Trustwave SpiderLabs’ recent report uncovered the usage of fake Facebook job ads to lure victims into installing a new Windows-based stealer malware called Ov3r_Stealer.
Ov3r_Stealer Malware Modus Operandi
Ov3r_Stealer is a multifaceted malware designed to steal sensitive information such as credentials, crypto wallets, and personal details from compromised systems. Once installed, the malware exfiltrates the stolen data to a Telegram channel, allowing threat actors to monitor and exploit the compromised information for nefarious purposes.
The modus operandi of this malicious campaign begins with a weaponized PDF file masquerading as a legitimate document hosted on OneDrive. Users are prompted to click on an embedded “Access Document” button within the PDF, leading them down a treacherous path of deception. Subsequently, victims are directed to download an internet shortcut file disguised as a DocuSign document from Discord’s content delivery network (CDN). This shortcut file acts as a conduit to deliver a control panel item file, which, when executed, triggers the installation of Ov3r_Stealer via a PowerShell loader retrieved from a GitHub repository.
What sets this campaign apart is its utilization of fake Facebook accounts impersonating prominent figures like Amazon CEO Andy Jassy, as well as deceptive Facebook ads for digital advertising jobs, to disseminate the malicious PDF file. This tactic not only increases the reach of the attack but also enhances its believability, making it more likely for unsuspecting users to fall victim to the scheme.
Ov3r_Stealer Shares Similarities with Phemedrone Stealer
Furthermore, the similarities between Ov3r_Stealer and another recently disclosed stealer called Phemedrone Stealer raise concerns of a potential resurgence of previously known threats. Both malware variants share code-level overlaps and exploit similar infection chains, suggesting a possible re-purposing of Phemedrone into Ov3r_Stealer. This underscores the adaptability and resourcefulness of threat actors in repackaging existing malware to evade detection and prolong their malicious activities.
It is also noteworthy that threat actors have been observed leveraging news reports about Phemedrone Stealer to bolster the credibility of their malware-as-a-service (MaaS) business on Telegram channels. This demonstrates a concerted effort by threat actors to promote and monetize their illicit activities, further exacerbating the cybersecurity landscape.
Milena Dimitrova
An inspired writer and content manager who has been with SensorsTechForum since the project started. A professional with 10+ years of experience in creating engaging content. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles! Follow Milena @Milenyim
Follow Me: