False Facebook Job Ads Circulating Ov3r_Stealer to Steal Crypto and Credentials

Threat actors are using bogus Facebook job postings as a lure to install a new Windows-based stealer malware referred to as Ov3r_Stealer.

Trustwave SpiderLabs stated in a study provided by The Hacker News that "this malware is designed to steal credentials and crypto wallets and send those to a Telegram channel that the threat actor monitors."

Ov3r_Stealer is able to harvest:

  • IP address-based location
  • Hardware information
  • Passwords
  • Cookies
  • Credit card details
  • Auto-fills
  • Browser extensions
  • Crypto wallets
  • Microsoft Office documents
  • A list of antivirus programs installed on the infected host

The specific final purpose of the campaign remains uncertain. One likely outcome is that the stolen information is sold to other threat actors. Another possibility is that Ov3r_Stealer is modified over time so that it functions as a QakBot-like loader for other payloads, such as ransomware.

The attack starts with a weaponized PDF file that purports to be a document stored on OneDrive. It prompts viewers to click an "Access Document" button embedded in the file.

The company added, "It identified the PDF file being shared on a fake Facebook account impersonating Amazon CEO Andy Jassy and via Facebook ads for digital advertising jobs."

Users who click the button receive an internet shortcut (.URL) file that poses as a DocuSign document hosted on Discord's content delivery network (CDN). The shortcut file then functions as a conduit, delivering a control panel item (.CPL) file, which is executed via the Windows Control Panel process binary ("control.exe").

When the CPL file is executed, a PowerShell loader ("DATA1.txt") is retrieved from a GitHub repository, which is then used to activate Ov3r_Stealer.
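As an added defender-side example (not code from the article or from Trustwave's research), the following Python triage function parses a Windows Internet Shortcut file and flags the delivery pattern described above: a remote target that is a .CPL file hosted on a third-party CDN. The untrusted-host list and the two sample shortcuts are constructed assumptions, not indicators taken from the campaign.

```python
"""Triage Windows Internet Shortcut (.URL) files for a .URL -> remote .CPL chain.

Added example for defenders; not from the original article or from Trustwave.
SUSPICIOUS_HOSTS and the sample shortcuts below are constructed assumptions.
"""
import configparser
from typing import List, Optional
from urllib.parse import urlparse

# Assumption: hosts an analyst would treat as untrusted for executable delivery.
SUSPICIOUS_HOSTS = {"cdn.discordapp.com"}
# Extensions that should never be the target of a document-style shortcut.
EXEC_EXTENSIONS = (".cpl", ".exe", ".dll", ".scr")


def parse_url_shortcut(text: str) -> Optional[str]:
    """Return the URL= value of the [InternetShortcut] section, or None."""
    cp = configparser.ConfigParser(interpolation=None)
    try:
        cp.read_string(text)
    except configparser.Error:  # no section header, duplicate keys, etc.
        return None
    for section in cp.sections():
        if section.lower() == "internetshortcut" and cp.has_option(section, "url"):
            return cp.get(section, "url").strip()
    return None


def triage_shortcut(text: str) -> List[str]:
    """Return the reasons a shortcut matches the lure pattern (empty = clean)."""
    target = parse_url_shortcut(text)
    if target is None:
        return ["no [InternetShortcut] URL target"]
    parsed = urlparse(target)
    reasons = []
    path = parsed.path.lower()
    if path.endswith(EXEC_EXTENSIONS):
        reasons.append("remote target is executable content: " + path.rsplit(".", 1)[-1])
    host = (parsed.hostname or "").lower()
    if host in SUSPICIOUS_HOSTS:
        reasons.append("target hosted on untrusted CDN: " + host)
    return reasons


# Constructed samples: a benign document link and a DocuSign-themed .CPL lure.
BENIGN_SHORTCUT = "[InternetShortcut]\nURL=https://example.com/docs/report.pdf\n"
SUSPECT_SHORTCUT = (
    "[InternetShortcut]\n"
    "URL=https://cdn.discordapp.com/attachments/ATTACH_ID/DocuSign.cpl\n"
    "IDList=\n"
)
```

Run `triage_shortcut` over every .URL attachment extracted from mail or web proxy logs and alert on any non-empty result.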

Trend Micro recently revealed a nearly identical infection chain, which is cause for concern. In that campaign, threat actors exploited the Microsoft Windows Defender SmartScreen bypass flaw (CVE-2023-36025, CVSS score: 8.8) to drop another stealer, Phemedrone Stealer.

The similarity extends to the GitHub repository used (nateeintanan2527), and Ov3r_Stealer also has code-level overlap with Phemedrone.

According to Trustwave, "This virus has just been identified, and it is possible that Phemedrone was repurposed and renamed Ov3r_Stealer. The primary distinction between the two is that Phemedrone is written in C#."

The disclosure coincides with findings from Hudson Rock showing that threat actors advertise their access to the law enforcement request portals of large businesses, obtained using credentials stolen through info stealer infections, namely:

  • Binance
  • Google
  • Meta
  • TikTok

It also follows the emergence of a category of infections known as "CrackedCantil," which uses cracked software as an initial access vector to drop loaders like PrivateLoader and SmokeLoader. These loaders then function as a delivery mechanism for:

  • Information Stealers
  • Crypto Miners
  • Proxy Botnets
  • Ransomware
