A new malware called Ov3r_Stealer has recently been discovered by cybersecurity researchers. This malicious software is designed to steal cryptocurrency wallets and passwords, and then send the stolen data to a Telegram channel controlled by the threat actor. Identified early in December, the malware was distributed through a Facebook advertisement for an account manager position.
Individuals who clicked on the ad were led to a malicious Discord content delivery URL, which triggered the execution of the attack. Once installed on a victim’s device, the malware begins exfiltrating various types of sensitive data, including geolocation based on IP address, hardware information, passwords, cookies, credit card details, browser extensions, cryptocurrency wallets, Office documents, and even information about installed antivirus products.
According to SpiderLabs, security teams have been monitoring the activities of this malware and have identified several mechanisms used to spread it. A weaponized PDF file is used for initial access and transmission of the malware. In one instance, a fake Facebook profile claiming to be Amazon CEO Andy Jassy shared a clickable OneDrive link that appeared to lead to a shared file. Other instances included similar fake job advertisements, including one for a Digital Advertising position. Clicking on the “Access Document” link on the Facebook pages led to the download of a .url file that initiated the next phase of the attack.
The malware was distributed in three separate files from a GitHub site using a PowerShell script that pretended to be a Windows Control Panel binary. Researchers also observed other methods used to install the malware, including HTML smuggling, SVG smuggling, and LNK file masquerading. Once installed on a victim's system, the malware used a Scheduled Task as a persistence mechanism, allowing it to run every ninety minutes.
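The persistence mechanism described above (a Scheduled Task repeating every ninety minutes that launches a PowerShell script) is something a defender can hunt for by reviewing exported Task Scheduler XML. The following is an added example and is not code from SpiderLabs, the article, or the malware; the two task definitions are constructed for illustration, and the repetition-interval threshold, the PowerShell flag patterns, and the user-writable path list are assumptions a hunter would tune for their own environment.

```python
"""Hunt exported Windows Task Scheduler XML for persistence of the kind the
article describes: a task that repeats on a short interval (ninety minutes in
the reported case) and whose action launches a PowerShell script.

Added example; the task XML below is constructed, and the heuristics are
assumptions, not the malware's actual task definition.
"""
import re
import xml.etree.ElementTree as ET

# Namespace used by Task Scheduler XML exports (schtasks /query /xml)
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# ISO-8601 duration as written in <Interval>, e.g. PT90M or PT1H30M
_DUR = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")

# Assumed indicators: hidden/encoded/bypass PowerShell flags, user-writable paths
SUSPICIOUS_ARGS = re.compile(
    r"-(?:w(?:indowstyle)?\s+hidden|e(?:nc(?:odedcommand)?)?\s|nop|ep\s+bypass|executionpolicy\s+bypass)",
    re.I,
)
USER_WRITABLE = re.compile(r"\\(?:Users\\[^\\]+\\AppData|ProgramData|Windows\\Temp)\\", re.I)


def interval_minutes(text):
    """Convert a Task Scheduler ISO-8601 interval (PT90M) to minutes; None if unparsable."""
    if not text:
        return None
    m = _DUR.match(text.strip())
    if not m:
        return None
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 24 * 60 + h * 60 + mi + s / 60


def task_repeat_minutes(root):
    """Smallest repetition interval across all triggers of a task, or None."""
    vals = [interval_minutes(e.text) for e in root.findall(".//t:Repetition/t:Interval", NS)]
    vals = [v for v in vals if v is not None]
    return min(vals) if vals else None


def task_command_lines(root):
    """Return 'command arguments' for every <Exec> action in the task."""
    lines = []
    for ex in root.findall(".//t:Actions/t:Exec", NS):
        cmd = (ex.findtext("t:Command", "", NS) or "").strip()
        args = (ex.findtext("t:Arguments", "", NS) or "").strip()
        lines.append((cmd + " " + args).strip())
    return lines


def score_task(xml_text, max_interval_min=120):
    """Return the list of reasons a task looks like short-interval PowerShell persistence."""
    root = ET.fromstring(xml_text)
    reasons = []
    rep = task_repeat_minutes(root)
    if rep is not None and rep <= max_interval_min:
        reasons.append(f"repeats every {rep:g} min")
    for line in task_command_lines(root):
        if re.search(r"powershell(?:\.exe)?|pwsh", line, re.I):
            reasons.append("action runs PowerShell")
            if SUSPICIOUS_ARGS.search(line):
                reasons.append("PowerShell launched hidden/encoded/bypass")
        if USER_WRITABLE.search(line):
            reasons.append("action runs from a user-writable path")
    return reasons


def hunt(tasks):
    """Map task name -> reasons for every task that triggers at least one heuristic."""
    return {name: r for name, xml in tasks.items() if (r := score_task(xml))}


# Constructed sample exports (not real tasks); XML declaration omitted on purpose
SUSPICIOUS_TASK = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger>
    <Repetition><Interval>PT90M</Interval><StopAtDurationEnd>false</StopAtDurationEnd></Repetition>
    <StartBoundary>2023-12-01T09:00:00</StartBoundary><Enabled>true</Enabled>
  </TimeTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>powershell.exe</Command>
    <Arguments>-WindowStyle Hidden -ExecutionPolicy Bypass -File C:\Users\victim\AppData\Roaming\update.ps1</Arguments>
  </Exec></Actions>
</Task>"""

BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger>
    <StartBoundary>2023-12-01T03:00:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
  </CalendarTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>C:\Program Files\Example\backup.exe</Command><Arguments>/quiet</Arguments>
  </Exec></Actions>
</Task>"""

if __name__ == "__main__":
    for name, reasons in hunt({"Updater": SUSPICIOUS_TASK, "NightlyBackup": BENIGN_TASK}).items():
        print(name, "->", "; ".join(reasons))
```

In practice the input would be the output of `schtasks /query /xml` (or the task files under `C:\Windows\System32\Tasks`) collected from endpoints; the scoring is deliberately simple so that each reason maps to a single reviewable fact about the task rather than an opaque verdict.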
Once data is collected, it is transmitted to a Telegram channel that is monitored by the threat actor. This stolen information could be sold to the highest bidder or used for further malicious activity, such as deploying ransomware. Researchers have also identified striking similarities between Ov3r_Stealer and another malware strain known as Phemedrone stealer, leading them to believe that the two may be related, with Phemedrone being repurposed and given a new name.
During their investigation, SpiderLabs discovered various aliases, communication channels, and repositories used by the threat actors involved in distributing this malware. Forums such as “Pwn3rzs Chat,” “Golden Dragon Lounge,” “Data Pro,” and “KGB Forums” were found to be frequented by individuals going by aliases such as “Liu Kong,” “MR Meta,” “MeoBlackA,” and “John Macollan,” suggesting that a network of malicious actors may be involved in the distribution of this malware.
In response to the threat posed by Ov3r_Stealer, cybersecurity professionals recommend implementing a range of mitigation strategies, including security awareness programs, regular application and service audits, patching of vulnerable software, and continuous threat hunting to identify and eradicate undetected compromises within IT environments.
As this new malware continues to pose a threat to users, it is crucial for individuals and organizations to remain vigilant and take proactive steps to protect themselves from potential cyber threats.