Cybersecurity firm Trustwave has exposed a cybercriminal campaign that uses Facebook job advertisements to distribute a novel malware, Ov3r_Stealer. The malware is engineered to harvest account credentials and cryptocurrency from unsuspecting users. The Trustwave research team's analysis reveals a multi-stage infection chain that begins by inviting Facebook users to apply for a bogus position. Targeted users are then redirected to a malicious document, which launches a PowerShell script that pulls the malware from a GitHub repository.
The scheme entices targets with a job opportunity for an Account Manager. Applicants are directed to a PDF on OneDrive, falsely represented as the job details. Instead, clicking it redirects to Discord's content delivery network, which serves a deceptive 'pdf2.cpl' file. This file masquerades as a standard document but is actually a PowerShell payload that abuses Windows Control Panel (.cpl) files, which Windows treats as executable code, to run. Trustwave's findings reveal a multi-faceted malware loading approach incorporating a Windows executable, a DLL used for DLL sideloading, and a document containing the malicious payload.
Data Exfiltration Techniques
Upon successful execution, Ov3r_Stealer sets up a recurring scheduled task that operates at 90-minute intervals, ensuring its persistence on the infected system. The malware targets a wide array of applications and directories—ranging from web browsers and extensions to cryptocurrency wallets and FTP clients like Filezilla—to extract valuable data. Crucial data are transmitted to a Telegram bot, including geographic location details and summaries of the compromised information.
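The 90-minute repetition interval described above is a concrete, hunt-able artifact. The following is an added example (not Trustwave's tooling or anything from the campaign) that parses an exported Task Scheduler definition (as produced by `schtasks /query /xml`), converts the trigger's ISO 8601 repetition interval to minutes, and flags tasks that repeat every 90 minutes or that launch PowerShell or a .cpl file. The task XML, script path and launcher keyword list are constructed assumptions for the demonstration.

```python
import re
import xml.etree.ElementTree as ET

# Namespace used by exported Task Scheduler definitions.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# ISO 8601 durations as Task Scheduler writes them, e.g. PT90M, PT1H30M, P1DT2H.
DURATION_RE = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")
SUSPECT_INTERVAL_MIN = 90  # repetition interval reported for Ov3r_Stealer
# Heuristic (an assumption): launchers worth a second look in a user-created task.
SUSPECT_LAUNCHERS = ("powershell", "pwsh", ".cpl", "control.exe", "rundll32")

# Constructed sample task (not a real campaign artifact): a PowerShell script
# re-run every 90 minutes, shaped like the persistence described in the report.
SAMPLE_TASK_XML = """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger>
    <Repetition><Interval>PT1H30M</Interval></Repetition>
    <StartBoundary>2024-01-01T08:00:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
  </CalendarTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>powershell.exe</Command>
    <Arguments>-w hidden -File C:\\Users\\Public\\sync.ps1</Arguments>
  </Exec></Actions>
</Task>"""

def duration_minutes(value):
    """Convert a Task Scheduler duration string to minutes; None if unparsable."""
    m = DURATION_RE.match(value.strip())
    if not m or not any(m.groups()):
        return None
    days, hours, mins, secs = (int(x) if x else 0 for x in m.groups())
    return days * 1440 + hours * 60 + mins + secs / 60

def assess_task(task_xml):
    """Report every repetition interval and Exec action of a task, plus two flags."""
    body = re.sub(r"^\s*<\?xml[^>]*\?>", "", task_xml)  # drop the UTF-16 declaration
    root = ET.fromstring(body)
    intervals = [duration_minutes(e.text or "")
                 for e in root.findall(".//t:Repetition/t:Interval", NS)]
    intervals = [i for i in intervals if i is not None]
    commands = [(e.findtext("t:Command", default="", namespaces=NS) + " "
                 + e.findtext("t:Arguments", default="", namespaces=NS)).strip()
                for e in root.findall(".//t:Actions/t:Exec", NS)]
    return {
        "intervals_min": intervals,
        "commands": commands,
        "matches_90min": SUSPECT_INTERVAL_MIN in intervals,
        "suspect_launcher": any(k in c.lower() for c in commands for k in SUSPECT_LAUNCHERS),
    }

if __name__ == "__main__":
    print(assess_task(SAMPLE_TASK_XML))
```

Run it over each file from `schtasks /query /xml` to triage a host; a 90-minute interval alone is only a lead, so the launcher and script path should be reviewed before concluding anything.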
Investigations have traced the malware's exfiltration activities back to usernames prominent in software cracking forums, hinting at the actors' possible origins. Moreover, code parallels have been observed between Ov3r_Stealer and another known C# stealer, Phemedrone, suggesting a derivative relationship between the two strains. Trustwave has also unearthed demonstration videos that indicate the threat actors' possible attempts to entice buyers or collaborators for their malicious tools.
Although its origins remain ambiguous, since the associated accounts show a mix of Vietnamese, Russian, and French signals, the threat posed by Ov3r_Stealer is clear. It exemplifies the increasing sophistication and resourcefulness of cybercriminals leveraging social media platforms to deploy their nefarious payloads. Trustwave's exposure of this threat serves as a crucial reminder of the constant vigilance required in the digital landscape.