as $7.
It appeared just a month ago, and it receives regular updates from its Russian authors. Many cyber criminals have got their hands on it. Ovidiy Stealer has several versions which are available in the market and are targeting victims around the world, including the United Kingdom, the Netherlands, India, and Russia. Researchers from Proofpoint reported it after analyzing it.
Despite the low cost, the executables are encrypted, which makes them harder for researchers to analyze or detect. According to the researchers, some antivirus products are detecting it based on its behavior.
The malware is written in .NET and can target multiple applications such as Google Chrome, Opera, FileZilla, Amigo, Kometa, Torch, and Orbitum, but the buyers can get their hands on a version targeting only a single application.
It can be spread using various methods such as malicious email attachments, malicious download links, fake software or tools, and even within a software package. Ovidiy itself isn’t powerful or advanced, but it has the potential to become widespread.
It uses an SSL/TLS connection for secure communication with the command and control server, which is hosted on the same domain used to market and sell this product.
“A lightweight, easy-to-use, and effective product coupled with frequent updates and a stable support system give Ovidiy Stealer the potential to become a much more widespread threat,” the report concluded.
“Ovidiy Stealer highlights the manner in which the cybercrime marketplace drives innovation and new entrants and challenges organisations that must keep pace with the latest threats to their users, their data, and their systems.”
Hackshit — Easier Phishing Than Ever Before!
Netskope Threat Research Labs uncovered this phishing-as-a-service platform, which it described as an “automated solution for the beginner scammers.”
Hackshit attracts users with free trial accounts, allowing them to review the hacking tutorials and tricks.
“The marketplace is a portal that offers services to purchase and sell for carrying out the phishing attacks,” Netskope researcher Ashwin Vamshi says.
“The attacker then generates a phished page from the page/generator link and logs into the email account of the compromised victim, views all the contacts and sends an email embedded with the phished link.”
Hackshit enables “wannabe hackers” to create their phishing pages for services such as Yahoo, Facebook, and Gmail.
These phishing pages use the data URI scheme to serve base64-encoded content from “secure HTTPS websites with ‘.moe’ top level domain (TLD) to evade traditional scanners.”
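The evasion described above works because a scanner that only looks at the outer URL never sees the page content: the HTML lives inside a base64 data: URI. The following is an added example, not code from the Netskope report or from Hackshit, of how a defender's URL scanner can decode such a URI and pull out the indicators that matter (an HTML payload, a form with a password field, and the TLD of the host the form posts to). The sample URI, the placeholder .moe host name, and the form field names are all constructed for the example.

```python
"""Inspect a base64 data: URI, decode its HTML payload, and report indicators
a URL scanner could act on. Added example; all sample data is constructed."""
import base64
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a data: URI carrying a base64-encoded HTML login form whose
# action posts to an HTTPS host under a .moe TLD. The host name is a placeholder.
SAMPLE_HTML = (
    '<html><body><form action="https://example-placeholder.moe/collect" method="post">'
    '<input name="login" type="text"><input name="passwd" type="password">'
    '<input type="submit"></form></body></html>'
)
SAMPLE_DATA_URI = "data:text/html;base64," + base64.b64encode(SAMPLE_HTML.encode()).decode()


class _FormCollector(HTMLParser):
    """Collect form action URLs and note whether a password input appears."""

    def __init__(self):
        super().__init__()
        self.actions = []
        self.has_password_input = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and a.get("action"):
            self.actions.append(a["action"])
        if tag == "input" and (a.get("type") or "").lower() == "password":
            self.has_password_input = True


def decode_data_uri(uri):
    """Return (mime_type, payload_bytes) for a base64 data: URI, else None.

    Non-data URIs, data URIs without the ;base64 flag, and payloads that are not
    valid base64 all return None so the caller treats them as 'nothing to inspect'.
    """
    m = re.match(r"^data:([^;,]+)(;[^,]*)?,(.*)$", uri, re.S)
    if not m:
        return None
    mime, params, payload = m.group(1), m.group(2) or "", m.group(3)
    if ";base64" not in params:
        return None
    try:
        # binascii.Error is a ValueError subclass, so one except clause covers it.
        return mime, base64.b64decode(payload, validate=True)
    except ValueError:
        return None


def analyze_data_uri(uri, suspicious_tlds=("moe",)):
    """Decode a data: URI and return a dict of indicators for a scanner to act on."""
    result = {
        "is_base64_data_uri": False,
        "mime": None,
        "has_password_form": False,
        "form_hosts": [],
        "suspicious_tld_hosts": [],
    }
    decoded = decode_data_uri(uri)
    if decoded is None:
        return result
    mime, payload = decoded
    result["is_base64_data_uri"] = True
    result["mime"] = mime
    if not mime.lower().startswith("text/html"):
        return result  # e.g. an inline image; nothing to parse for forms
    parser = _FormCollector()
    parser.feed(payload.decode("utf-8", errors="replace"))
    result["has_password_form"] = parser.has_password_input and bool(parser.actions)
    for action in parser.actions:
        host = urlparse(action).hostname
        if host:
            result["form_hosts"].append(host)
            if host.rsplit(".", 1)[-1].lower() in suspicious_tlds:
                result["suspicious_tld_hosts"].append(host)
    return result


def is_suspicious(uri):
    """Flag a base64 HTML data: URI that contains a credential form."""
    r = analyze_data_uri(uri)
    return r["is_base64_data_uri"] and r["has_password_form"]


if __name__ == "__main__":
    print(analyze_data_uri(SAMPLE_DATA_URI))
```

The decision in is_suspicious deliberately rests on the decoded content (an HTML payload with a password form) rather than on the TLD alone, since the .moe detail is specific to this campaign and will change; the TLD list is kept as a tunable secondary indicator.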
“Based on one of the video tutorials we observed, the attacker purchases site login accounts of compromised victim from the marketplace using Perfect Money or bitcoins,” the researcher says.
Another thing to note here is that Hackshit uses Let’s Encrypt (an open certificate authority that provides free SSL/TLS certificates for deploying HTTPS).