Ov3r_Stealer: Targeting Cryptocurrency and Credentials via Facebook Job Ads


“A recent report by Trustwave SpiderLabs reveals the emergence of Ov3r_Stealer, a Windows malware propagated through deceptive Facebook job advertisements. This malware is engineered to pilfer sensitive data and cryptocurrency wallets from its victims. Let’s explore the workings of these fraudulent ads and the Ov3r_Stealer malware.”


“Fraudsters employ sophisticated job advertisements posted on Facebook, appearing authentic at first sight and targeting a diverse pool of job seekers with promises of lucrative prospects. According to Trustwave experts, attackers utilize a PDF file disguised as a genuine document hosted on OneDrive. Potential victims are enticed to click an ‘Access Document’ button within the PDF, setting off a series of malicious activities.”

“The Ov3r_Stealer infection chain represents a sophisticated cyber system engineered to compromise systems and pilfer sensitive data. While it operates as a classic infostealer, its unique propagation methods draw attention. It initiates with deceptive tactics to establish persistence for data collection and crypto theft. The infection chain unfolds as follows:”

1. Initial Access:

To lure the victim into accessing the fraudulent PDF, scammers create a fake Facebook account impersonating Amazon CEO Andy Jassy. This account includes a link to OneDrive. Upon clicking “Access Document” on the Facebook page, a .url file is downloaded, initiating the next step.

2. Payload Downloading:

Upon clicking the “Access Document” button, the victim is redirected to download a .url file. This file is disguised as a legitimate ‘DocuSign’ document. The .url file leads to an IP address hosting a data2.zip archive containing a pdf2.cpl file. Because Windows allows Control Panel (.cpl) files to run when opened, the operation proceeds without interruption. Additionally, the final payload of this malware is tailored for Windows-based systems.

3. Additional Loaders:

In this stage, the malware may employ additional loaders or components to enhance its execution and propagation capabilities. These loaders assist in the installation and execution of the final payload, enabling the malware to operate seamlessly within the compromised environment.

4. Final Payload:

The final payload consists of three files: WerFaultSecure.exe, Wer.dll, and Secure.pdf. Each loader stage contributes to dropping these files on the system. Upon execution, the malware establishes persistence to ensure continuous operation and begins exfiltrating specific data to a Telegram channel monitored by the attackers.

5. Gaining Persistence:

To maintain its presence and functionality within the compromised system, the malware implements various persistence mechanisms. These methods may include altering system configurations, creating registry entries, or scheduling tasks to ensure the malware’s persistence across system reboots and security scans.

6. System Surveillance & Data Collection:

After establishing itself within the compromised system, the malware initiates surveillance activities to collect sensitive information. This phase involves scanning the infected device for credentials, cryptocurrency wallets, and other valuable data. Additionally, the malware identifies potential targets for further exploitation.

7. Data Exfiltration:

The final stage of the malware operation involves exfiltrating stolen data from the compromised system to external servers or channels controlled by the attackers. This may include transmitting sensitive information such as credentials, financial data, or proprietary information to remote locations, enabling the attackers to harvest and exploit it for nefarious purposes.
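One defensive check for the first link in this chain, as an added example that is not from the Trustwave report or this article: it parses Windows .url shortcuts and flags the traits described above, a bare IP address as the host and an archive or .cpl file as the target. The sample shortcuts are constructed, and the 203.0.113.x addresses come from a documentation range, not from any indicator.

```python
import configparser
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample .url shortcuts (not real indicators). A Windows .url file is
# INI-style text with an [InternetShortcut] section and a URL= key.
SAMPLES = {
    "benign.url": "[InternetShortcut]\nURL=https://www.example.com/docs/guide\n",
    "DocuSign_Document.url": "[InternetShortcut]\nURL=http://203.0.113.10/data2.zip\n",
    "share.url": "[InternetShortcut]\nURL=file://203.0.113.20/share/pdf2.cpl\n",
}

# File types that a document lure has no business pointing at.
SUSPECT_EXT = re.compile(r"\.(zip|rar|7z|cpl|exe|dll|scr|js|vbs|hta)$", re.I)


def parse_url_shortcut(text):
    """Return the URL= value of an [InternetShortcut] file, or '' if absent."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    return cp.get("InternetShortcut", "URL", fallback="").strip()


def is_ip_host(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def assess(text):
    """Return a list of reasons the shortcut matches the lure pattern (empty = clean)."""
    url = parse_url_shortcut(text)
    if not url:
        return ["no URL= value in [InternetShortcut]"]
    parsed = urlparse(url)
    reasons = []
    if parsed.scheme.lower() == "file":
        reasons.append("file:// target, fetched over UNC/WebDAV rather than a browser")
    if is_ip_host(parsed.hostname or ""):
        reasons.append("bare IP address host instead of a domain")
    match = SUSPECT_EXT.search(parsed.path)
    if match:
        reasons.append("target is an archive/executable: " + parsed.path.rsplit("/", 1)[-1])
    return reasons


if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, "->", assess(body) or ["clean"])
```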


To protect against malware in ads, consider the following measures:

  1. Use ad blockers: Install reputable ad-blocking extensions or software on your web browsers to prevent malicious ads from being displayed.
  2. Keep software updated: Ensure that your operating system, web browsers, and security software are regularly updated with the latest security patches to mitigate vulnerabilities that could be exploited by malware delivered through ads.
  3. Exercise caution: Be wary of clicking on ads from unfamiliar or suspicious websites, especially those promising unrealistic offers or prizes. Avoid interacting with ads that seem too good to be true.
  4. Verify sources: Only download software or files from reputable sources. Avoid clicking on ads that prompt you to download software or plugins from unknown sources.
  5. Enable click-to-play for plugins: Configure your web browser to require manual activation (click-to-play) for plugins like Flash, Java, and Silverlight. This can prevent malicious ads from automatically executing code on your system.
  6. Educate yourself: Stay informed about common tactics used by cybercriminals to distribute malware through ads. Regularly educate yourself and your users about the latest threats and best practices for staying safe online.
  7. Use security software: Install and regularly update reputable antivirus and antimalware software on your devices. These tools can help detect and remove malware delivered through ads.
  8. Enable DNS filtering: Use DNS filtering services or software to block access to known malicious websites and domains, including those hosting malicious ads.


About the Author:

FirstHackersNews - Identifies Security
