
Facebook Ads Disguising Password-Stealing Malware

A newly discovered malware, Ov3r_Stealer, has emerged as a threat focused on stealing cryptocurrency wallets and passwords, with the stolen data sent to a Telegram channel maintained by the threat actor. Unearthed in early December, the malware was spread through a Facebook advertisement luring users with an account manager position.



In this targeted attack, users are led through weaponized links to a malicious Discord content delivery URL, which starts the execution phase. Ov3r_Stealer is built to extract a wide array of sensitive data: IP-based geolocation, hardware information, passwords, cookies, credit card details, auto-fill data, browser extensions, crypto wallets, Office documents, and information about installed antivirus products.


The attack begins with a weaponized PDF file, disguised as a shared file on OneDrive. Notably, deceptive OneDrive links were found on fabricated social media profiles impersonating figures like Amazon CEO Andy Jassy or embedded within fake job advertisements on platforms like Facebook. Clicking the "Access Document" link downloads a file with a .url extension, initiating the subsequent phases of the attack.


The malware itself is then downloaded as three files from a GitHub site, using a PowerShell script disguised as a Windows Control Panel binary. Researchers have also identified other delivery methods, including HTML smuggling, SVG smuggling, and LNK file masquerading.

Once activated on the system, the malware establishes persistence through a Scheduled Task, ensuring it runs every ninety minutes. After gathering data, the stolen information is sent to a Telegram channel monitored by the threat actor. Potential outcomes include auctioning the data to the highest bidder or using the modularized malware as a dropper for additional malicious payloads, possibly even ransomware.
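As an added illustration that is not part of the original article or the cited research, the following Python reads a Windows Task Scheduler XML export (the format produced by `schtasks /query /xml`) and flags the two persistence traits described above: a trigger that repeats every ninety minutes and an action that launches PowerShell. The task XML below is a constructed sample, not a real Ov3r_Stealer artifact, and the XML declaration that real exports carry is omitted so the string parses directly.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample task export; paths and arguments are illustrative only.
SAMPLE_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT90M</Interval></Repetition>
      <StartBoundary>2023-12-01T09:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>powershell.exe</Command>
      <Arguments>-WindowStyle Hidden -File C:\\Users\\Public\\control.ps1</Arguments>
    </Exec>
  </Actions>
</Task>"""

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Task Scheduler durations use the ISO-8601 subset PnDTnHnMnS.
_DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")


def iso_duration_minutes(text):
    """Convert a duration such as PT90M or PT1H30M to minutes; None if malformed."""
    m = _DURATION.match(text.strip())
    if not m:
        return None
    days, hours, mins, secs = (int(g) if g else 0 for g in m.groups())
    return days * 1440 + hours * 60 + mins + secs / 60


def triage_task(xml_text, suspect_interval=90):
    """Return a list of findings for one task export (empty list means nothing flagged)."""
    root = ET.fromstring(xml_text)
    findings = []
    for interval in root.findall(".//t:Repetition/t:Interval", NS):
        if iso_duration_minutes(interval.text or "") == suspect_interval:
            findings.append(f"repeats every {suspect_interval} minutes")
    for ex in root.findall(".//t:Actions/t:Exec", NS):
        cmd = (ex.findtext("t:Command", "", NS) or "").lower()
        args = (ex.findtext("t:Arguments", "", NS) or "").lower()
        if "powershell" in cmd or "pwsh" in cmd:
            findings.append(f"launches PowerShell: {cmd} {args}".strip())
        if "-windowstyle hidden" in args or " -w hidden" in f" {args}":
            findings.append("hidden window requested")
    return findings
```

Run it against every task exported from a host (one XML document per task) and review any task that returns a non-empty list; the interval and command heuristics are deliberately narrow and are a starting point for hunting, not a full detection rule.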


Researchers note significant similarities between Ov3r_Stealer and the Phemedrone stealer malware, indicating potential rebranding or repurposing. The primary distinction lies in the programming language, with Phemedrone written in C#.


To mitigate the risks associated with this threat, security measures such as engaging in awareness programs, conducting regular audits of applications and services, keeping application patches up-to-date, and implementing continuous threat hunting are recommended. Vigilance and proactive measures are essential in navigating the ever-evolving landscape of cyber threats.

