Malware
February 8, 2024

Facebook Ads Spreading Ov3r_Stealer Malware

A recently discovered malware dubbed Ov3r_Stealer is making its way through counterfeit job listings on Facebook, with the objective of pilfering account credentials and cryptocurrency.

These fraudulent job postings, supposedly for managerial roles, direct individuals to a Discord link. Once clicked, a PowerShell script initiates the download of the malware payload from a GitHub repository. Analysts observe that while none of its strategies are groundbreaking, it poses a significant threat to numerous potential victims due to Facebook's widespread usage as a social media platform.

The Infection Chain

The Ov3r_Stealer infection process begins with a lure: a Facebook job advertisement enticing individuals to apply for an Account Manager role within digital advertising. The advertisement directs users to a PDF file stored on OneDrive, ostensibly providing job information. However, clicking the link initiates a redirect through Discord CDN, leading to the download of a file labelled 'pdf2.cpl'. Disguised as a DocuSign document, this file is actually a PowerShell payload, exploiting the Windows Control Panel file for execution.

At this phase, four separate methods of loading malware were identified, including:

• The execution of remote PowerShell scripts through malicious Control Panel (CPL) files.

• HTML files weaponized with base64-encoded ZIP files carrying malicious content (HTML smuggling).

• LNK files disguised as text files, functioning as download shortcuts.

• SVG files embedding .RAR files (SVG smuggling).

The final payload consists of three files: a legitimate Windows executable (WerFaultSecure.exe), a DLL employed for DLL sideloading (Wer.dll), and a document housing the malicious code (Secure.pdf).

Upon execution, the malware establishes persistence by adding a scheduled task named "Licensing2," ensuring its recurrence every 90 minutes on infected machines.

Data Theft and Exfiltration

Ov3r_Stealer endeavours to pilfer data from a diverse array of applications, encompassing cryptocurrency wallet apps, web browsers, browser extensions, Discord, FileZilla, among others. Additionally, the malware scrutinises the system services configuration stored in the Windows Registry, potentially identifying targets, and can scour local directories for document files.
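For defenders, the "Licensing2" task, its 90-minute interval and the WerFaultSecure.exe sideloading host described above can be checked against exported scheduled-task definitions. The following is an added example, not code from the article or from Trustwave; the sample task XML and file paths are constructed, and the idea that the task action launches WerFaultSecure.exe directly is an assumption.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}  # Task Scheduler XML schema

def interval_minutes(iso):
    """Convert a repetition interval such as PT90M or PT1H30M to minutes."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", iso or "")
    if not m or not any(m.groups()):
        return None
    d, h, mi, s = (int(g or 0) for g in m.groups())
    return d * 1440 + h * 60 + mi + s / 60

def triage_task(xml_text):
    """Return which indicators from the article a task definition matches."""
    root = ET.fromstring(xml_text)
    hits = []
    uri = root.findtext("t:RegistrationInfo/t:URI", "", NS)
    if PureWindowsPath(uri).name.lower() == "licensing2":
        hits.append("task-name")
    # "PT1H30M" and "PT90M" are the same 90-minute schedule, so compare minutes
    if any(interval_minutes(i.text) == 90 for i in root.iterfind(".//t:Repetition/t:Interval", NS)):
        hits.append("90-minute-repeat")
    # Assumption: the task action starts the sideloading host binary directly
    for cmd in root.iterfind("t:Actions/t:Exec/t:Command", NS):
        path = PureWindowsPath((cmd.text or "").strip().strip('"'))
        in_system32 = "system32" in (part.lower() for part in path.parts)
        if path.name.lower() == "werfaultsecure.exe" and not in_system32:
            hits.append("werfaultsecure-outside-system32")
    return hits

# Constructed samples (not taken from a real host or from the article)
SUSPECT_TASK = r"""<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Licensing2</URI></RegistrationInfo>
  <Triggers><TimeTrigger><Repetition><Interval>PT1H30M</Interval></Repetition></TimeTrigger></Triggers>
  <Actions><Exec><Command>"C:\Users\Public\Example\WerFaultSecure.exe"</Command></Exec></Actions>
</Task>"""
BENIGN_TASK = r"""<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Microsoft\Windows\Defrag\ScheduledDefrag</URI></RegistrationInfo>
  <Triggers><TimeTrigger><Repetition><Interval>PT1H</Interval></Repetition></TimeTrigger></Triggers>
  <Actions><Exec><Command>%windir%\system32\defrag.exe</Command></Exec></Actions>
</Task>"""

if __name__ == "__main__":
    print(triage_task(SUSPECT_TASK))
    print(triage_task(BENIGN_TASK))
```

A 90-minute interval on its own is a weak signal; the combination of hits is what warrants a closer look at the host.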

Here's the comprehensive rundown of applications and directories scrutinized by Ov3r_Stealer for valuable data it can extract.

Every 90 minutes, the malware gathers available information from the compromised computer and forwards it to a Telegram bot. This includes the victim's geolocation data and a synopsis of the pilfered information.

Ov3r_Stealer Origins

Trustwave has identified connections between the exfiltration Telegram channel and specific usernames found in forums associated with software cracking and related communities.

Researchers have observed similarities in code between Ov3r_Stealer and Phemedrone, a C# stealer, suggesting that Phemedrone might have served as the foundation for this new malware. Trustwave has also discovered demonstration videos showcasing the operation of the malware, indicating potential efforts by threat actors to attract buyers or collaborators. These videos were shared by accounts communicating in Vietnamese and Russian, while also displaying the French flag, making it difficult to determine the nationality of the threat actor.

How can cyber security companies help?

The emergence of Ov3r_Stealer underscores the evolving landscape of cyber threats and the need for constant vigilance. While the origins and motives of threat actors remain somewhat obscure, the collaborative efforts of cyber security firms play a crucial role in identifying, analysing, and mitigating such risks.

By leveraging expertise in threat intelligence, malware analysis, and incident response, cyber security companies can provide invaluable assistance to individuals and organisations facing potential breaches. Through proactive monitoring, timely alerts, and tailored security solutions, these firms empower their clients to bolster their defences and safeguard against emerging threats like Ov3r_Stealer.
