
Ov3r_Stealer Malware Emerges, Targeting Facebook Users with Fake Job Ads

Facebook job scam spreads "Ov3r_Stealer" malware stealing crypto & logins. Job offer lures victims to fake doc that launches complex attack


Security firm Trustwave has exposed a cybercriminal campaign that uses job advertisements to distribute a novel malware, Ov3r_Stealer. The malware is engineered to harvest account credentials and cryptocurrency from unsuspecting users. The Trustwave research team's analysis reveals a complex infection procedure that begins by inviting Facebook users to apply for a bogus position. Targeted users are then redirected to a malicious document that launches a PowerShell script, which in turn pulls the malware from a repository.

Infection Mechanism

The scheme entices targets with a job opportunity for an Account Manager position. Applicants are directed to what is presented as a PDF of the job details hosted on OneDrive. When clicked, it instead redirects to Discord's Content Delivery Network, which downloads a deceptive 'pdf2.cpl' file. This file masquerades as a standard document but is actually a PowerShell payload that abuses the way Windows executes Control Panel (.cpl) files. Trustwave's findings reveal a multi-stage malware loading approach incorporating a Windows executable, a DLL for DLL sideloading, and a document containing the malicious payload.

Data Exfiltration Techniques

Upon successful execution, Ov3r_Stealer sets up a recurring scheduled task that runs at 90-minute intervals, ensuring its persistence on the infected system. The malware targets a wide array of applications and directories, ranging from web browsers and browser extensions to cryptocurrency wallets and FTP clients such as FileZilla, to extract valuable data. The stolen data, including geographic location details and summaries of the compromised information, is transmitted to a bot.
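The infection chain above (a .cpl file launched from a download location, a PowerShell process spawned by the Control Panel host, and a scheduled task created with a 90-minute interval) is the kind of behaviour a defender can hunt for in process-creation telemetry. The following is an added detection example written for this page; it is not code from the article or from Trustwave's report. The pipe-separated log format, the field layout, the rule names and every sample line are constructed assumptions, loosely modelled on process-creation events rather than on any real telemetry:

```python
import re

# Constructed sample process-creation log lines (assumption: a simplified
# pipe-separated format "timestamp|image|parent image|command line").
# Only the .cpl filename and the 90-minute interval come from the article;
# user names, paths and task names are made up for the example.
SAMPLE_LOGS = r"""
2024-02-06T10:02:11|C:\Windows\explorer.exe|C:\Windows\System32\userinit.exe|explorer.exe
2024-02-06T10:03:40|C:\Windows\System32\control.exe|C:\Windows\explorer.exe|control.exe C:\Users\alice\Downloads\pdf2.cpl
2024-02-06T10:03:41|C:\Windows\System32\rundll32.exe|C:\Windows\System32\control.exe|rundll32.exe shell32.dll,Control_RunDLL C:\Users\alice\Downloads\pdf2.cpl
2024-02-06T10:03:42|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|C:\Windows\System32\rundll32.exe|powershell.exe -w hidden -ep bypass -File C:\Users\alice\AppData\Local\Temp\stage.ps1
2024-02-06T10:04:05|C:\Windows\System32\schtasks.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|schtasks.exe /Create /SC MINUTE /MO 90 /TN UpdateCheck /TR C:\Users\alice\AppData\Local\Temp\x.exe /F
2024-02-06T11:00:00|C:\Windows\System32\control.exe|C:\Windows\explorer.exe|control.exe C:\Windows\System32\intl.cpl
2024-02-06T11:30:00|C:\Windows\System32\schtasks.exe|C:\Windows\System32\cmd.exe|schtasks.exe /Create /SC DAILY /ST 09:00 /TN Backup /TR C:\Tools\backup.exe
"""

# Paths a standard user can write to; a .cpl or task action living here is
# far more suspicious than one under C:\Windows\System32.
USER_WRITABLE = re.compile(r"\\(Users|ProgramData|Temp)\\", re.IGNORECASE)
CPL_REF = re.compile(r"\S+\.cpl\b", re.IGNORECASE)
CPL_HOSTS = {"control.exe", "rundll32.exe"}      # processes that run .cpl items
SHELL_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def parse(line: str) -> dict:
    """Split one constructed log line into its four fields."""
    ts, image, parent, cmd = line.split("|", 3)
    return {"ts": ts, "image": image, "parent": parent, "cmd": cmd}


def rule_cpl_from_user_path(ev: dict):
    """A Control Panel item executed from a user-writable location."""
    if basename(ev["image"]) not in CPL_HOSTS:
        return None
    for m in CPL_REF.finditer(ev["cmd"]):
        if USER_WRITABLE.search(m.group(0)):
            return f"Control Panel item executed from user-writable path: {m.group(0)}"
    return None


def rule_shell_from_cpl_host(ev: dict):
    """A script host spawned by the process that runs .cpl files."""
    if basename(ev["image"]) in SHELL_HOSTS and basename(ev["parent"]) in CPL_HOSTS:
        return f"{basename(ev['image'])} spawned by {basename(ev['parent'])}"
    return None


def rule_minute_task(ev: dict):
    """schtasks creating a minute-interval task, noting the interval and action path."""
    if basename(ev["image"]) != "schtasks.exe":
        return None
    cmd = ev["cmd"]
    if not re.search(r"/create\b", cmd, re.I) or not re.search(r"/sc\s+minute\b", cmd, re.I):
        return None
    mo = re.search(r"/mo\s+(\d+)", cmd, re.I)
    interval = int(mo.group(1)) if mo else 1
    tr = re.search(r"/tr\s+(\S+)", cmd, re.I)
    where = " from user-writable path" if tr and USER_WRITABLE.search(tr.group(1)) else ""
    return f"minute-interval scheduled task created (every {interval} min){where}"


RULES = [rule_cpl_from_user_path, rule_shell_from_cpl_host, rule_minute_task]


def scan(text: str) -> list:
    """Run every rule over every log line; return (timestamp, finding) pairs."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse(line)
        for rule in RULES:
            msg = rule(ev)
            if msg:
                hits.append((ev["ts"], msg))
    return hits


if __name__ == "__main__":
    for ts, msg in scan(SAMPLE_LOGS):
        print(ts, msg)
```

Run against the constructed sample, the scanner reports the two .cpl launches from the Downloads folder, the PowerShell process spawned by rundll32.exe, and the 90-minute task whose action lives under the user's Temp directory, while the legitimate intl.cpl launch from System32 and the daily backup task stay silent. In a real deployment the same three rules would be expressed in the query language of whatever EDR or SIEM holds Sysmon Event ID 1 or Windows Security 4688 process-creation events.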

Investigations have traced the malware's exfiltration activities back to usernames prominent in software cracking forums, hinting at the actors' possible origins. Moreover, code parallels have been observed between Ov3r_Stealer and another known C# stealer, Phemedrone, suggesting a derivative relationship between the two strains. Trustwave has also unearthed demonstration videos that indicate the threat actors' possible attempts to entice buyers or collaborators for their malicious tools.

Despite its origins being shrouded in ambiguity, given that the associated accounts demonstrate a mix of Vietnamese, Russian, and French signals, what remains clear is the threat posed by Ov3r_Stealer. It exemplifies the increasing sophistication and resourcefulness of cybercriminals leveraging platforms to deploy their nefarious payloads. Trustwave's exposure of this threat serves as a crucial reminder of the constant vigilance required in the digital landscape.

Luke Jones
Luke has been writing about all things tech for more than five years. He is following Microsoft closely to bring you the latest news about Windows, Office, Azure, Skype, HoloLens and all the rest of their products.
