Deceptive Facebook Job Ads Distributing Malware to Steal Credentials

A concerning trend has emerged in the cyber threat landscape, with threat actors exploiting fake job postings on Facebook as a guise to propagate a new Windows-based stealer malware known as Ov3r_Stealer. Trustwave SpiderLabs has sounded the alarm, revealing that this malicious software is engineered to pilfer sensitive information, including credentials and cryptocurrency wallets, funneling the stolen data to a Telegram channel monitored by the threat actor.

Ov3r_Stealer can extract a wide range of data from compromised systems, including IP address-based location, hardware information, passwords, cookies, credit card details, browser extensions, and even Microsoft Office documents. It also targets cryptocurrency wallets, indicating a concerted effort to capitalize on the lucrative crypto market.

While the ultimate objective of the campaign remains undisclosed, analysts speculate that the stolen information may be offered for sale on underground forums or used to facilitate additional malicious activities. There are concerns that Ov3r_Stealer could evolve into a loader for ransomware or other nefarious payloads, akin to QakBot’s modus operandi.

The attack chain begins with a weaponized PDF file, purportedly hosted on OneDrive, enticing users to click on an embedded “Access Document” button. This PDF has been observed circulating on a fraudulent Facebook account impersonating Amazon's CEO and in Facebook ads for digital advertising jobs.

Upon clicking the button, victims are directed to an internet shortcut (.URL) file, masquerading as a DocuSign document hosted on Discord’s content delivery network (CDN). This shortcut file serves as a conduit for delivering a control panel item (.CPL) file, executed via the Windows Control Panel process binary (“control.exe”).

Execution of the CPL file triggers the retrieval of a PowerShell loader (“DATA1.txt”) from a GitHub repository, culminating in the launch of Ov3r_Stealer.
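The chain above leaves two process-creation signals a defender can hunt for: a .CPL file loaded from outside the Windows system directories, and PowerShell started by the process that hosts Control Panel items. The following is an added example, not code from Trustwave or the original article; the event field names and sample events are constructed, and it assumes Sysmon-style process-creation telemetry in which control.exe passes the .CPL to rundll32.exe.

```python
import re
from ntpath import basename  # parses Windows paths on any OS

# Constructed process-creation events (Sysmon Event ID 1 style); not real telemetry.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\control.exe",
     "cmdline": r'control.exe "C:\Users\alice\Downloads\invoice.cpl"'},
    {"parent": r"C:\Windows\System32\rundll32.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -File <constructed placeholder>"},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\control.exe",
     "cmdline": r"control.exe C:\Windows\System32\timedate.cpl"},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\control.exe",
     "cmdline": "control.exe timedate.cpl"},
]

CPL_HOSTS = {"control.exe", "rundll32.exe"}      # processes that load .cpl files
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe"}
CPL_ARG = re.compile(r'"([^"]+\.cpl)"|(\S+\.cpl)', re.IGNORECASE)
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

def cpl_outside_system_dir(cmdline):
    """Return the first .cpl path in cmdline that is not under a system directory."""
    for quoted, bare in CPL_ARG.findall(cmdline):
        path = (quoted or bare).lower()
        if "\\" not in path and "/" not in path:
            continue  # bare applet name such as timedate.cpl, resolved by Windows
        if not path.startswith(TRUSTED_DIRS):
            return path
    return None

def triage(events):
    """Return (event index, rule name, detail) for each suspicious event."""
    findings = []
    for i, ev in enumerate(events):
        image = basename(ev["image"]).lower()
        parent = basename(ev["parent"]).lower()
        if image in CPL_HOSTS:
            cpl = cpl_outside_system_dir(ev["cmdline"])
            if cpl:
                findings.append((i, "cpl-from-untrusted-path", cpl))
        if image in SCRIPT_HOSTS and parent in CPL_HOSTS:
            findings.append((i, "powershell-child-of-cpl-host", parent))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Either rule alone can fire on legitimate administration activity, so treat the two findings occurring together on one host as the higher-confidence signal.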

Notably, this infection chain bears striking similarities to a recent disclosure by Trend Micro, which detailed the deployment of another stealer, Phemedrone Stealer, leveraging a Microsoft Windows Defender SmartScreen bypass flaw (CVE-2023-36025). The shared GitHub repository and code-level overlaps suggest a potential re-purposing of Phemedrone as Ov3r_Stealer.

The threat actor behind Ov3r_Stealer has tried to bolster their reputation by sharing news reports about Phemedrone Stealer on their Telegram channels, indicating aspirations for their malware-as-a-service (MaaS) business.

These developments underscore the escalating sophistication of cyber threats, with threat actors resorting to multifaceted tactics to infiltrate systems and exfiltrate sensitive information. It’s imperative for organizations and individuals alike to remain vigilant and adopt robust cybersecurity measures to mitigate the risks posed by such insidious malware campaigns.

Exercise caution when interacting with online job postings, especially those from unfamiliar sources. Be wary of job offers that seem too good to be true or request sensitive information upfront. Use strong, unique passwords for online accounts and enable two-factor authentication where available. Also regularly monitor your financial accounts for unauthorized transactions and report any suspicious activity to the appropriate authorities.