Beware: Fake Facebook Job Ads Spreading 'Ov3r_Stealer' to Steal Crypto and Credentials

thehackernews.com · Newsroom · 2 years ago · news
Ravie Lakshmanan
Feb 06, 2024
Social Engineering / Malvertising

Threat actors are leveraging bogus Facebook job advertisements as a lure to trick prospective targets into installing a new Windows-based stealer malware codenamed Ov3r_Stealer.

"This malware is designed to steal credentials and crypto wallets and send those to a Telegram channel that the threat actor monitors," Trustwave SpiderLabs said in a report shared with The Hacker News.

Ov3r_Stealer is capable of siphoning IP address-based location, hardware info, passwords, cookies, credit card information, auto-fills, browser extensions, crypto wallets, Microsoft Office documents, and a list of antivirus products installed on the compromised host.

While the exact end goal of the campaign is unknown, it's likely that the stolen information is offered for sale to other threat actors. Another possibility is that Ov3r_Stealer could be updated over time to act as a QakBot-like loader for additional payloads, including ransomware.

The starting point of the attack is a weaponized PDF file that purports to be a file hosted on OneDrive, urging users to click on an "Access Document" button embedded into it. Trustwave said it identified the PDF file being shared on a fake Facebook account impersonating Amazon CEO Andy Jassy as well as via Facebook ads for digital advertising jobs.

Users who end up clicking on the button are served an internet shortcut (.URL) file that masquerades as a DocuSign document hosted on Discord's content delivery network (CDN).
The shortcut file then acts as a conduit to deliver a Control Panel item (.CPL) file, which is then executed using the Windows Control Panel process binary ("control.exe"). The execution of the CPL file leads to the retrieval of a PowerShell loader ("DATA1.txt") from a GitHub repository to ultimately launch Ov3r_Stealer.

It's worth noting at this stage that a near-identical infection chain was recently disclosed by Trend Micro as having been put to use by threat actors to drop another stealer called Phemedrone Stealer by exploiting the Microsoft Windows Defender SmartScreen bypass flaw (CVE-2023-36025, CVSS score: 8.8). The similarities extend to the GitHub repository used (nateeintanan2527) and the fact that Ov3r_Stealer shares code-level overlaps with Phemedrone.

"This malware has recently been reported, and it may be that Phemedrone was re-purposed and renamed to Ov3r_Stealer," Trustwave said. "The main difference between the two is that Phemedrone is written in C#."

Further solidifying the connections between the two stealer malware, the threat actor has been observed sharing news reports published about the Phemedrone Stealer on their Telegram channels in an effort to build "street cred" for their malware-as-a-service (MaaS) business.

"My custom stealer is on the new[s], showing how evasive it is, im [sic] the developer of it, so happy now," the threat actor, who goes by the online alias Liu Kong, said, while also expressing frustration at the fact that threat hunters managed to "reverse the whole exploit chain" despite everything being "on memory."

The findings come as Hudson Rock revealed that threat actors are advertising their access to law enforcement request portals of major organizations like Binance, Google, Meta, and TikTok by exploiting credentials obtained from infostealer infections.
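The infection chain above leaves two host-side observables a defender can look for: an internet shortcut whose target is a Control Panel item on a public CDN, and PowerShell running under the Control Panel host that executed that .CPL. The following detection sketch is an added example, not code from Trustwave or The Hacker News; the CDN hostname, the rundll32.exe hosting detail, the log field names and every sample below are constructed assumptions for illustration.

```python
"""Added detection sketch for the chain the article describes (.URL shortcut -> .CPL via control.exe
-> PowerShell loader). Not Trustwave/THN code; samples are constructed, hostnames and paths assumed."""
import configparser
import ntpath
import re
from typing import Optional
from urllib.parse import urlparse

STAGING_HOSTS = {"cdn.discordapp.com"}       # assumption: the article names Discord's CDN as the .URL target
CPL_HOSTS = {"control.exe", "rundll32.exe"}  # control.exe hands a .CPL to rundll32.exe to run it
SYSTEM_PREFIXES = ("c:\\windows\\", "%windir%", "%systemroot%")
CPL_TOKEN = re.compile(r'"?([^\s"]+\.cpl)\b"?', re.IGNORECASE)

def shortcut_target(url_file_text: str) -> Optional[str]:
    """An Internet Shortcut (.URL) is INI text; the target lives under [InternetShortcut] URL=."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(url_file_text)
    return cp.get("InternetShortcut", "URL", fallback=None)

def suspicious_shortcut(url_file_text: str) -> bool:
    """The lure: a shortcut whose target is a Control Panel item hosted on a public CDN."""
    target = shortcut_target(url_file_text)
    if not target:
        return False
    u = urlparse(target)
    return (u.hostname or "").lower() in STAGING_HOSTS and u.path.lower().endswith(".cpl")

def suspicious_process(event: dict) -> bool:
    """PowerShell spawned under a Control Panel host, or a .CPL loaded from outside %windir%."""
    image = ntpath.basename(event.get("image", "")).lower()
    parent = ntpath.basename(event.get("parent_image", "")).lower()
    if image in {"powershell.exe", "pwsh.exe"} and parent in CPL_HOSTS:
        return True
    if image in CPL_HOSTS:
        for m in CPL_TOKEN.finditer(event.get("command_line", "")):
            path = m.group(1).lower()
            if "\\" in path and not path.startswith(SYSTEM_PREFIXES):
                return True   # a .CPL from a user-writable path, as in the described chain
    return False

# Constructed samples (not real indicators); the Discord attachment IDs are placeholders.
MALICIOUS_URL_FILE = "[InternetShortcut]\nURL=https://cdn.discordapp.com/attachments/0/0/DocuSign.cpl\n"
BENIGN_URL_FILE = "[InternetShortcut]\nURL=https://www.example.com/docs/report.pdf\n"
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\rundll32.exe", "parent_image": r"C:\Windows\System32\control.exe",
     "command_line": r'rundll32.exe shell32.dll,Control_RunDLL "C:\Users\bob\Downloads\DocuSign.cpl"'},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\rundll32.exe", "command_line": "powershell.exe <args redacted>"},
    {"image": r"C:\Windows\System32\rundll32.exe", "parent_image": r"C:\Windows\System32\control.exe",
     "command_line": "rundll32.exe shell32.dll,Control_RunDLL desk.cpl"},  # legitimate applet, not flagged
]
```

Run the two functions over shortcut files dropped into a Downloads folder and over process-creation telemetry (Sysmon Event ID 1 or equivalent); the path allow-list and host set are where tuning for your environment belongs.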
They also follow the emergence of a category of infections called CrackedCantil that leverage cracked software as an initial access vector to drop loaders like PrivateLoader and SmokeLoader, which subsequently act as a delivery mechanism for information stealers, crypto miners, proxy botnets, and ransomware.