Cyber Sentinel Chronicles: Unraveling the Ov3r_Stealer Menace
A recently emerged malware, named Ov3r_Stealer, is propagating via deceptive job postings on Facebook, with the intent to pilfer login credentials and cryptocurrency holdings.
The fraudulent job advertisements typically pose as managerial roles and redirect unsuspecting users to a Discord URL. There, a PowerShell script initiates the download of the malware payload from a GitHub repository.
Despite employing familiar tactics, security analysts at Trustwave caution that Ov3r_Stealer poses a significant risk to potential victims, given the widespread usage of Facebook.
The scheme lures victims with fake job listings on Facebook, inviting them to apply for positions such as Account Manager in digital advertising.
Upon clicking the ad, users are led to a PDF file hosted on OneDrive, purportedly containing job details. However, clicking triggers a Discord CDN redirect, downloading a file labeled ‘pdf2.cpl.’
Disguised as a DocuSign document, the file is in reality a Control Panel item (.cpl) that, when opened, executes a PowerShell payload through the Windows Control Panel.
Trustwave has identified four primary methods of loading the malware:
1. Malicious Control Panel (CPL) files executing remote PowerShell scripts.
2. Weaponized HTML files (HTML smuggling) containing base64-encoded ZIP files with malicious content.
3. LNK files disguised as text files, acting as download shortcuts.
4. SVG files containing embedded .RAR files (SVG smuggling).
The final payload consists of three files: a legitimate Windows executable (WerFaultSecure.exe), a DLL for DLL sideloading (Wer.dll), and a document containing malicious code (Secure.pdf).
Upon execution, the malware establishes persistence by adding a scheduled task named “Licensing2,” set to run every 90 minutes on infected systems.
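The two on-host artifacts named above (the "Licensing2" task repeating every 90 minutes and the WerFaultSecure.exe/Wer.dll sideloading pair) can be hunted for with the following PowerShell, an added example that is not code from Trustwave or this post. The search roots, and the ISO 8601 spellings PT1H30M/PT90M for the interval, are assumptions.

```powershell
# Added hunting script; not code from the Trustwave report or the malware.
# Assumes PowerShell 5.1+ on Windows with the ScheduledTasks module; run elevated
# to see every user's tasks. Search roots below are an assumption (user-writable paths).
$Findings = [System.Collections.Generic.List[object]]::new()

# 1. Persistence indicator: scheduled task "Licensing2" repeating every 90 minutes.
#    Repetition.Interval is an ISO 8601 duration, so 90 minutes appears as PT1H30M or PT90M.
foreach ($task in Get-ScheduledTask -TaskName 'Licensing2' -ErrorAction SilentlyContinue) {
    $intervals = @($task.Triggers | ForEach-Object { $_.Repetition.Interval }) -ne $null
    $is90 = @($intervals | Where-Object { $_ -in 'PT1H30M','PT90M' }).Count -gt 0
    $Findings.Add([pscustomobject]@{
        Indicator = 'ScheduledTask'
        Severity  = if ($is90) { 'High' } else { 'Medium' }
        Detail    = "$($task.TaskPath)$($task.TaskName) intervals=[$($intervals -join ',')] " +
                    "exec=$(($task.Actions | ForEach-Object { $_.Execute }) -join ';')"
    })
}

# 2. Sideloading triplet: WerFaultSecure.exe, Wer.dll and Secure.pdf outside the Windows
#    directory. The genuine WerFaultSecure.exe lives under %SystemRoot%, so a copy sitting
#    next to a Wer.dll in a user-writable path matches the pattern described above.
$SearchRoots = @($env:USERPROFILE, $env:ProgramData, $env:TEMP) | Where-Object { $_ -and (Test-Path $_) }
$Names = 'WerFaultSecure.exe', 'Wer.dll', 'Secure.pdf'
$Hits = Get-ChildItem -Path $SearchRoots -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -in $Names -and $_.FullName -notlike "$env:SystemRoot\*" }
foreach ($group in $Hits | Group-Object DirectoryName) {
    $present = $group.Group.Name | Sort-Object -Unique
    $pair = ('WerFaultSecure.exe' -in $present) -and ('Wer.dll' -in $present)
    $Findings.Add([pscustomobject]@{
        Indicator = 'SideloadFiles'
        Severity  = if ($pair) { 'High' } else { 'Low' }   # a lone Secure.pdf is only a weak hint
        Detail    = "$($group.Name): $($present -join ', ')"
    })
}

if ($Findings.Count -eq 0) { 'No Ov3r_Stealer indicators found in the searched locations.' }
else { $Findings | Format-Table -AutoSize -Wrap }
```

A Medium hit on the task name alone is still worth a look, since the interval can be changed without touching the name.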
Ov3r_Stealer targets a wide array of applications, including cryptocurrency wallets, web browsers, browser extensions, Discord, and Filezilla, among others.
Additionally, it inspects system services configuration in the Windows Registry, likely to identify potential targets, and scans local directories for document files.
The malware collects data from infected systems every 90 minutes and transmits it to a Telegram bot, including the victim’s geolocation and a summary of stolen data.
Trustwave has observed connections between the Telegram exfiltration channel and specific usernames found in forums related to software cracking and relevant communities.
Furthermore, researchers note similarities between Ov3r_Stealer and Phemedrone, a C# stealer, suggesting possible inspiration for the new malware.
Trustwave reports discovering demo videos showcasing the malware’s operation, indicating potential attempts by threat actors to attract buyers or collaborators.
These videos were posted by accounts displaying Vietnamese and Russian language proficiency, alongside the use of the French flag, making the nationality of the threat actor uncertain.
Happy Hunting!
— j1nx